
media: cpia2: fix memory leak in cpia2_usb_probe

syzbot reported leak in cpia2 usb driver. The problem was
in invalid error handling.

v4l2_device_register() is called in cpia2_init_camera_struct(), but
none of the error paths after cpia2_init_camera_struct() called
v4l2_device_unregister().

Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

authored by

Pavel Skripkin and committed by
Mauro Carvalho Chehab
be8656e6 27ba4427

+20 -6
+1
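--- a/drivers/media/usb/cpia2/cpia2.h
+++ b/drivers/media/usb/cpia2/cpia2.h
@@ -429,6 +429,7 @@
 int cpia2_do_command(struct camera_data *cam,
 		     unsigned int command,
 		     unsigned char direction, unsigned char param);
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf);
 struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf);
 int cpia2_init_camera(struct camera_data *cam);
 int cpia2_allocate_buffers(struct camera_data *cam);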
+12
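--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2167,6 +2167,18 @@
  *
  * cpia2_init_camera_struct
  *
+ * Deinitialize camera struct
+ *****************************************************************************/
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf)
+{
+	v4l2_device_unregister(&cam->v4l2_dev);
+	kfree(cam);
+}
+
+/******************************************************************************
+ *
+ * cpia2_init_camera_struct
+ *
  * Initializes camera struct, does not call reset to fill in defaults.
  *****************************************************************************/
 struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf)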
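Review bot: The banner comment that now sits directly above the new cpia2_deinit_camera_struct() still names `cpia2_init_camera_struct`, because the insertion starts after that existing header line (old 2168), so the deinit function is documented under the wrong name; change that retained line to ` * cpia2_deinit_camera_struct` (the re-added banner below already names the init function correctly). The `intf` parameter of cpia2_deinit_camera_struct() is not used in its body; if it is reserved for later cleanup a short comment saying so would help, otherwise it can be dropped from the prototype in cpia2.h and the call in cpia2_usb.c as well. The banner could also state the contract a caller relies on, e.g. ` * Undo cpia2_init_camera_struct(): unregister the v4l2 device and free cam; cam must not be used afterwards.`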
+7 -6
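--- a/drivers/media/usb/cpia2/cpia2_usb.c
+++ b/drivers/media/usb/cpia2/cpia2_usb.c
@@ -844,15 +844,13 @@
 	ret = set_alternate(cam, USBIF_CMDONLY);
 	if (ret < 0) {
 		ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 
 	if((ret = cpia2_init_camera(cam)) < 0) {
 		ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 	LOG(" CPiA Version: %d.%02d (%d.%d)\n",
 	    cam->params.version.firmware_revision_hi,
@@ -870,11 +872,14 @@
 	ret = cpia2_register_camera(cam);
 	if (ret < 0) {
 		ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 	return 0;
+
+alt_err:
+	cpia2_deinit_camera_struct(cam, intf);
+	return ret;
 }
 
 /******************************************************************************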
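Review bot: The shared alt_err path only undoes cpia2_init_camera_struct(), so anything cpia2_init_camera() acquires at old line 852 before cpia2_register_camera() fails at line 870 is still not released on that path; confirm whether cpia2_init_camera() allocates (cpia2_allocate_buffers() is declared next to it in the cpia2.h hunk) and, if so, add the matching release before `cpia2_deinit_camera_struct(cam, intf);` or a second label for the later failures. The lines between the two hunks (old 859–869) are not visible here, so whether interface data is already pointed at cam when registration fails cannot be confirmed; if it is, that pointer should be cleared on the failure path before cam is freed so the interface does not keep a dangling reference that disconnect could dereference. The three former `kfree(cam)` sites now funnel through one label, which is only correct as long as cpia2_deinit_camera_struct() is safe to call after each of those partial states. cpia2_usb_probe() begins before the first hunk.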