On Mon, Nov 1, 2021 at 3:50 PM Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
>
> On 11/1/21 06:02, Dongliang Mu wrote:
> > Hi all,
> >
> > My local syzkaller instance found one bug named "memory leak in
> > em28xx_init_dev" in 5.14-rc5. Kernel configuration and PoC file are
> > attached (I don't check if the latest kernel is vulnerable, but it
> > should be). The trace from memleak is as follows:
> >
> > backtrace:
> > [<ffffffff842cc66d>] kmalloc include/linux/slab.h:591 [inline]
> > [<ffffffff842cc66d>] kzalloc include/linux/slab.h:721 [inline]
> > [<ffffffff842cc66d>] em28xx_media_device_init
> > drivers/media/usb/em28xx/em28xx-cards.c:3444 [inline]
> > [<ffffffff842cc66d>] em28xx_init_dev.isra.0+0x366/0x9bf
> > drivers/media/usb/em28xx/em28xx-cards.c:3624
> > [<ffffffff842cd1bd>] em28xx_usb_probe.cold+0x4f7/0xf95
> > drivers/media/usb/em28xx/em28xx-cards.c:3979
> > [<ffffffff82bf0815>] usb_probe_interface+0x185/0x350
> > drivers/usb/core/driver.c:396
> >
>
> Looks like missing clean up on error handling path.
>
> ->probe()
> em28xx_init_dev()
> em28xx_media_device_init() <- dev->media_dev allocated
> *error somewhere in em28xx_init_dev()*
>

Hi Pavel, you're right. In some error handling code (em28xx_audio_setup fails), em28xx_init_dev fails to deallocate the media_dev field.

> And then nothing unwinds em28xx_media_device_init() call, since
> disconnect won't be called in case of failure in ->probe()
>
>
> Just build tested, but, I guess, something like this should work.
>
>
>
> With regards,
> Pavel Skripkin
>
>
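The failure mode discussed in this thread (a sub-object allocated early in an init routine that nothing releases when a later step fails, because the driver's disconnect path only runs after a successful probe) is shown below as an added, constructed C model. It is not em28xx code and not the patch Pavel refers to; dev_ctx, media_dev_alloc, media_dev_release, audio_setup and the live_allocs counter are placeholder names standing in for the real driver's media-device allocation and audio setup. The leaky variant returns straight out on failure; the fixed variant uses the kernel's usual goto-based unwind so everything acquired before the failing step is released.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder for the media controller object the init routine allocates. */
struct media_dev {
    int placeholder;
};

/* Placeholder device context; media_dev is owned by this structure. */
struct dev_ctx {
    struct media_dev *media_dev;   /* set by media_dev_alloc() */
    int audio_ready;
};

/* Counts outstanding allocations so a test can observe a leak without a
 * leak detector such as kmemleak. Constructed for this example. */
static int live_allocs;

static int media_dev_alloc(struct dev_ctx *dev)
{
    dev->media_dev = calloc(1, sizeof(*dev->media_dev));
    if (!dev->media_dev)
        return -ENOMEM;
    live_allocs++;
    return 0;
}

static void media_dev_release(struct dev_ctx *dev)
{
    if (!dev->media_dev)
        return;
    free(dev->media_dev);
    dev->media_dev = NULL;
    live_allocs--;
}

/* Simulated later init step; audio_fails selects the error path. */
static int audio_setup(struct dev_ctx *dev, int audio_fails)
{
    if (audio_fails)
        return -EIO;
    dev->audio_ready = 1;
    return 0;
}

/* Leaky shape: an early return leaves media_dev allocated, and since
 * disconnect is never called for a failed probe, nothing else frees it. */
int init_dev_leaky(struct dev_ctx *dev, int audio_fails)
{
    int ret = media_dev_alloc(dev);
    if (ret)
        return ret;
    ret = audio_setup(dev, audio_fails);
    if (ret)
        return ret;          /* media_dev leaks here */
    return 0;
}

/* Fixed shape: every failure after media_dev_alloc() jumps to a label
 * that undoes the allocation before propagating the error. */
int init_dev_fixed(struct dev_ctx *dev, int audio_fails)
{
    int ret = media_dev_alloc(dev);
    if (ret)
        return ret;
    ret = audio_setup(dev, audio_fails);
    if (ret)
        goto err_media;
    return 0;

err_media:
    media_dev_release(dev);
    return ret;
}

/* Drives one probe-like scenario: on success the disconnect path runs and
 * releases media_dev; on failure it does not, mirroring the USB core.
 * Returns the number of allocations still live, so 0 means no leak. */
int live_after(int (*init)(struct dev_ctx *, int), int audio_fails)
{
    struct dev_ctx dev;
    int ret;

    memset(&dev, 0, sizeof(dev));
    live_allocs = 0;
    ret = init(&dev, audio_fails);
    if (ret == 0)
        media_dev_release(&dev);   /* disconnect only runs after a good probe */
    return live_allocs;
}
```

live_after(init_dev_leaky, 1) returns 1, which is exactly the "allocated in init, never unwound" leak kmemleak reported; live_after(init_dev_fixed, 1) returns 0. Both variants are clean when audio setup succeeds, which is why this class of bug typically only shows up under fault injection or fuzzing of the error paths.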