[PATCH 1/2] media: as102: fix memory leak in probe error path after device registration

[xiaopeitux]

From: Pei Xiao <xiaopei01@xxxxxxxxxx>

Commit 8bd29dbe03fc ("media: as102: fix to not free memory after the
device is registered in as102_usb_probe()") solved a use-after-free /
double-free race condition by never freeing as102_dev directly once
usb_register_dev() had succeeded.  Instead, the memory is freed in
as102_usb_release() when the last open file descriptor is closed.

However, this introduced a memory leak when the probe fails after
usb_register_dev() succeeds but no userspace process has opened the
device node.  In that scenario, usb_deregister_dev() removes the device
node, but as102_dev is never freed because as102_usb_release() is never
called (there is no open fd).  The only reference to the object (the
interface's private data) is cleared, leaving the allocated memory
completely unreachable.

Fix the leak by calling kref_put() on as102_dev->kref in the
failed_stream error path.  The kref was initialised to 1 during probe,
and as102_usb_release() is the release function that performs kfree().
If no open fd exists, the kref_put() will drop the initial reference to
zero and trigger as102_usb_release() immediately, freeing the memory.
If there are open fds, the extra references keep the object alive until
the last close, which is the correct behaviour.

Fixes: 8bd29dbe03fc ("media: as102: fix to not free memory after the device is registered in as102_usb_probe()")
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
Closes: https://lore.kernel.org/lkml/DAD7161C-A1DA-422E-BBC5-2893ABDC2DD0@xxxxxxxxx/
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Pei Xiao <xiaopei01@xxxxxxxxxx>
---
 drivers/media/usb/as102/as102_usb_drv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/as102/as102_usb_drv.c b/drivers/media/usb/as102/as102_usb_drv.c
index a11024451ceb..ad6c5837f1d7 100644
--- a/drivers/media/usb/as102/as102_usb_drv.c
+++ b/drivers/media/usb/as102/as102_usb_drv.c
@@ -405,6 +405,7 @@ static int as102_usb_probe(struct usb_interface *intf,
 failed_stream:
 	usb_set_intfdata(intf, NULL);
 	usb_deregister_dev(intf, &as102_usb_class_driver);
+	kref_put(&as102_dev->kref, as102_usb_release);
 	return ret;
 failed:
 	usb_put_dev(as102_dev->bus_adap.usb_dev);
-- 
2.25.1