This is a note to let you know that I've just added the patch titled
ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
to the 6.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
alsa-usb-audio-fix-potential-memory-leaks-at-error-path-for-ump-open.patch
and it can be found in the queue-6.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From b1757fa30ef14f254f4719bf6f7d54a4c8207216 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@xxxxxxx>
Date: Tue, 5 Sep 2023 07:45:11 +0200
Subject: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
From: Takashi Iwai <tiwai@xxxxxxx>
commit b1757fa30ef14f254f4719bf6f7d54a4c8207216 upstream.
The allocation and initialization errors at alloc_midi_urbs() that is
called at MIDI 2.0 / UMP device are supposed to be handled at the
caller side by invoking free_midi_urbs(). However, free_midi_urbs()
loops only for ep->num_urbs entries, and since ep->num_entries wasn't
updated yet at the allocation / init error in alloc_midi_urbs(), this
entry won't be released.
The intention of free_midi_urbs() is to release the whole elements, so
change the loop size to NUM_URBS to scan over all elements for fixing
the missed releases.
Also, the call of free_midi_urbs() is missing at
snd_usb_midi_v2_open(). Although it'll be released later at
reopen/close or disconnection, it's better to release immediately at
the error path.
Fixes: ff49d1df79ae ("ALSA: usb-audio: USB MIDI 2.0 UMP support")
Reported-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
Closes: https://lore.kernel.org/r/fc275ed315b9157952dcf2744ee7bdb78defdb5f.1693746347.git.christophe.jaillet@xxxxxxxxxx
Link: https://lore.kernel.org/r/20230905054511.20502-1-tiwai@xxxxxxx
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
sound/usb/midi2.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/sound/usb/midi2.c
+++ b/sound/usb/midi2.c
@@ -265,7 +265,7 @@ static void free_midi_urbs(struct snd_us
if (!ep)
return;
- for (i = 0; i < ep->num_urbs; ++i) {
+ for (i = 0; i < NUM_URBS; ++i) {
ctx = &ep->urbs[i];
if (!ctx->urb)
break;
@@ -279,6 +279,7 @@ static void free_midi_urbs(struct snd_us
}
/* allocate URBs for an EP */
+/* the callers should handle allocation errors via free_midi_urbs() */
static int alloc_midi_urbs(struct snd_usb_midi2_endpoint *ep)
{
struct snd_usb_midi2_urb *ctx;
@@ -351,8 +352,10 @@ static int snd_usb_midi_v2_open(struct s
return -EIO;
if (ep->direction == STR_OUT) {
err = alloc_midi_urbs(ep);
- if (err)
+ if (err) {
+ free_midi_urbs(ep);
return err;
+ }
}
return 0;
}
Patches currently in stable-queue which might be from tiwai@xxxxxxx are
queue-6.5/alsa-hda-cirrus-fix-broken-audio-on-hardware-with-two-cs42l42-codecs.patch
queue-6.5/alsa-seq-fix-snd_seq_expand_var_event-call-to-user-space.patch
queue-6.5/alsa-ump-fix-wformat-truncation-warnings.patch
queue-6.5/alsa-ump-fill-group-names-for-legacy-rawmidi-substre.patch
queue-6.5/alsa-ac97-fix-possible-error-value-of-rac97.patch
queue-6.5/alsa-usb-audio-attach-legacy-rawmidi-after-probing-a.patch
queue-6.5/um-fix-hostaudio-build-errors.patch
queue-6.5/alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
queue-6.5/alsa-usb-audio-fix-potential-memory-leaks-at-error-path-for-ump-open.patch
queue-6.5/wifi-rtw89-fix-loading-of-compressed-firmware.patch
queue-6.5/alsa-ump-don-t-create-unused-substreams-for-static-b.patch
