From fd0977d0f42d3e73121b88f57c7d48ca9b861a58 Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 29 Oct 2010 21:35:25 +0200 Subject: ALSA: asihpi - Unsafe memory management when allocating control cache I noticed that sound/pci/asihpi/hpicmn.c::hpi_alloc_control_cache() does not check the return value from kmalloc(), which may fail. If kmalloc() fails we'll dereference a null pointer and things will go bad fast. There are two memory allocations in that function and there's also the problem that the first may succeed and the second may fail and nothing is done about that either which will also go wrong down the line. Signed-off-by: Jesper Juhl Acked-by: Eliot Blennerhassett Signed-off-by: Takashi Iwai --- sound/pci/asihpi/hpi6000.c | 2 ++ sound/pci/asihpi/hpi6205.c | 2 ++ sound/pci/asihpi/hpicmn.c | 12 +++++++++--- 3 files changed, 13 insertions(+), 3 deletions(-) (limited to 'sound') diff --git a/sound/pci/asihpi/hpi6000.c b/sound/pci/asihpi/hpi6000.c index f7e374ec441..1b9bf9395cf 100644 --- a/sound/pci/asihpi/hpi6000.c +++ b/sound/pci/asihpi/hpi6000.c @@ -625,6 +625,8 @@ static short create_adapter_obj(struct hpi_adapter_obj *pao, control_cache_size, (struct hpi_control_cache_info *) &phw->control_cache[0] ); + if (!phw->p_cache) + pao->has_control_cache = 0; } else pao->has_control_cache = 0; diff --git a/sound/pci/asihpi/hpi6205.c b/sound/pci/asihpi/hpi6205.c index 22c5fc62553..2672f6591ce 100644 --- a/sound/pci/asihpi/hpi6205.c +++ b/sound/pci/asihpi/hpi6205.c @@ -644,6 +644,8 @@ static u16 create_adapter_obj(struct hpi_adapter_obj *pao, interface->control_cache.size_in_bytes, (struct hpi_control_cache_info *) p_control_cache_virtual); + if (!phw->p_cache) + err = HPI_ERROR_MEMORY_ALLOC; } if (!err) { err = hpios_locked_mem_get_phys_addr(&phw-> diff --git a/sound/pci/asihpi/hpicmn.c b/sound/pci/asihpi/hpicmn.c index dda4f1c6f65..d67f4d3db91 100644 --- a/sound/pci/asihpi/hpicmn.c +++ b/sound/pci/asihpi/hpicmn.c @@ -571,14 +571,20 @@ struct hpi_control_cache *hpi_alloc_control_cache(const u32 { struct hpi_control_cache *p_cache = kmalloc(sizeof(*p_cache), GFP_KERNEL); + if (!p_cache) + return NULL; + p_cache->p_info = + kmalloc(sizeof(*p_cache->p_info) * number_of_controls, + GFP_KERNEL); + if (!p_cache->p_info) { + kfree(p_cache); + return NULL; + } p_cache->cache_size_in_bytes = size_in_bytes; p_cache->control_count = number_of_controls; p_cache->p_cache = (struct hpi_control_cache_single *)pDSP_control_buffer; p_cache->init = 0; - p_cache->p_info = - kmalloc(sizeof(*p_cache->p_info) * p_cache->control_count, - GFP_KERNEL); return p_cache; } -- cgit v1.2.3-70-g09d2