lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20190827092706.29494-1-yaohongbo@huawei.com>
Date:   Tue, 27 Aug 2019 17:27:06 +0800
From:   Hongbo Yao <yaohongbo@...wei.com>
To:     <yaohongbo@...wei.com>, <mchehab@...nel.org>
CC:     <linuxarm@...wei.com>, <linux-kernel@...r.kernel.org>
Subject: [PATCH] media: v4l2-mem2mem: fix potential memory leak in  v4l2_m2m_register_media_controller

When I ran Syzkaller testsuite, I got this warning:

=====================================================================
SI: 0000000020000580 RDI: 0000000000000003
BUG: memory leak
unreferenced object 0xffff8881d6b0a270 (size 8):
  comm "syz-executor.0", pid 4859, jiffies 4296016954 (age 22.524s)
  hex dump (first 8 bytes):
    00 00 00 00 00 00 00 00                          ........
  backtrace:
    [<0000000052b54061>] __media_entity_enum_init+0x40/0xb0 [mc]
    [<000000005c05c865>] media_device_register_entity+0x294/0x3a0 [mc]
    [<0000000070832883>] v4l2_m2m_register_entity+0x161/0x220
[v4l2_mem2mem]
    [<000000004952637a>] v4l2_m2m_register_media_controller+0x72/0x2d0
[v4l2_mem2mem]
    [<0000000047350ea2>] 0xffffffffc17c2c1a
    [<000000006c6d5c0a>] platform_drv_probe+0x7e/0x100
drivers/base/platform.c:616
    [<00000000f51bf5fc>] really_probe+0x342/0x4d0 drivers/base/dd.c:548
    [<000000006960ad55>] driver_probe_device+0x8c/0x170
drivers/base/dd.c:709
    [<000000005d3c0ee4>] device_driver_attach+0x99/0xa0
drivers/base/dd.c:983
    [<000000007516b430>] __driver_attach+0xc9/0x150
drivers/base/dd.c:1060
    [<00000000c3109efd>] bus_for_each_dev+0x115/0x180
drivers/base/bus.c:304
    [<00000000d6a6574c>] bus_add_driver+0x29e/0x340
drivers/base/bus.c:645
    [<000000002e9ed7c1>] driver_register+0xf7/0x210
drivers/base/driver.c:170
    [<00000000090ecd16>] 0xffffffffc17d0030
    [<0000000020dfefad>] do_one_initcall+0xd4/0x454 init/main.c:939
    [<00000000e7a758cd>] do_init_module+0xe0/0x330 kernel/module.c:3468

=====================================================================

When the first entity was created failed, m2m_dev->source->name will
never has chance to release.

Signed-off-by: Hongbo Yao <yaohongbo@...wei.com>
---
 drivers/media/v4l2-core/v4l2-mem2mem.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-mem2mem.c b/drivers/media/v4l2-core/v4l2-mem2mem.c
index 4f5176702937..c178aaf04b0f 100644
--- a/drivers/media/v4l2-core/v4l2-mem2mem.c
+++ b/drivers/media/v4l2-core/v4l2-mem2mem.c
@@ -791,7 +791,7 @@ int v4l2_m2m_register_media_controller(struct v4l2_m2m_dev *m2m_dev,
 	ret = v4l2_m2m_register_entity(mdev, m2m_dev,
 			MEM2MEM_ENT_TYPE_SOURCE, vdev, MEDIA_ENT_F_IO_V4L);
 	if (ret)
-		return ret;
+		goto err_rel_name;
 	ret = v4l2_m2m_register_entity(mdev, m2m_dev,
 			MEM2MEM_ENT_TYPE_PROC, vdev, function);
 	if (ret)
@@ -850,12 +850,13 @@ int v4l2_m2m_register_media_controller(struct v4l2_m2m_dev *m2m_dev,
 	media_entity_remove_links(m2m_dev->source);
 err_rel_entity2:
 	media_device_unregister_entity(&m2m_dev->proc);
-	kfree(m2m_dev->proc.name);
 err_rel_entity1:
 	media_device_unregister_entity(&m2m_dev->sink);
-	kfree(m2m_dev->sink.name);
+	kfree(m2m_dev->proc.name);
 err_rel_entity0:
 	media_device_unregister_entity(m2m_dev->source);
+	kfree(m2m_dev->sink.name);
+err_rel_name:
 	kfree(m2m_dev->source->name);
 	return ret;
 	return 0;
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ