From: Pavel Skripkin <paskripkin@xxxxxxxxx> [ Upstream commit 47d94dad8e64b2fc1d8f66ce7acf714f9462c60f ] In commit 137641287eb4 ("go7007: add sanity checking for endpoints") endpoint sanity check was introduced, but if check fails it simply returns with leaked pointers. Cutted log from my local syzbot instance: BUG: memory leak unreferenced object 0xffff8880209f0000 (size 8192): comm "kworker/0:4", pid 4916, jiffies 4295263583 (age 29.310s) hex dump (first 32 bytes): 30 b0 27 22 80 88 ff ff 75 73 62 2d 64 75 6d 6d 0.'"....usb-dumm 79 5f 68 63 64 2e 33 2d 31 00 00 00 00 00 00 00 y_hcd.3-1....... backtrace: [<ffffffff860ca856>] kmalloc include/linux/slab.h:556 [inline] [<ffffffff860ca856>] kzalloc include/linux/slab.h:686 [inline] [<ffffffff860ca856>] go7007_alloc+0x46/0xb40 drivers/media/usb/go7007/go7007-driver.c:696 [<ffffffff860de74e>] go7007_usb_probe+0x13e/0x2200 drivers/media/usb/go7007/go7007-usb.c:1114 [<ffffffff854a5f74>] usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 [<ffffffff845a7151>] really_probe+0x291/0xf60 drivers/base/dd.c:576 BUG: memory leak unreferenced object 0xffff88801e2f2800 (size 512): comm "kworker/0:4", pid 4916, jiffies 4295263583 (age 29.310s) hex dump (first 32 bytes): 00 87 40 8a ff ff ff ff 00 00 00 00 00 00 00 00 ..@............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff860de794>] kmalloc include/linux/slab.h:556 [inline] [<ffffffff860de794>] kzalloc include/linux/slab.h:686 [inline] [<ffffffff860de794>] go7007_usb_probe+0x184/0x2200 drivers/media/usb/go7007/go7007-usb.c:1118 [<ffffffff854a5f74>] usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396 [<ffffffff845a7151>] really_probe+0x291/0xf60 drivers/base/dd.c:576 Fixes: 137641287eb4 ("go7007: add sanity checking for endpoints") Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- drivers/media/usb/go7007/go7007-usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c index dbf0455d5d50..eeb85981e02b 100644 --- a/drivers/media/usb/go7007/go7007-usb.c +++ b/drivers/media/usb/go7007/go7007-usb.c @@ -1134,7 +1134,7 @@ static int go7007_usb_probe(struct usb_interface *intf, ep = usb->usbdev->ep_in[4]; if (!ep) - return -ENODEV; + goto allocfail; /* Allocate the URB and buffer for receiving incoming interrupts */ usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL); -- 2.30.2