From: Sean Young <sean@mess.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
Stefan Seyfried <seife+kernel@b1-systems.com>
Subject: Re: [PATCH 1/2] media: dvb-usb: Fix memory leak at error in dvb_usb_device_init()
Date: Sun, 31 Jan 2021 14:53:20 +0000 [thread overview]
Message-ID: <20210131145320.GA4886@gofer.mess.org> (raw)
In-Reply-To: <20210120102057.21143-2-tiwai@suse.de>
On Wed, Jan 20, 2021 at 11:20:56AM +0100, Takashi Iwai wrote:
> dvb_usb_device_init() allocates a dvb_usb_device object, but it
> doesn't release it even when returning an error. The callers don't
> seem caring it as well, hence those memories are leaked.
>
> This patch assures releasing the memory at the error path in
> dvb_usb_device_init(). Also it makes sure that USB intfdata is reset
> and don't return the bogus pointer to the caller at the error path,
> too.
>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> drivers/media/usb/dvb-usb/dvb-usb-init.c | 18 ++++++++++++------
> 1 file changed, 12 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> index c1a7634e27b4..5befec87f26a 100644
> --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> @@ -281,15 +281,21 @@ int dvb_usb_device_init(struct usb_interface *intf,
>
> usb_set_intfdata(intf, d);
>
> - if (du != NULL)
> + ret = dvb_usb_init(d, adapter_nums);
dvb_usb_init() has different errors paths.
1. It can return -ENOMEM if it cannot kzalloc(). No other side affects.
2. It can return an error if dvb_usb_i2c_init() or dvb_usb_adapter_init()
fails. In this case, dvb_usb_exit() is called, which frees
struct dvb_usb_device*
In the last case we now have a double free.
Sean
> + if (ret) {
> + info("%s error while loading driver (%d)", desc->name, ret);
> + goto error;
> + }
> +
> + if (du)
> *du = d;
>
> - ret = dvb_usb_init(d, adapter_nums);
> + info("%s successfully initialized and connected.", desc->name);
> + return 0;
>
> - if (ret == 0)
> - info("%s successfully initialized and connected.", desc->name);
> - else
> - info("%s error while loading driver (%d)", desc->name, ret);
> + error:
> + usb_set_intfdata(intf, NULL);
> + kfree(d);
> return ret;
> }
> EXPORT_SYMBOL(dvb_usb_device_init);
> --
> 2.26.2
next prev parent reply other threads:[~2021-01-31 14:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-20 10:20 [PATCH 0/2] media: dvb-usb: Fix UAF and memory leaks Takashi Iwai
2021-01-20 10:20 ` [PATCH 1/2] media: dvb-usb: Fix memory leak at error in dvb_usb_device_init() Takashi Iwai
2021-01-22 9:24 ` Robert Foss
2021-01-31 14:53 ` Sean Young [this message]
2021-02-01 8:18 ` Takashi Iwai
2021-01-20 10:20 ` [PATCH 2/2] media: dvb-usb: Fix use-after-free access Takashi Iwai
2021-01-22 15:47 ` Robert Foss
2021-01-31 15:04 ` Sean Young
2021-02-01 8:22 ` Takashi Iwai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210131145320.GA4886@gofer.mess.org \
--to=sean@mess.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=seife+kernel@b1-systems.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.