[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4e065b3a-240e-4cd9-acd8-53e5a56abed0@moroto.mountain>
Date: Tue, 23 Jan 2024 09:04:26 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Zhipeng Lu <alexious@....edu.cn>
Cc: Parthiban Veerasooran <parthiban.veerasooran@...rochip.com>,
Christian Gromm <christian.gromm@...rochip.com>,
Dan Carpenter <error27@...il.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] most: fix a memleak in audio_probe_channel
On Tue, Jan 23, 2024 at 01:20:44AM +0800, Zhipeng Lu wrote:
> When get_channel fails, audio_probe_channel should free adpt like all
> its following error-handling paths after get_channel. Otherwise there
> could be a memleak.
>
> Fixes: 15600aea2754 ("staging: most: sound: create one sound card w/ multiple PCM devices per MOST device")
> Signed-off-by: Zhipeng Lu <alexious@....edu.cn>
> ---
> drivers/most/most_snd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/most/most_snd.c b/drivers/most/most_snd.c
> index 45d762804c5e..6cccc9c26796 100644
> --- a/drivers/most/most_snd.c
> +++ b/drivers/most/most_snd.c
> @@ -564,7 +564,8 @@ static int audio_probe_channel(struct most_interface *iface, int channel_id,
> if (get_channel(iface, channel_id)) {
> pr_err("channel (%s:%d) is already linked\n",
> iface->description, channel_id);
> - return -EEXIST;
> + ret = -EEXIST;
> + goto err_free_adpt;
No, this doesn't work. Someone should add a comment here explaining
why.
This function is a bit complicated because we sometimes allocate "adpt"
and sometimes we don't. Why can we not make it consistently one way or
the other? This is not my code and I don't know. But presumably there
is a good reason. I looked up the previous discussion of this and found
this thread.
https://lore.kernel.org/all/78cc59b31042f865e947a2c09a5d10cc60ddc01c.camel@microchip.com/
Anyway, in the end, we're trying to clean up and on the other error
paths we're allowed to free "adpt" even though we didn't allocate it.
However once it's got a channel linked then we cannot. At that stage
"adpt" is already added to the &iface->p->channel_list list. The
release_adapter() adapter function will free it without removing it from
the list so it leads to a use after free.
However, memory on this path is not leaked as your commit message says.
"adpt" is still on the lists. The stuff is in a messed up state so the
user will need to tear it all down manually and recreate the
configuration. Quoting the email I linked to, "This
involves the call to mdev_link_destroy_link_store() that cleans up
everything."
So we can't apply your patch because it leads to a use after free. But
we could apply a patch which adds a comment like:
/*
* This error path doesn't leak. If the channel is already set
* up then something has gone badly wrong. The user will have
* to tear everything down and reconfigure from scratch. The
* memory will be released via mdev_link_destroy_link_store().
*
*/
regards,
dan carpenter
Powered by blists - more mailing lists