Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a30d538c authored by Hans Verkuil's avatar Hans Verkuil Committed by Greg Kroah-Hartman
Browse files

media: gscpa/stv06xx: fix memory leak 



[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]

For two of the supported sensors the stv06xx driver allocates memory which
is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
the probe() fails, then it isn't freed and so this leaks memory.

Add a new probe_error() op that drivers can use to free any allocated
memory in case there was a probe failure.

Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
of the memory leak.

Reported-and-tested-by: default avatar <syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com>

Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 821b08da

drivers/media/usb/gspca/gspca.c

+2 −0
Original line number Diff line number Diff line
@@ -1586,6 +1586,8 @@ int gspca_dev_probe2(struct usb_interface *intf, 
#endif

	v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);

	v4l2_device_unregister(&gspca_dev->v4l2_dev);

	if (sd_desc->probe_error)

		sd_desc->probe_error(gspca_dev);

	kfree(gspca_dev->usb_buf);

	kfree(gspca_dev);

	return ret;

drivers/media/usb/gspca/gspca.h

+1 −0
Original line number Diff line number Diff line
@@ -105,6 +105,7 @@ struct sd_desc { 
	cam_cf_op config;	/* called on probe */

	cam_op init;		/* called on probe and resume */

	cam_op init_controls;	/* called on probe */

	cam_v_op probe_error;	/* called if probe failed, do cleanup here */

	cam_op start;		/* called on stream on after URBs creation */

	cam_pkt_op pkt_scan;

/* optional operations */

drivers/media/usb/gspca/stv06xx/stv06xx.c

+9 −0
Original line number Diff line number Diff line
@@ -538,12 +538,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev, 
static int stv06xx_config(struct gspca_dev *gspca_dev,

			  const struct usb_device_id *id);



static void stv06xx_probe_error(struct gspca_dev *gspca_dev)

{

	struct sd *sd = (struct sd *)gspca_dev;



	kfree(sd->sensor_priv);

	sd->sensor_priv = NULL;

}



/* sub-driver description */

static const struct sd_desc sd_desc = {

	.name = MODULE_NAME,

	.config = stv06xx_config,

	.init = stv06xx_init,

	.init_controls = stv06xx_init_controls,

	.probe_error = stv06xx_probe_error,

	.start = stv06xx_start,

	.stopN = stv06xx_stopN,

	.pkt_scan = stv06xx_pkt_scan,