From: Navid Emamdoost <navid.emamdoost@gmail.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: Navid Emamdoost <emamd001@umn.edu>, Kangjie Lu <kjlu@umn.edu>,
Stephen McCamant <smccaman@umn.edu>,
Clemens Ladisch <clemens@ladisch.de>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
alsa-devel@alsa-project.org, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ALSA: usb-audio: Fix memory leak in __snd_usbmidi_create
Date: Mon, 28 Oct 2019 11:25:41 -0500 [thread overview]
Message-ID: <CAEkB2ESwKEQYQx75BnaHf4aUQHObx4jf0hreQx_KTeZ+QCjL4g@mail.gmail.com> (raw)
In-Reply-To: <s5hpnihmlk3.wl-tiwai@suse.de>
Thanks for the explanation,
On Mon, Oct 28, 2019 at 1:27 AM Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sun, 27 Oct 2019 23:10:06 +0100,
> Navid Emamdoost wrote:
> >
> > In the implementation of __snd_usbmidi_create() there is a memory leak
> > caused by incorrect goto destination. Go to free_midi if
> > snd_usbmidi_create_endpoints_midiman() or snd_usbmidi_create_endpoints()
> > fail.
>
> No, this will lead to double-free. After registering the rawmidi
> interface at snd_usbmidi_create_rawmidi(), the common destructor will
> be called via rawmidi private_free callback, and this will release the
> all resources already.
Now I can see how rawmidi private_free is set up to release the
resources, but what concerns me is that at the moment of endpoint/port
creation umidi is not yet added to the midi_list.
In other words, what I see is that we still have just one local
pointer to umidi if any of snd_usbmidi_create_endpoint* fail.
Am I missing something?
>
>
> thanks,
>
> Takashi
>
> >
> > Fixes: 731209cc0417 ("ALSA: usb-midi: Use common error handling code in __snd_usbmidi_create()")
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> > sound/usb/midi.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> > index b737f0ec77d0..22db37fbfbbd 100644
> > --- a/sound/usb/midi.c
> > +++ b/sound/usb/midi.c
> > @@ -2476,7 +2476,7 @@ int __snd_usbmidi_create(struct snd_card *card,
> > else
> > err = snd_usbmidi_create_endpoints(umidi, endpoints);
> > if (err < 0)
> > - goto exit;
> > + goto free_midi;
> >
> > usb_autopm_get_interface_no_resume(umidi->iface);
> >
> > --
> > 2.17.1
> >
--
Navid.
WARNING: multiple messages have this Message-ID (diff)
From: Navid Emamdoost <navid.emamdoost@gmail.com>
To: Takashi Iwai <tiwai@suse.de>
Cc: alsa-devel@alsa-project.org, Kangjie Lu <kjlu@umn.edu>,
Clemens Ladisch <clemens@ladisch.de>,
Takashi Iwai <tiwai@suse.com>, Navid Emamdoost <emamd001@umn.edu>,
Stephen McCamant <smccaman@umn.edu>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [alsa-devel] [PATCH] ALSA: usb-audio: Fix memory leak in __snd_usbmidi_create
Date: Mon, 28 Oct 2019 11:25:41 -0500 [thread overview]
Message-ID: <CAEkB2ESwKEQYQx75BnaHf4aUQHObx4jf0hreQx_KTeZ+QCjL4g@mail.gmail.com> (raw)
In-Reply-To: <s5hpnihmlk3.wl-tiwai@suse.de>
Thanks for the explanation,
On Mon, Oct 28, 2019 at 1:27 AM Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sun, 27 Oct 2019 23:10:06 +0100,
> Navid Emamdoost wrote:
> >
> > In the implementation of __snd_usbmidi_create() there is a memory leak
> > caused by incorrect goto destination. Go to free_midi if
> > snd_usbmidi_create_endpoints_midiman() or snd_usbmidi_create_endpoints()
> > fail.
>
> No, this will lead to double-free. After registering the rawmidi
> interface at snd_usbmidi_create_rawmidi(), the common destructor will
> be called via rawmidi private_free callback, and this will release the
> all resources already.
Now I can see how rawmidi private_free is set up to release the
resources, but what concerns me is that at the moment of endpoint/port
creation umidi is not yet added to the midi_list.
In other words, what I see is that we still have just one local
pointer to umidi if any of snd_usbmidi_create_endpoint* fail.
Am I missing something?
>
>
> thanks,
>
> Takashi
>
> >
> > Fixes: 731209cc0417 ("ALSA: usb-midi: Use common error handling code in __snd_usbmidi_create()")
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > ---
> > sound/usb/midi.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> > index b737f0ec77d0..22db37fbfbbd 100644
> > --- a/sound/usb/midi.c
> > +++ b/sound/usb/midi.c
> > @@ -2476,7 +2476,7 @@ int __snd_usbmidi_create(struct snd_card *card,
> > else
> > err = snd_usbmidi_create_endpoints(umidi, endpoints);
> > if (err < 0)
> > - goto exit;
> > + goto free_midi;
> >
> > usb_autopm_get_interface_no_resume(umidi->iface);
> >
> > --
> > 2.17.1
> >
--
Navid.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
https://mailman.alsa-project.org/mailman/listinfo/alsa-devel
next prev parent reply other threads:[~2019-10-28 16:25 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-27 22:10 [PATCH] ALSA: usb-audio: Fix memory leak in __snd_usbmidi_create Navid Emamdoost
2019-10-27 22:10 ` [alsa-devel] " Navid Emamdoost
2019-10-28 6:27 ` Takashi Iwai
2019-10-28 6:27 ` [alsa-devel] " Takashi Iwai
2019-10-28 16:25 ` Navid Emamdoost [this message]
2019-10-28 16:25 ` Navid Emamdoost
2019-10-28 16:38 ` Takashi Iwai
2019-10-28 16:38 ` [alsa-devel] " Takashi Iwai
2019-10-28 16:42 ` Navid Emamdoost
2019-10-28 16:42 ` [alsa-devel] " Navid Emamdoost
2019-10-28 16:38 ` Clemens Ladisch
2019-10-28 16:38 ` [alsa-devel] " Clemens Ladisch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEkB2ESwKEQYQx75BnaHf4aUQHObx4jf0hreQx_KTeZ+QCjL4g@mail.gmail.com \
--to=navid.emamdoost@gmail.com \
--cc=alsa-devel@alsa-project.org \
--cc=clemens@ladisch.de \
--cc=emamd001@umn.edu \
--cc=kjlu@umn.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=perex@perex.cz \
--cc=smccaman@umn.edu \
--cc=tiwai@suse.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.