From: Dongliang Mu <mudongliangabcd@gmail.com>
To: Pavel Skripkin <paskripkin@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	syzbot <syzkaller@googlegroups.com>,
	linux-media@vger.kernel.org,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] media: em28xx: fix memory leak in em28xx_init_dev
Date: Tue, 2 Nov 2021 14:31:26 +0800
Message-ID: <CAD-N9QVxOObXE-voToHxFTDyJtyZ0PjWg6JQ-rQB5dB2ivrjtA@mail.gmail.com>
In-Reply-To: <76e1264b-87d3-c7cb-c9d5-bcf461fbb2bf@gmail.com>

On Tue, Nov 2, 2021 at 3:28 AM Pavel Skripkin <paskripkin@gmail.com> wrote:
>
> On 11/1/21 21:32, Dan Carpenter wrote:
> > On Mon, Nov 01, 2021 at 05:55:39PM +0800, Dongliang Mu wrote:
> >> In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails
> >> to deallocate the media_dev allocated in the em28xx_media_device_init.
> >>
> >> Fix this by adding em28xx_unregister_media_device to free media_dev.
> >>
> >> BTW, this patch is tested in my local syzkaller instance, and it can
> >> prevent the memory leak from occurring again.
> >>
> >> CC: Pavel Skripkin <paskripkin@gmail.com>
> >> Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support")
> >> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> >> Reported-by: syzbot <syzkaller@googlegroups.com>
> >
> > Is this really a syzbot warning?  If so it should be in the format:
> >
> > Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
> >
> > Syzbot is different from syzkaller.  Syzkaller is the fuzzer and syzbot
> > is the program which reports syzkaller bugs.
> >
>
> Bug report is from his local instance. He just wants to give credit to
> syzbot for finding it

Hi Dan,

just as explained by Pavel, I leveraged the local syzkaller instance
to find this bug.

I can modify it to "Reported-by: syzkaller
<syzkaller@googlegroups.com>", this one looks better.

>
> >> ---
> >>  drivers/media/usb/em28xx/em28xx-cards.c | 19 +++++++++++++------
> >>  1 file changed, 13 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
> >> index c1e0dccb7408..fca68939ca50 100644
> >> --- a/drivers/media/usb/em28xx/em28xx-cards.c
> >> +++ b/drivers/media/usb/em28xx/em28xx-cards.c
> >> @@ -3625,8 +3625,10 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
> >>
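Review bot: the changelog above says the leak is in em28xx_init_rev, but the hunk header here (and the subject line) names the function em28xx_init_dev; correct the name in the commit message when resending, so that anyone searching the log for the function finds this fix.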
> >
> > There is no check to see if the em28xx_media_device_init() fails.  I
>
> I guess, it should work, since there are a lot of checks to see if this
> pointer is valid, i.e. the driver can work even without this pointer, AFAIK
>
> > don't love that we call unregister() to undo the init() but it seems
> > like it should work...
>
> Same here, but it is out of scope of this patch :)

From the implementation, em28xx_media_device_init and
em28xx_unregister_media_device should not be a pair of functions
(do/undo).

Maybe I can write em28xx_free_media_device to be paired with
em28xx_media_device_init, like below. And then only call it from the
error handling context.

static void em28xx_free_media_device(struct em28xx *dev)
{
#ifdef CONFIG_MEDIA_CONTROLLER
	kfree(dev->media_dev);
	dev->media_dev = NULL;
#endif
}

>
>
>
> With regards,
> Pavel Skripkin
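
The do/undo pairing proposed in this message, as an added userspace model that is not part of the thread or of the em28xx driver: an allocate-only init step gets a free helper as its exact inverse, and the failing init path calls it. All names (model_dev, model_media_init, model_media_free, model_audio_setup, model_init_dev) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model with hypothetical names; not the em28xx driver source. */
struct model_dev { void *media_dev; };	/* stands in for dev->media_dev */
static int live_allocs;			/* objects allocated and not yet freed */

/* Init step: allocates only, nothing has been registered yet. */
static int model_media_init(struct model_dev *dev)
{
	dev->media_dev = calloc(1, 64);
	if (!dev->media_dev)
		return -1;
	live_allocs++;
	return 0;
}

/* Exact inverse of model_media_init(), usable before any registration. */
static void model_media_free(struct model_dev *dev)
{
	if (!dev->media_dev)
		return;
	free(dev->media_dev);
	dev->media_dev = NULL;
	live_allocs--;
}
/* A later init step that can fail, like the audio setup in the thread. */
static int model_audio_setup(int fail) { return fail ? -1 : 0; }

/* Runs init (and teardown on success); returns objects still allocated. */
static int model_init_dev(int audio_fails, int paired_free)
{
	struct model_dev dev = { 0 };
	live_allocs = 0;
	if (model_media_init(&dev))
		return live_allocs;
	if (model_audio_setup(audio_fails)) {
		if (paired_free)
			model_media_free(&dev);	/* error path undoes the init */
		return live_allocs;		/* 1 here means media_dev leaked */
	}
	model_media_free(&dev);		/* normal teardown after success */
	return live_allocs;
}

int main(void)
{
	printf("leak=%d fixed=%d\n", model_init_dev(1, 0), model_init_dev(1, 1));
	return 0;
}
```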

Thread overview: 6+ messages
2021-11-01  9:55 [PATCH] media: em28xx: fix memory leak in em28xx_init_dev Dongliang Mu
2021-11-01 18:32 ` Dan Carpenter
2021-11-01 19:28   ` Pavel Skripkin
2021-11-02  6:31     ` Dongliang Mu [this message]
2021-11-02 13:50       ` Dan Carpenter
2021-11-08  1:06         ` Dongliang Mu
