On Wed, Jan 20, 2021 at 11:20:56AM +0100, Takashi Iwai wrote: > dvb_usb_device_init() allocates a dvb_usb_device object, but it > doesn't release it even when returning an error. The callers don't > seem caring it as well, hence those memories are leaked. > > This patch assures releasing the memory at the error path in > dvb_usb_device_init(). Also it makes sure that USB intfdata is reset > and don't return the bogus pointer to the caller at the error path, > too. > > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> > --- > drivers/media/usb/dvb-usb/dvb-usb-init.c | 18 ++++++++++++------ > 1 file changed, 12 insertions(+), 6 deletions(-) > > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c > index c1a7634e27b4..5befec87f26a 100644 > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c > @@ -281,15 +281,21 @@ int dvb_usb_device_init(struct usb_interface *intf, > > usb_set_intfdata(intf, d); > > - if (du != NULL) > + ret = dvb_usb_init(d, adapter_nums); dvb_usb_init() has different error paths. 1. It can return -ENOMEM if it cannot kzalloc(). No other side effects. 2. It can return an error if dvb_usb_i2c_init() or dvb_usb_adapter_init() fails. In this case, dvb_usb_exit() is called, which frees struct dvb_usb_device* In the last case we now have a double free. Sean > + if (ret) { > + info("%s error while loading driver (%d)", desc->name, ret); > + goto error; > + } > + > + if (du) > *du = d; > > - ret = dvb_usb_init(d, adapter_nums); > + info("%s successfully initialized and connected.", desc->name); > + return 0; > > - if (ret == 0) > - info("%s successfully initialized and connected.", desc->name); > - else > - info("%s error while loading driver (%d)", desc->name, ret); > + error: > + usb_set_intfdata(intf, NULL); > + kfree(d); > return ret; > } > EXPORT_SYMBOL(dvb_usb_device_init); > -- > 2.26.2
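Review bot: At the new `error:` label, `kfree(d)` runs for every non-zero return from `dvb_usb_init(d, adapter_nums)`, so it is only safe if `dvb_usb_init()` never frees `d` itself on failure. The reply above says the failure path through `dvb_usb_i2c_init()` or `dvb_usb_adapter_init()` calls `dvb_usb_exit()`, which already frees the `struct dvb_usb_device`; on that path this hunk frees it a second time. Give `d` a single owner on failure: either have `dvb_usb_init()` undo its own sub-initialisation without freeing `d` and keep the `kfree(d)` here, or free here only for returns where `dvb_usb_init()` has not released it. Assigning `*du = d` only after the success check and clearing the interface data with `usb_set_intfdata(intf, NULL)` should stay as they are, and the changelog should say which function owns `d` on each error path.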