On Sun, 31 Jan 2021 15:53:20 +0100, Sean Young wrote:
>
> On Wed, Jan 20, 2021 at 11:20:56AM +0100, Takashi Iwai wrote:
> > dvb_usb_device_init() allocates a dvb_usb_device object, but it
> > doesn't release it even when returning an error. The callers don't
> > seem to care about it either, hence that memory is leaked.
> >
> > This patch ensures the memory is released at the error path in
> > dvb_usb_device_init(). Also it makes sure that USB intfdata is reset
> > and doesn't return the bogus pointer to the caller at the error path,
> > too.
> >
> > Cc: <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
> > ---
> > drivers/media/usb/dvb-usb/dvb-usb-init.c | 18 ++++++++++++------
> > 1 file changed, 12 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > index c1a7634e27b4..5befec87f26a 100644
> > --- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > +++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
> > @@ -281,15 +281,21 @@ int dvb_usb_device_init(struct usb_interface *intf,
> >
> > usb_set_intfdata(intf, d);
> >
> > - if (du != NULL)
> > + ret = dvb_usb_init(d, adapter_nums);
>
> dvb_usb_init() has different error paths.
>
> 1. It can return -ENOMEM if it cannot kzalloc(). No other side effects.
> 2. It can return an error if dvb_usb_i2c_init() or dvb_usb_adapter_init()
>    fails. In this case, dvb_usb_exit() is called, which frees
>    struct dvb_usb_device*
>
> In the last case we now have a double free.

A good catch, indeed the function has inconsistent behavior.
I'll update the patch and resubmit to address it.

thanks,

Takashi
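
Review bot: The error handling that follows `+ ret = dvb_usb_init(d, adapter_nums);` cannot safely release d for every non-zero ret, because the two failure modes of dvb_usb_init() leave d in different states: per the reply, the -ENOMEM return has no side effects, while a dvb_usb_i2c_init() or dvb_usb_adapter_init() failure has already gone through dvb_usb_exit(), which frees the struct dvb_usb_device, so a second release in dvb_usb_device_init() is a double free. Give d a single owner on failure: either dvb_usb_init() leaves d allocated on every error return and the error path in dvb_usb_device_init() performs the only free, or dvb_usb_init() frees it on every error return and the caller never does. Since `usb_set_intfdata(intf, d);` runs before the call, whichever side frees d also has to make sure intfdata is cleared, so that it never points at released memory.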