From 54e8e21ed21ca8788aa75294067494abebf9d550 Mon Sep 17 00:00:00 2001 From: Daniel THOMPSON Date: Fri, 15 Aug 2008 10:53:38 +0100 Subject: [PATCH] sound: Fix esoteric double free in the dummy sound driver. The dummy driver uses runtime->private_free but still frees its pcm structures on error paths. This is esoteric because the error paths in question are unreachable. Thus the bug is only a problem when someone copies this code into other drivers. Signed-off-by: Daniel R Thompson Signed-off-by: Jaroslav Kysela --- sound/drivers/dummy.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c index c873243e6713..4f900d8b92ce 100644 --- a/sound/drivers/dummy.c +++ b/sound/drivers/dummy.c @@ -354,6 +354,7 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_playback; if (substream->pcm->device & 1) { @@ -362,10 +363,8 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_playback_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_playback_constraints(runtime)) < 0) return err; - } return 0; } @@ -379,6 +378,7 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_capture; if (substream->pcm->device == 1) { @@ -387,10 +387,8 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_capture_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_capture_constraints(runtime)) < 0) return err; - } return 0; } -- 2.20.1