Date:   Wed, 20 Oct 2021 19:58:24 +0800
From:   Wang Hai <wanghai38@...wei.com>
To:     <mchehab@...nel.org>, <gshark.jeong@...il.com>
CC:     <linux-media@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH] media: i2c: lm3560: Fix possible memory leak in lm3560_probe()

In the error handling path of lm3560_probe(), the ctrl handler allocated by
lm3560_subdev_init() is not released, which causes a memory leak as
follows:

unreferenced object 0xffff888257dbac10 (size 16):
  comm "35", pid 6061, jiffies 4299029793 (age 201.830s)
  hex dump (first 16 bytes):
    40 06 ff 0c 81 88 ff ff 40 24 ff 0c 81 88 ff ff  @.......@.......
  backtrace:
    [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
    [<ffffffff8167e3eb>] __kmalloc_node+0x16b/0x3a0
    [<ffffffff815a27df>] kvmalloc_node+0x4f/0xf0
    [<ffffffff832807a9>] v4l2_ctrl_handler_init_class+0xf9/0x160
    [<ffffffffa01f8180>] lm3560_subdev_init+0x120/0x340 [lm3560]
    [<ffffffffa01f882c>] lm3560_probe+0x17c/0x370 [lm3560]
    [<ffffffff8321d463>] i2c_device_probe+0x5d3/0x600
    [<ffffffff82b59630>] really_probe+0x190/0x480
    [<ffffffff82b59a19>] __driver_probe_device+0xf9/0x180
    [<ffffffff82b59af3>] driver_probe_device+0x53/0x130
    [<ffffffff82b5a075>] __device_attach_driver+0x105/0x130
    [<ffffffff82b55949>] bus_for_each_drv+0x129/0x190
    [<ffffffff82b593c9>] __device_attach+0x1c9/0x270
    [<ffffffff82b5a250>] device_initial_probe+0x20/0x30
    [<ffffffff82b579c2>] bus_probe_device+0x142/0x160
    [<ffffffff82b52e49>] device_add+0x829/0x1300
unreferenced object 0xffff888255118100 (size 256):

Fix the error handling path to avoid memory leak.

Fixes: 7f6b11a18c30 ("[media] media: i2c: add driver for dual LED Flash, lm3560")
Reported-by: Hulk Robot <hulkci@...wei.com>
Signed-off-by: Wang Hai <wanghai38@...wei.com>
---
 drivers/media/i2c/lm3560.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/lm3560.c b/drivers/media/i2c/lm3560.c
index 9e34ccce4fc3..8bd60b14b867 100644
--- a/drivers/media/i2c/lm3560.c
+++ b/drivers/media/i2c/lm3560.c
@@ -432,15 +432,22 @@ static int lm3560_probe(struct i2c_client *client,
 
 	rval = lm3560_subdev_init(flash, LM3560_LED1, "lm3560-led1");
 	if (rval < 0)
-		return rval;
+		goto err_subdev_init_led1;
 
 	rval = lm3560_init_device(flash);
 	if (rval < 0)
-		return rval;
+		goto err_init_device;
 
 	i2c_set_clientdata(client, flash);
 
 	return 0;
+
+err_init_device:
+	v4l2_ctrl_handler_free(&flash->ctrls_led[LM3560_LED1]);
+err_subdev_init_led1:
+	v4l2_ctrl_handler_free(&flash->ctrls_led[LM3560_LED0]);
+
+	return rval;
 }
 
 static int lm3560_remove(struct i2c_client *client)
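Review bot: At the err_subdev_init_led1 label only ctrls_led[LM3560_LED0] is freed, so a failure of lm3560_subdev_init(flash, LM3560_LED1, "lm3560-led1") that happens after that call has set up its own handler leaves the LED1 handler released only if lm3560_subdev_init() cleans up after itself. The kmemleak backtrace in the commit message shows the allocation coming from v4l2_ctrl_handler_init_class inside lm3560_subdev_init, but that function's error path is not part of this diff. Please confirm that it frees its handler on every failure return and say so in the commit message, or move that cleanup into lm3560_subdev_init() so each probe label only has to undo fully completed steps. As a style point, labels named for what they undo rather than for the step that failed would make the unwind order easier to check when more steps are added.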
-- 
2.25.1
