I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does
not check the return value from kmalloc(), which may fail.
If kmalloc() fails we'll dereference a null pointer and things will go bad
fast.
There are two memory allocations in that function and there's also the
problem that the first may succeed and the second may fail and nothing is
done about that either which will also go wrong down the line.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Eliot Blennerhassett <linux@audioscience.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
control_cache_size, (struct hpi_control_cache_info *)
&phw->control_cache[0]
);
+ if (!phw->p_cache)
+ pao->has_control_cache = 0;
} else
pao->has_control_cache = 0;
interface->control_cache.size_in_bytes,
(struct hpi_control_cache_info *)
p_control_cache_virtual);
+ if (!phw->p_cache)
+ err = HPI_ERROR_MEMORY_ALLOC;
}
if (!err) {
err = hpios_locked_mem_get_phys_addr(&phw->
{
struct hpi_control_cache *p_cache =
kmalloc(sizeof(*p_cache), GFP_KERNEL);
+ if (!p_cache)
+ return NULL;
+ p_cache->p_info =
+ kmalloc(sizeof(*p_cache->p_info) * number_of_controls,
+ GFP_KERNEL);
+ if (!p_cache->p_info) {
+ kfree(p_cache);
+ return NULL;
+ }
p_cache->cache_size_in_bytes = size_in_bytes;
p_cache->control_count = number_of_controls;
p_cache->p_cache =
(struct hpi_control_cache_single *)pDSP_control_buffer;
p_cache->init = 0;
- p_cache->p_info =
- kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count,
- GFP_KERNEL);
return p_cache;
}