Re: [PATCH] ALSA: usb-audio: qcom: Free sideband sg_table objects

Next message: Miguel Ojeda: "Re: [PATCH 6.1 000/522] 6.1.176-rc1 review"
Previous message: Philipp Stanner: "Re: [PATCH v2 5/6] rust: Add dma_fence abstractions"
In reply to: raoxu: "[PATCH] ALSA: usb-audio: qcom: Free sideband sg_table objects"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Wed Jun 17 2026 - 05:08:29 EST

On Tue, 16 Jun 2026 13:59:16 +0200,
raoxu wrote:
>
> From: Xu Rao <raoxu@xxxxxxxxxxxxx>
>
> The Qualcomm USB audio offload driver obtains an endpoint transfer-ring
> table by calling xhci_sideband_get_endpoint_buffer(). This getter passes
> the endpoint ring to xhci_ring_to_sgtable(), which allocates the outer
> struct sg_table with kzalloc_obj(*sgt). The event-ring path is
> equivalent: xhci_sideband_get_event_buffer() also returns the result of
> xhci_ring_to_sgtable().
>
> Inside xhci_ring_to_sgtable(), sg_alloc_table_from_pages() separately
> allocates the scatterlist storage referenced by sgt->sgl. The returned
> object therefore has two allocation layers: the outer struct sg_table
> and its internal scatterlist storage.
>
> The Qualcomm caller only invokes sg_free_table(sgt). sg_free_table()
> releases the scatterlist storage owned by the table, but it does not
> free the separately allocated outer struct sg_table. The local sgt
> pointer is then discarded, so every successful endpoint or event-ring
> query leaks the outer object.
>
> Call kfree(sgt) after sg_free_table(sgt) in both setup paths, after the
> required page and DMA addresses have been copied out.
>
> Fixes: 326bbc348298 ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
> Signed-off-by: Xu Rao <raoxu@xxxxxxxxxxxxx>

Applied now. Thanks.

Takashi