From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>,
syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 12/16] media: gscpa/stv06xx: fix memory leak
Date: Mon, 3 May 2021 12:43:25 -0400 [thread overview]
Message-ID: <20210503164329.2854739-12-sashal@kernel.org> (raw)
In-Reply-To: <20210503164329.2854739-1-sashal@kernel.org>
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
For two of the supported sensors the stv06xx driver allocates memory which
is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
the probe() fails, then it isn't freed and so this leaks memory.
Add a new probe_error() op that drivers can use to free any allocated
memory in case there was a probe failure.
Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
of the memory leak.
Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/gspca/gspca.c | 2 ++
drivers/media/usb/gspca/gspca.h | 1 +
drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
3 files changed, 12 insertions(+)
diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
index 17b7b02330c9..a4f64bdb8017 100644
--- a/drivers/media/usb/gspca/gspca.c
+++ b/drivers/media/usb/gspca/gspca.c
@@ -2131,6 +2131,8 @@ int gspca_dev_probe2(struct usb_interface *intf,
#endif
v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
v4l2_device_unregister(&gspca_dev->v4l2_dev);
+ if (sd_desc->probe_error)
+ sd_desc->probe_error(gspca_dev);
kfree(gspca_dev->usb_buf);
kfree(gspca_dev);
return ret;
diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
index d39adf90303b..bec8fccc2c94 100644
--- a/drivers/media/usb/gspca/gspca.h
+++ b/drivers/media/usb/gspca/gspca.h
@@ -101,6 +101,7 @@ struct sd_desc {
cam_cf_op config; /* called on probe */
cam_op init; /* called on probe and resume */
cam_op init_controls; /* called on probe */
+ cam_v_op probe_error; /* called if probe failed, do cleanup here */
cam_op start; /* called on stream on after URBs creation */
cam_pkt_op pkt_scan;
/* optional operations */
diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
index 7d255529ed4c..40d4c99debb8 100644
--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
+++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
@@ -541,12 +541,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
static int stv06xx_config(struct gspca_dev *gspca_dev,
const struct usb_device_id *id);
+static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
+{
+ struct sd *sd = (struct sd *)gspca_dev;
+
+ kfree(sd->sensor_priv);
+ sd->sensor_priv = NULL;
+}
+
/* sub-driver description */
static const struct sd_desc sd_desc = {
.name = MODULE_NAME,
.config = stv06xx_config,
.init = stv06xx_init,
.init_controls = stv06xx_init_controls,
+ .probe_error = stv06xx_probe_error,
.start = stv06xx_start,
.stopN = stv06xx_stopN,
.pkt_scan = stv06xx_pkt_scan,
--
2.30.2
next prev parent reply other threads:[~2021-05-03 17:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-03 16:43 [PATCH AUTOSEL 4.4 01/16] scsi: target: pscsi: Fix warning in pscsi_complete_cmd() Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 02/16] media: ite-cir: check for receive overflow Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 03/16] media: media/saa7164: fix saa7164_encoder_register() memory leak bugs Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 04/16] media: gspca/sq905.c: fix uninitialized variable Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 05/16] media: pci: saa7164: Rudimentary spelling fixes in the file saa7164-types.h Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 06/16] media: em28xx: fix memory leak Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 07/16] clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 08/16] power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 09/16] power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 10/16] media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 11/16] media: dvb-usb: fix memory leak in dvb_usb_adapter_init Sasha Levin
2021-05-03 16:43 ` Sasha Levin [this message]
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 13/16] drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal Sasha Levin
2021-05-03 16:43 ` Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 14/16] drm/amdgpu: fix NULL pointer dereference Sasha Levin
2021-05-03 16:43 ` Sasha Levin
2021-05-03 16:43 ` Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 15/16] scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response Sasha Levin
2021-05-03 16:43 ` [PATCH AUTOSEL 4.4 16/16] scsi: libfc: Fix a format specifier Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210503164329.2854739-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.