diff options
| author | Daniel THOMPSON <daniel.thompson@st.com> | 2008-08-15 10:53:38 +0100 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2008-08-15 14:28:00 +0200 |
| commit | 84571e9036fd8f2dd20f53fd4f6b83758932b9de (patch) | |
| tree | 967f61bc2d4a3f3d96c6a139d150b1941b1ce996 /sound | |
| parent | fd429be53b1dc3b0503f35bdee490e2edf17a6fb (diff) | |
sound: Fix esoteric double free in the dummy sound driver.
The dummy driver uses runtime->private_free but still frees
its pcm structures on error paths.
This is esoteric because the error paths in question are
unreachable. Thus the bug is only a problem when someone
copies this code into other drivers.
Signed-off-by: Daniel R Thompson <daniel.thompson@st.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/drivers/dummy.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c index 4e4c69e6cb4c..90fc1ce44162 100644 --- a/sound/drivers/dummy.c +++ b/sound/drivers/dummy.c @@ -354,6 +354,7 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_playback; if (substream->pcm->device & 1) { @@ -362,10 +363,8 @@ static int snd_card_dummy_playback_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_playback_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_playback_constraints(runtime)) < 0) return err; - } return 0; } @@ -379,6 +378,7 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) if ((dpcm = new_pcm_stream(substream)) == NULL) return -ENOMEM; runtime->private_data = dpcm; + /* makes the infrastructure responsible for freeing dpcm */ runtime->private_free = snd_card_dummy_runtime_free; runtime->hw = snd_card_dummy_capture; if (substream->pcm->device == 1) { @@ -387,10 +387,8 @@ static int snd_card_dummy_capture_open(struct snd_pcm_substream *substream) } if (substream->pcm->device & 2) runtime->hw.info &= ~(SNDRV_PCM_INFO_MMAP|SNDRV_PCM_INFO_MMAP_VALID); - if ((err = add_capture_constraints(runtime)) < 0) { - kfree(dpcm); + if ((err = add_capture_constraints(runtime)) < 0) return err; - } return 0; } |