From: Dan Carpenter <dan.carpenter@oracle.com>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
Linux Media Mailing List <linux-media@vger.kernel.org>,
royale@zerezo.com, USB <linux-usb@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
syzbot+b4d54814b339b5c6bbd4@syzkaller.appspotmail.com
Subject: Re: [RFT][PATCH v1] media: zr364xx: Fix memory leak in ->probe()
Date: Tue, 5 Jan 2021 17:00:45 +0300
Message-ID: <20210105140045.GF2809@kadam>
In-Reply-To: <20201230211918.63508-1-andriy.shevchenko@linux.intel.com>

On Wed, Dec 30, 2020 at 11:19:18PM +0200, Andy Shevchenko wrote:
> When ->probe() fails in some cases it may not free resources.
> Replace few separated calls by v4l2_device_put() to clean up
> everything.
>

The clean up everything style of error handling is always buggy.

For example, in this case, all the early error paths will now crash
instead of leaking. The __videobuf_free() function will Oops when it
dereferences "q->int_ops->magic".

	MAGIC_CHECK(q->int_ops->magic, MAGIC_QTYPE_OPS);

The "q->int_ops" pointer is set in videobuf_queue_vmalloc_init(). There
are probably other bugs as well. It's almost impossible to audit this
style of error handling either for completeness or for crashyness.

regards,
dan carpenter
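
Added example, not part of the original message and not zr364xx or videobuf code: a userspace C model of the hazard described above, with a single release routine called from every error path next to staged goto unwinding. The struct layout, function names, sizes and the fail_at failure injection are all assumptions made for illustration; the would-be Oops is reported as a return value instead of a real NULL dereference.

```c
#include <stdlib.h>

/* Userspace model, constructed for illustration; not zr364xx/videobuf code. */
struct cam { void *ctrl; struct q_ops { int magic; } *int_ops; void *frame; };
static int live;	/* outstanding allocations, used to spot leaks */

static void *get(size_t n, int fail)	/* fail != 0 injects an allocation failure */
{
	void *p = fail ? NULL : calloc(1, n);
	live += (p != NULL);
	return p;
}
static void put(void *p) { if (p) { free(p); live--; } }

/* One release for every state; -1 marks where kernel code would Oops. */
static int release_everything(struct cam *c)
{
	if (!c->int_ops)
		return -1;	/* stands in for reading c->int_ops->magic */
	put(c->frame); put(c->int_ops); put(c->ctrl);
	return 0;
}

/* fail_at 1..3 fails that step. Returns 0 ok, -1 clean failure, -2 would-be Oops. */
static int probe_release_all(struct cam *c, int fail_at)
{
	*c = (struct cam){0};
	if (!(c->ctrl = get(64, fail_at == 1)) ||
	    !(c->int_ops = get(sizeof(*c->int_ops), fail_at == 2)) ||
	    !(c->frame = get(4096, fail_at == 3)))
		return release_everything(c) ? -2 : -1;
	return 0;
}

/* Staged unwinding: each label undoes only the steps that succeeded. */
static int probe_unwind(struct cam *c, int fail_at)
{
	*c = (struct cam){0};
	if (!(c->ctrl = get(64, fail_at == 1)))
		return -1;
	if (!(c->int_ops = get(sizeof(*c->int_ops), fail_at == 2)))
		goto err_ctrl;
	if (!(c->frame = get(4096, fail_at == 3)))
		goto err_ops;
	return 0;
err_ops:
	put(c->int_ops);
err_ctrl:
	put(c->ctrl);
	return -1;
}
```

In this model only failures before int_ops is set (fail_at 1 and 2) reach the would-be Oops; the unwinding variant returns cleanly with no outstanding allocation for every fail_at.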