On Sun, 11 Aug 2024 22:23:36 +0200,
Ivan Orlov wrote:
> +static int snd_utimer_ioctl_create(struct file *file,
> + struct snd_timer_uinfo __user *_utimer_info)
> +{
> + struct snd_utimer *utimer;
> + struct snd_timer_uinfo *utimer_info __free(kfree) = NULL;
> + int err;
> +
> + utimer_info = memdup_user(_utimer_info, sizeof(*utimer_info));
> + if (IS_ERR(utimer_info))
> + return PTR_ERR(no_free_ptr(utimer_info));
> +
> + err = snd_utimer_create(utimer_info, &utimer);
> + if (err < 0)
> + return err;
> +
> + utimer_info->id = utimer->id;
> +
> + err = copy_to_user(_utimer_info, utimer_info, sizeof(*utimer_info));
> + if (err) {
> + snd_utimer_free(utimer);
> + return -EFAULT;
> + }
> +
> + return anon_inode_getfd(utimer->name, &snd_utimer_fops, utimer, O_RDWR
> | O_CLOEXEC);
Wouldn't utimer be left unfreed if this returns an error?
thanks,
Takashi
