Hi Ricardo,
Thank you for the patch.
On Fri, Oct 08, 2021 at 02:09:14PM +0200, Ricardo Ribalda wrote:
> If the mapping fails, the name field is not freed on exit.
> Take the same approach as with the menu_info and have two different
> allocations with two different life cycles.
>
> Fixes: 07adedb5c606 ("media: uvcvideo: Use control names from framework")
> Signed-off-by: Ricardo Ribalda <ribalda@xxxxxxxxxxxx>
> ---
> To be applied after [PATCH][next] media: uvcvideo: Fix memory leak of object map on error exit path
>
> Changelog v2: use kstrdup functions
>
> drivers/media/usb/uvc/uvc_ctrl.c | 10 ++++++++++
> drivers/media/usb/uvc/uvc_v4l2.c | 12 +++++++-----
> 2 files changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 30bfe9069a1f..6bd7c30dfb75 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -2188,11 +2188,21 @@ static int __uvc_ctrl_add_mapping(struct uvc_video_chain *chain,
> if (map == NULL)
> return -ENOMEM;
>
> + /* For UVCIOC_CTRL_MAP custom controls */
> + if (mapping->name) {
> + map->name = kstrdup(mapping->name, GFP_KERNEL);
> + if (!map->name) {
> + kfree(map);
> + return -ENOMEM;
> + }
> + }
> +
> INIT_LIST_HEAD(&map->ev_subs);
>
> size = sizeof(*mapping->menu_info) * mapping->menu_count;
> map->menu_info = kmemdup(mapping->menu_info, size, GFP_KERNEL);
> if (map->menu_info == NULL) {
> + kfree(map->name);
> kfree(map);
> return -ENOMEM;
> }
Looks good to me.
> diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
> index 711556d13d03..43bd8809241c 100644
> --- a/drivers/media/usb/uvc/uvc_v4l2.c
> +++ b/drivers/media/usb/uvc/uvc_v4l2.c
> @@ -42,8 +42,8 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
> map->id = xmap->id;
> /* Non standard control id. */
> if (v4l2_ctrl_get_name(map->id) == NULL) {
> - map->name = kmemdup(xmap->name, sizeof(xmap->name),
> - GFP_KERNEL);
> + map->name = kstrndup(xmap->name, sizeof(xmap->name),
> + GFP_KERNEL);
> if (!map->name) {
> ret = -ENOMEM;
> goto free_map;
But do we actually have to duplicate the name here, can't we set
map->name = xmap->name;
? We probably want to also set
xmap->name[sizeof(xmap->name) - 1] = '\0';
> @@ -69,14 +69,14 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
> if (xmap->menu_count == 0 ||
> xmap->menu_count > UVC_MAX_CONTROL_MENU_ENTRIES) {
> ret = -EINVAL;
> - goto free_map;
> + goto free_map_name;
> }
>
> size = xmap->menu_count * sizeof(*map->menu_info);
> map->menu_info = memdup_user(xmap->menu_info, size);
> if (IS_ERR(map->menu_info)) {
> ret = PTR_ERR(map->menu_info);
> - goto free_map;
> + goto free_map_name;
> }
>
> map->menu_count = xmap->menu_count;
> @@ -86,12 +86,14 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
> uvc_dbg(chain->dev, CONTROL,
> "Unsupported V4L2 control type %u\n", xmap->v4l2_type);
> ret = -ENOTTY;
> - goto free_map;
> + goto free_map_name;
> }
>
> ret = uvc_ctrl_add_mapping(chain, map);
>
> kfree(map->menu_info);
> +free_map_name:
> + kfree(map->name);
> free_map:
> kfree(map);
>
> --
> 2.33.0.882.g93a45727a2-goog
>
--
Regards,
Laurent Pinchart
