Re: saa7164 Driver Memory Leakage, Would like to write the fix myself

Hans Verkuil <hverkuil@xxxxxxxxx> · Wed, 10 Mar 2021 12:59:42 +0100

Hi Daniel,

On 10/03/2021 12:40, דניאל ניב wrote:
> Hello all,
> after looking on the linux kernel source code(version 5.11.15) of the saa7164 driver, it seems like I found a memory leak.
> I couldn't find a specific person that maintains the saa7164 driver in the kernel maintainers file, so I hope you can help me or forward me
> to the right person.
> 
> The leak is located at /drivers/media/pci/saa7164/saa7164-encoder.c file, in the next function:
> int saa7164_encoder_register(struct saa7164_port *port)
> 
> The bug is actually allocation of memory in the kernel heap, without explicitly freeing it.
> 
> The memory allocation is happening here
> (https://github.com/torvalds/linux/blob/v5.8/drivers/media/pci/saa7164/saa7164-vbi.c#L720
> <https://github.com/torvalds/linux/blob/v5.8/drivers/media/pci/saa7164/saa7164-vbi.c#L720>):
> /* Allocate and register the video device node */
> port->v4l_device = saa7164_vbi_alloc(port,dev->pci, &saa7164_vbi_template, "vbi"); 
> 
> and if we look deeper in the function saa7164_vbi_alloc(...), we can see it eventually uses kzalloc() in order to allocate the memory.
> Looking again at saa7164_encoder_register(...) function, we can see the next code block
> (https://github.com/torvalds/linux/blob/v5.8/drivers/media/pci/saa7164/saa7164-vbi.c#L734
> <https://github.com/torvalds/linux/blob/v5.8/drivers/media/pci/saa7164/saa7164-vbi.c#L734>):
> if (result < 0) {
> 	printk(KERN_INFO "%s: can't register vbi device\n",
> 	dev->name);
> 	/* TODO: We're going to leak here if we don't dealloc
> 	The buffers above. The unreg function can't deal wit it.
> 	*/
> 	goto failed;
> 	}
> 
> ````````failed:
> 	return result;
> 	
> 
> that actually exists from the function without freeing the memory it allocated earlier.
> This flow seems to happen when we can't register a vbi device.
> It seems like we can trigger this flow. 
> 
> I would like to add some code that will free the allocated memory and fix the bug,
> but I want to ask first if there is a point in doing that? will it be merged into the driver code?

Sure, we accept patches for fixes like that. Just post the patch to the linux-media mailinglist.

Make sure that you do post ascii only emails to the mailinglist, HTML emails (like the one
you sent) will be silently dropped.

This should be helpful:

https://www.kernel.org/doc/html/latest/process/submitting-patches.html

Regards,

	Hans

> 
> Thanks in advance,
> Danie Niv.
> 