From: Dan Carpenter <dan.carpenter@oracle.com>
To: oleksandr_andrushchenko@epam.com
Cc: xen-devel@lists.xenproject.org
Subject: [bug report] ALSA: xen-front: Use Xen common shared buffer implementation
Date: Wed, 21 Oct 2020 13:50:23 +0300 [thread overview]
Message-ID: <20201021105023.GA957589@mwanda> (raw)
Hello Oleksandr Andrushchenko,
The patch 58f9d806d16a: "ALSA: xen-front: Use Xen common shared
buffer implementation" from Nov 30, 2018, leads to the following
static checker warning:
sound/xen/xen_snd_front_alsa.c:495 alsa_hw_params()
warn: 'stream->shbuf.directory' double freed
sound/xen/xen_snd_front_alsa.c:495 alsa_hw_params()
warn: 'stream->shbuf.grefs' double freed
sound/xen/xen_snd_front_alsa.c
461 static int alsa_hw_params(struct snd_pcm_substream *substream,
462 struct snd_pcm_hw_params *params)
463 {
464 struct xen_snd_front_pcm_stream_info *stream = stream_get(substream);
465 struct xen_snd_front_info *front_info = stream->front_info;
466 struct xen_front_pgdir_shbuf_cfg buf_cfg;
467 int ret;
468
469 /*
470 * This callback may be called multiple times,
471 * so free the previously allocated shared buffer if any.
472 */
473 stream_free(stream);
^^^^^^^^^^^^^^^^^^^
This is freed here.
474 ret = shbuf_setup_backstore(stream, params_buffer_bytes(params));
475 if (ret < 0)
476 goto fail;
^^^^^^^^^^
This leads to some double frees. Probably more double frees than Smatch
is detecting.
477
478 memset(&buf_cfg, 0, sizeof(buf_cfg));
479 buf_cfg.xb_dev = front_info->xb_dev;
480 buf_cfg.pgdir = &stream->shbuf;
481 buf_cfg.num_pages = stream->num_pages;
482 buf_cfg.pages = stream->pages;
483
484 ret = xen_front_pgdir_shbuf_alloc(&buf_cfg);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is where "stream->shbuf.directory" is re-allocated on the success
path.
485 if (ret < 0)
486 goto fail;
487
488 ret = xen_front_pgdir_shbuf_map(&stream->shbuf);
489 if (ret < 0)
490 goto fail;
491
492 return 0;
493
494 fail:
495 stream_free(stream);
^^^^^^^^^^^^^^^^^^^^
Double free.
496 dev_err(&front_info->xb_dev->dev,
497 "Failed to allocate buffers for stream with index %d\n",
498 stream->index);
499 return ret;
500 }
regards,
dan carpenter
next reply other threads:[~2020-10-21 10:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-21 10:50 Dan Carpenter [this message]
2020-10-27 7:37 ` [bug report] ALSA: xen-front: Use Xen common shared buffer implementation Oleksandr Andrushchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201021105023.GA957589@mwanda \
--to=dan.carpenter@oracle.com \
--cc=oleksandr_andrushchenko@epam.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.