2021-03-22 14:57:17

by Muhammad Usama Anjum

Subject: [PATCH] media: em28xx: fix memory leak

If some error occurs, URB buffers should also be freed. If they aren't
freed with the dvb here, the em28xx_dvb_fini call doesn't free the URB
buffers as dvb is set to NULL. The function in which the error occurs should
do all the cleanup for the allocations it had done.

Tested the patch with the reproducer provided by syzbot. This patch
fixes the memleak.

Reported-by: [email protected]
Signed-off-by: Muhammad Usama Anjum <[email protected]>
---
drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
index 526424279637..471bd74667e3 100644
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -2010,6 +2010,7 @@ static int em28xx_dvb_init(struct em28xx *dev)
return result;

out_free:
+ em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
kfree(dvb);
dev->dvb = NULL;
goto ret;
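Review bot: out_free is a shared cleanup label, so the added em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE) call will now run for every error path that jumps to it, including any that bail out before the digital-mode USB transfer buffers were allocated; please confirm in the changelog that em28xx_uninit_usb_xfer is safe to call in that never-initialised state, or guard the call so the leak fix cannot become a cleanup of buffers that were never set up. The changelog would also benefit from a Fixes: tag next to Reported-by: so the fix is picked up by stable, and from the syzbot dashboard link, since the description relies on that reproducer for testing.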
--
2.25.1


2021-03-22 15:17:47

by Muhammad Usama Anjum

Subject: Re: [PATCH] media: em28xx: fix memory leak

On Mon, 2021-03-22 at 19:54 +0500, Muhammad Usama Anjum wrote:
> If some error occurs, URB buffers should also be freed. If they aren't
> freed with the dvb here, the em28xx_dvb_fini call doesn't free the URB
> buffers as dvb is set to NULL. The function in which the error occurs should
> do all the cleanup for the allocations it had done.
>
> Tested the patch with the reproducer provided by syzbot. This patch
> fixes the memleak.
>
> Reported-by: [email protected]
> Signed-off-by: Muhammad Usama Anjum <[email protected]>
> ---
> drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
> index 526424279637..471bd74667e3 100644
> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
> @@ -2010,6 +2010,7 @@ static int em28xx_dvb_init(struct em28xx *dev)
> return result;
>
> out_free:
> + em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
> kfree(dvb);
> dev->dvb = NULL;
> goto ret;
I should have replied to the email originated by syzbot. Anyhow, here are some
details from that email:

syzbot found the following issue on:

HEAD commit: 1a4431a5 Merge tag 'afs-fixes-20210315' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11013a7cd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff6b8b2e9d5a1227
dashboard link: https://syzkaller.appspot.com/bug?extid=889397c820fa56adf25d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1559ae3ad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=176985c6d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

Thanks,
Usama