Patch "media: dvb-usb: fix memory leak in dvb_usb_adapter_init()" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Dec 2022 11:50:16 -0500

This is a note to let you know that I've just added the patch titled

    media: dvb-usb: fix memory leak in dvb_usb_adapter_init()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e45baf60f528a9b68bf0608191779a86105c379a
Author: Mazin Al Haddad <mazinalhaddad05@xxxxxxxxx>
Date:   Wed Aug 24 02:21:52 2022 +0100

    media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
    
    [ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ]
    
    Syzbot reports a memory leak in "dvb_usb_adapter_init()".
    The leak is due to not accounting for and freeing current iteration's
    adapter->priv in case of an error. Currently if an error occurs,
    it will exit before incrementing "num_adapters_initalized",
    which is used as a reference counter to free all adap->priv
    in "dvb_usb_adapter_exit()". There are multiple error paths that
    can exit from before incrementing the counter. Including the
    error handling paths for "dvb_usb_adapter_stream_init()",
    "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()"
    within "dvb_usb_adapter_init()".
    
    This means that in case of an error in any of these functions the
    current iteration is not accounted for and the current iteration's
    adap->priv is not freed.
    
    Fix this by freeing the current iteration's adap->priv in the
    "stream_init_err:" label in the error path. The rest of the
    (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()
    as expected using the num_adapters_initalized variable.
    
    Syzbot report:
    
    BUG: memory leak
    unreferenced object 0xffff8881172f1a00 (size 512):
      comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    backtrace:
        [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
        [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
        [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
        [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
        [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
        [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
        [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
        [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
        [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
        [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
        [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
        [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
        [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
        [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
        [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
        [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
        [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
        [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
        [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
        [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
        [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
        [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
    
    Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be
    Reported-and-tested-by: syzbot+f66dd31987e6740657be@xxxxxxxxxxxxxxxxxxxxxxxxx
    
    Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@xxxxxxxxx
    Signed-off-by: Mazin Al Haddad <mazinalhaddad05@xxxxxxxxx>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 4b1445d806e5..16be32b19ca1 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -84,7 +84,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
 
 		ret = dvb_usb_adapter_stream_init(adap);
 		if (ret)
-			return ret;
+			goto stream_init_err;
 
 		ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
 		if (ret)
@@ -117,6 +117,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
 	dvb_usb_adapter_dvb_exit(adap);
 dvb_init_err:
 	dvb_usb_adapter_stream_exit(adap);
+stream_init_err:
+	kfree(adap->priv);
 	return ret;
 }
 






