[RFC PATCH] media: dvb-usb: fix memory leak in dvb_usb_adapter_init()

From: Mazin Al Haddad <mazinalhaddad05@gmail.com>
To: linux-media@vger.kernel.org
Cc: mchehab@kernel.org, sean@mess.org, mudongliangabcd@gmail.com,
	skhan@linuxfoundation.org,
	Mazin Al Haddad <mazinalhaddad05@gmail.com>,
	syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com
Subject: [RFC PATCH] media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
Date: Sun, 26 Jun 2022 04:44:24 +0300	[thread overview]
Message-ID: <20220626014423.86262-1-mazinalhaddad05@gmail.com> (raw)

Fix a memory leak in dvb_usb_adapter_init() found by syzkaller. The 
problem is due to the error path exiting before incrementing 
num_adapters_initalized which is used to kfree() adapter's private data. 
There are multiple error paths that dvb_usb_adapter_init() can exit from 
including one before the problematic allocation itself. Fix it by adding a 
variable to the dvb_usb_device struct that counts the successful 
allocations for each dvb adapter's private data and use it to kfree the 
objects in dvb_usb_adapter_exit.

BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
  comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
    [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
    [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
    [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
    [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
    [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
    [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
    [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
    [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
    [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
    [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
    [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
    [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
    [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
    [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
    [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752

Link: https://syzkaller.appspot.com/bug?id=4d54f8bf7b98eecf6cd76ed5aaea883c5d9e502a
Reported-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com
Signed-off-by: Mazin Al Haddad <mazinalhaddad05@gmail.com>
---
 drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 ++++++-
 drivers/media/usb/dvb-usb/dvb-usb.h      | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 61439c8f33ca..bbee86c70cc5 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -77,6 +77,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
 				err("no memory for priv for adapter %d.", n);
 				return -ENOMEM;
 			}
+			d->num_adap_priv_initialized++;
 		}
 
 		ret = dvb_usb_adapter_stream_init(adap);
@@ -125,8 +126,12 @@ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
 		dvb_usb_adapter_frontend_exit(&d->adapter[n]);
 		dvb_usb_adapter_dvb_exit(&d->adapter[n]);
 		dvb_usb_adapter_stream_exit(&d->adapter[n]);
-		kfree(d->adapter[n].priv);
 	}
+
+	for (n = 0; n < d->num_adap_priv_initialized; n++)
+		kfree(d->adapter[n].priv);
+
+	d->num_adapters_initialized = 0;
 	d->num_adapters_initialized = 0;
 	d->state &= ~DVB_USB_STATE_DVB;
 	return 0;
diff --git a/drivers/media/usb/dvb-usb/dvb-usb.h b/drivers/media/usb/dvb-usb/dvb-usb.h
index 0990aa4a17bb..1bfc33db3b52 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb.h
+++ b/drivers/media/usb/dvb-usb/dvb-usb.h
@@ -483,6 +483,7 @@ struct dvb_usb_device {
 	struct i2c_adapter i2c_adap;
 
 	int                    num_adapters_initialized;
+	int		       num_adap_priv_initialized;
 	struct dvb_usb_adapter adapter[MAX_NO_OF_ADAPTER_PER_DEVICE];
 
 	/* remote control */
-- 
2.36.1

