ALSA: es18xx: check control allocation before private data setup

snd_es18xx_mixer() creates controls with snd_ctl_new1() and then stores
bookkeeping pointers or sets private_free before calling snd_ctl_add().
snd_ctl_new1() can return NULL on allocation failure, so those writes
can dereference a NULL control pointer.

Check the returned control pointers before using them and return -ENOMEM
on allocation failure.

Signed-off-by: Ruoyu Wang <ruoyuw560@gmail.com>
Link: https://patch.msgid.link/20260607074219.3-1-ruoyuw560@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/isa/es18xx.c b/sound/isa/es18xx.c
index df88d91e0fb200d1330a2eb33afea358146f6f35..1a02da1679d0513e01b63f067465fc3f2c7609ff 100644 (file)
--- a/sound/isa/es18xx.c
+++ b/sound/isa/es18xx.c
@@ -1762,6 +1762,8 @@ static int snd_es18xx_mixer(struct snd_card *card)
        for (idx = 0; idx < ARRAY_SIZE(snd_es18xx_base_controls); idx++) {
                struct snd_kcontrol *kctl;
                kctl = snd_ctl_new1(&snd_es18xx_base_controls[idx], chip);
+               if (!kctl)
+                       return -ENOMEM;
                if (chip->caps & ES18XX_HWV) {
                        switch (idx) {
                        case 0:
@@ -1823,6 +1825,8 @@ static int snd_es18xx_mixer(struct snd_card *card)
                for (idx = 0; idx < ARRAY_SIZE(snd_es18xx_hw_volume_controls); idx++) {
                        struct snd_kcontrol *kctl;
                        kctl = snd_ctl_new1(&snd_es18xx_hw_volume_controls[idx], chip);
+                       if (!kctl)
+                               return -ENOMEM;
                        if (idx == 0)
                                chip->hw_volume = kctl;
                        else