diff options
| author | Daniel THOMPSON <daniel.thompson@st.com> | 2008-08-15 10:53:38 +0100 |
|---|---|---|
| committer | Jaroslav Kysela <perex@perex.cz> | 2008-08-15 12:38:14 +0200 |
| commit | 54e8e21ed21ca8788aa75294067494abebf9d550 (patch) | |
| tree | 354640ce67641af2632212edf6a29fb8e7a6fd9c /sound/drivers | |
| parent | 8daaaa97d6420c7e8b02c12ce591bb29fd959c62 (diff) | |
| download | linux-54e8e21ed21ca8788aa75294067494abebf9d550.tar.gz | |
sound: Fix esoteric double free in the dummy sound driver.
The dummy driver uses runtime->private_free but still frees its pcm structures on error paths. This is esoteric because the error paths in question are unreachable. Thus the bug is only a problem when someone copies this code into other drivers. Signed-off-by: Daniel R Thompson <daniel.thompson@st.com> Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Diffstat (limited to 'sound/drivers')
| -rw-r--r-- | sound/drivers/dummy.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c index c873243e6713..4f900d8b92ce 100644 --- a/sound/drivers/dummy.c +++ b/sound/drivers/dummy.c @@ -354,6 +354,7 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_playback; if (substream->pcm->device & 1) { @@ -362,10 +363,8 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_playback_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_playback_constraints(runtime)) < 0) return err; - } return 0; } @@ -379,6 +378,7 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_capture; if (substream->pcm->device == 1) { @@ -387,10 +387,8 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_capture_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_capture_constraints(runtime)) < 0) return err; - } return 0; } |