提交 fd0977d0 编写于 作者: J Jesper Juhl 提交者: Takashi Iwai

ALSA: asihpi - Unsafe memory management when allocating control cache

I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function and there's also the
problem that the first may succeed and the second may fail and nothing is
done about that either which will also go wrong down the line.
Signed-off-by: NJesper Juhl <jj@chaosbits.net>
Acked-by: NEliot Blennerhassett <linux@audioscience.com>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
上级 f7467452
...@@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao, ...@@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao,
control_cache_size, (struct hpi_control_cache_info *) control_cache_size, (struct hpi_control_cache_info *)
&phw->control_cache[0] &phw->control_cache[0]
); );
if (!phw->p_cache)
pao->has_control_cache = 0;
} else } else
pao->has_control_cache = 0; pao->has_control_cache = 0;
......
...@@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao, ...@@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao,
interface->control_cache.size_in_bytes, interface->control_cache.size_in_bytes,
(struct hpi_control_cache_info *) (struct hpi_control_cache_info *)
p_control_cache_virtual); p_control_cache_virtual);
if (!phw->p_cache)
err = HPI_ERROR_MEMORY_ALLOC;
} }
if (!err) { if (!err) {
err = hpios_locked_mem_get_phys_addr(&phw-> err = hpios_locked_mem_get_phys_addr(&phw->
......
...@@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32 ...@@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32
{ {
struct hpi_control_cache *p_cache = struct hpi_control_cache *p_cache =
kmalloc(sizeof(*p_cache), GFP_KERNEL); kmalloc(sizeof(*p_cache), GFP_KERNEL);
if (!p_cache)
return NULL;
p_cache->p_info =
kmalloc(sizeof(*p_cache->p_info) * number_of_controls,
GFP_KERNEL);
if (!p_cache->p_info) {
kfree(p_cache);
return NULL;
}
p_cache->cache_size_in_bytes = size_in_bytes; p_cache->cache_size_in_bytes = size_in_bytes;
p_cache->control_count = number_of_controls; p_cache->control_count = number_of_controls;
p_cache->p_cache = p_cache->p_cache =
(struct hpi_control_cache_single *)pDSP_control_buffer; (struct hpi_control_cache_single *)pDSP_control_buffer;
p_cache->init = 0; p_cache->init = 0;
p_cache->p_info =
kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count,
GFP_KERNEL);
return p_cache; return p_cache;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册