Please apply commit 9453264ef586 ("media: go7007: fix a miss of snd_card_free") to v4.9.y up to v5.4.y

Please apply commit 9453264ef586 ("media: go7007: fix a miss of snd_card_free") to v4.9.y up to v5.4.y

[Salvatore Bonaccorso]

Hi

Could you please apply 9453264ef586 ("media: go7007: fix a miss of
snd_card_free") to v4.9.y up to v5.4.y stable series? The fix is
related to CVE-2019-20810.

The commit can be cherry-picked as is for 5.4.y but needs a small
adjustment for context for versions which do not contain c0decac19da3
("media: use strscpy() instead of strlcpy()") and ba78170ef153
("media: go7007: Fix misuse of strscpy"). Attached a respective patch
which applies with that refresh back to v4.9.y.

Regards,
Salvatore

From fd93d8ec8b3447fd29509d2d2f92352e26ff3804 Mon Sep 17 00:00:00 2001
From: Chuhong Yuan <hslester96@gmail.com>
Date: Tue, 10 Dec 2019 04:15:48 +0100
Subject: [PATCH] media: go7007: fix a miss of snd_card_free

go7007_snd_init() misses a snd_card_free() in an error path.
Add the missed call to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[Salvatore Bonaccorso: Adjust context for backport to versions which do
not contain c0decac19da3 ("media: use strscpy() instead of strlcpy()")
and ba78170ef153 ("media: go7007: Fix misuse of strscpy")]
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
---
 drivers/media/usb/go7007/snd-go7007.c | 35 +++++++++++++--------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/drivers/media/usb/go7007/snd-go7007.c b/drivers/media/usb/go7007/snd-go7007.c
index 137fc253b122..96c37a131deb 100644
--- a/drivers/media/usb/go7007/snd-go7007.c
+++ b/drivers/media/usb/go7007/snd-go7007.c
@@ -244,22 +244,18 @@ int go7007_snd_init(struct go7007 *go)
 	gosnd->capturing = 0;
 	ret = snd_card_new(go->dev, index[dev], id[dev], THIS_MODULE, 0,
 			   &gosnd->card);
-	if (ret < 0) {
-		kfree(gosnd);
-		return ret;
-	}
+	if (ret < 0)
+		goto free_snd;
+
 	ret = snd_device_new(gosnd->card, SNDRV_DEV_LOWLEVEL, go,
 			&go7007_snd_device_ops);
-	if (ret < 0) {
-		kfree(gosnd);
-		return ret;
-	}
+	if (ret < 0)
+		goto free_card;
+
 	ret = snd_pcm_new(gosnd->card, "go7007", 0, 0, 1, &gosnd->pcm);
-	if (ret < 0) {
-		snd_card_free(gosnd->card);
-		kfree(gosnd);
-		return ret;
-	}
+	if (ret < 0)
+		goto free_card;
+
 	strlcpy(gosnd->card->driver, "go7007", sizeof(gosnd->card->driver));
 	strlcpy(gosnd->card->shortname, go->name, sizeof(gosnd->card->driver));
 	strlcpy(gosnd->card->longname, gosnd->card->shortname,
@@ -270,11 +266,8 @@ int go7007_snd_init(struct go7007 *go)
 			&go7007_snd_capture_ops);
 
 	ret = snd_card_register(gosnd->card);
-	if (ret < 0) {
-		snd_card_free(gosnd->card);
-		kfree(gosnd);
-		return ret;
-	}
+	if (ret < 0)
+		goto free_card;
 
 	gosnd->substream = NULL;
 	go->snd_context = gosnd;
@@ -282,6 +275,12 @@ int go7007_snd_init(struct go7007 *go)
 	++dev;
 
 	return 0;
+
+free_card:
+	snd_card_free(gosnd->card);
+free_snd:
+	kfree(gosnd);
+	return ret;
 }
 EXPORT_SYMBOL(go7007_snd_init);
 
-- 
2.27.0.rc0

Re: Please apply commit 9453264ef586 ("media: go7007: fix a miss of snd_card_free") to v4.9.y up to v5.4.y

[Greg Kroah-Hartman]

On Sat, Jun 06, 2020 at 03:57:20PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> Could you please apply 9453264ef586 ("media: go7007: fix a miss of
> snd_card_free") to v4.9.y up to v5.4.y stable series? The fix is
> related to CVE-2019-20810.

cves for memory leaks on error cleanup paths that no one has ever been
able to trigger?  Hah, yet another reason to hate cves...

I'll go queue this up now, thanks.

greg k-h