[PATCH 4.14 037/186] media: em28xx: fix memory leak in em28xx_init_dev

From: Greg Kroah-Hartman
Date: Mon Jan 24 2022 - 14:18:02 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 118/186] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 113/157] ALSA: seq: Set upper limit of processed events"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 079/186] dmaengine: pxa/mmp: stop referencing config->slave_id"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 118/186] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dongliang Mu <mudongliangabcd@xxxxxxxxx>

[ Upstream commit 22be5a10d0b24eec9e45decd15d7e6112b25f080 ]

In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails
to deallocate the media_dev allocated in the em28xx_media_device_init.

Fix this by adding em28xx_unregister_media_device to free media_dev.

BTW, this patch is tested in my local syzkaller instance, and it can
prevent the memory leak from occurring again.

CC: Pavel Skripkin <paskripkin@xxxxxxxxx>
Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support")
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/media/usb/em28xx/em28xx-cards.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
index 9747e23aad271..b736c027a0bd0 100644
--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3386,8 +3386,10 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,

if (dev->is_audio_only) {
retval = em28xx_audio_setup(dev);
- if (retval)
- return -ENODEV;
+ if (retval) {
+ retval = -ENODEV;
+ goto err_deinit_media;
+ }
em28xx_init_extension(dev);

return 0;
@@ -3417,7 +3419,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
dev_err(&dev->intf->dev,
"%s: em28xx_i2c_register bus 0 - error [%d]!\n",
__func__, retval);
- return retval;
+ goto err_deinit_media;
}

/* register i2c bus 1 */
@@ -3433,9 +3435,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
"%s: em28xx_i2c_register bus 1 - error [%d]!\n",
__func__, retval);

- em28xx_i2c_unregister(dev, 0);
-
- return retval;
+ goto err_unreg_i2c;
}
}

@@ -3443,6 +3443,12 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
em28xx_card_setup(dev);

return 0;
+
+err_unreg_i2c:
+ em28xx_i2c_unregister(dev, 0);
+err_deinit_media:
+ em28xx_unregister_media_device(dev);
+ return retval;
}

/* high bandwidth multiplier, as encoded in highspeed endpoint descriptors */
--
2.34.1

Next message: Greg Kroah-Hartman: "[PATCH 4.14 118/186] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 113/157] ALSA: seq: Set upper limit of processed events"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 079/186] dmaengine: pxa/mmp: stop referencing config->slave_id"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 118/186] ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]