Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp77405pxf;
        Tue, 23 Mar 2021 22:47:30 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyPVbVur7RixAv3yJjXskX6aM0CN9fETHIm7R3EMWlfcgapwnIX0WRUDTtatvpziC9js1B8
X-Received: by 2002:a05:6402:8c2:: with SMTP id d2mr1627108edz.4.1616564850442;
        Tue, 23 Mar 2021 22:47:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1616564850; cv=none;
        d=google.com; s=arc-20160816;
        b=IGITjUT8SQH41nL/L9NnyDEK1e+jjnc81kxLDhWGmLCHEI02YBoXewVXnmcgMhmgjU
         Zw2tvPmIDFeEr1tIS9SJ573dMCTMKc1B7p8KdtWwze3ABWlc0ALRZS6i0fTX2R5QtiEA
         uuONtcNJfuCPtLbN3SqCqNlZe/TcCt7Mw3CLVrNpBheSpzJ6Pdf6H8MZS6plpRXbuRcd
         XojKQHpGgcMo/Pfcm4doOMl1ui9Snap1oaPWcnN1pTUCHPSQcIKvdKYOJhCh+KBDfzaj
         Wr39fE5QYVlSx4wcoR9LXVDFU1am+04NdVie2BJeAvHT5wrZmUBHUZTK939AhkjP6FKd
         f4hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=FYBotwLM7ssZnKoBd8bvxIEO/yLcwJ3W1FFpaYrqaYI=;
        b=kNQq495gqvPzUSE979UPwTjTnj87ilTN6MQKiqWGZiHQ2ONPPEzvDAgm4fwKQ9yvDG
         EhpobEK4aRU6+U/s/MkSABhKu8Cya1P3DUx0GN/lycmFPiFa8dRT9nFna0kWGdORqeWg
         4u1ocr2nL1D9Mak5EJxeCMdC13XeLUBi5F9113Br1/ocR9ERe2AG/hawQOs0I5GgdDMi
         Ve0prpDxhmXZqMyC60gxY4iSjxHqYP2OeYdYPsKQL6G9vGZUAYHuq4ZXH6EEuiBM5zmV
         fH4XbwEGNGsli6k0Sl9d7emOqRIzWCkRrkLvmUeslCE6qFB8HeCl2TYGZh0QbwftK59T
         VlIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CH5Rd5oW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v23si1014537eja.176.2021.03.23.22.47.08;
        Tue, 23 Mar 2021 22:47:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CH5Rd5oW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233108AbhCWQO1 (ORCPT <rfc822;mafatlaija@gmail.com> + 99 others);
        Tue, 23 Mar 2021 12:14:27 -0400
Received: from mail.kernel.org ([198.145.29.99]:37310 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232975AbhCWQOB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Mar 2021 12:14:01 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 03D0D61581;
        Tue, 23 Mar 2021 16:13:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1616516041;
        bh=G7qWYnfuXmcc7Hx62LV75USvChYBgumrNgfmyjFgdPM=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=CH5Rd5oWudKfFmamH/1yNE1f86ekYLvZUftjWdyV5BwN4q+3wOsVokfMulM/g9u8g
         IehBwAK0BHymGc3qbI9DwCPXKSc4shJ3bmRcejfjU1atrLC+bnXWJ+kJz15qqwLwuI
         A4uFNWCIrn+qfUe//o6JyFnfb5uqI/qRbwFBIQUrXFnEO47yhOLYtPy3CashiF+WLY
         Nqgn7LHDT53vDD+cnQhgQ9Aty1dEWVyyQe21VwtpOcpp80Vf8qjsZkSQf2W2ZYtruM
         JpPd89JCTgMyH3Ft7+izvEkvB85xdDRHd63pdhoOASi9+zhpo9eXXYUZW69fl3HwEr
         kTA+ba81Jvxzg==
Date:   Tue, 23 Mar 2021 17:13:56 +0100
From:   Mauro Carvalho Chehab <mchehab@kernel.org>
To:     Pavel Skripkin <paskripkin@gmail.com>
Cc:     hverkuil@xs4all.nl, linux-media@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
Subject: Re: [PATCH] drivers/media/usb/gspca/stv06xx: fix memory leak
Message-ID: <20210323171356.4a613351@coco.lan>
In-Reply-To: <20210226233731.614553-1-paskripkin@gmail.com>
References: <20210226233731.614553-1-paskripkin@gmail.com>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Em Sat, 27 Feb 2021 02:37:31 +0300
Pavel Skripkin <paskripkin@gmail.com> escreveu:

> Syzbot reported memory leak in hdcs_probe_1x00()[1].
> hdcs_probe_1x00() allocates memory for struct hdcs, but if hdcs_init() fails in gspca_dev_probe2()
> this memory becomes leaked.
> 
> int gspca_dev_probe2(struct usb_interface *intf,
> 		const struct usb_device_id *id,
> 		const struct sd_desc *sd_desc,
> 		int dev_size,
> 		struct module *module)
> {
> ...
> 
> 	ret = sd_desc->config(gspca_dev, id);
> 	if (ret < 0)
> 		goto out;
> 	ret = sd_desc->init(gspca_dev);
> 	if (ret < 0)
> 		goto out;
> ...
> out:
> 	if (gspca_dev->input_dev)
> 		input_unregister_device(gspca_dev->input_dev);
> 	v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
> 	v4l2_device_unregister(&gspca_dev->v4l2_dev);
> 	kfree(gspca_dev->usb_buf);
> 	kfree(gspca_dev);
> 	return ret;
> }
> 
> Reported-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> Change-Id: Ia198671177ee346de61780813025110c7c491d7a
> ---
>  drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
> index 5a47dcbf1c8e..24df13b33a02 100644
> --- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
> +++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
> @@ -485,7 +485,7 @@ static int hdcs_init(struct sd *sd)
>  					   stv_bridge_init[i][1]);
>  	}
>  	if (err < 0)
> -		return err;
> +		goto error;
>  
>  	/* sensor soft reset */
>  	hdcs_reset(sd);
> @@ -496,12 +496,12 @@ static int hdcs_init(struct sd *sd)
>  					     stv_sensor_init[i][1]);
>  	}
>  	if (err < 0)
> -		return err;
> +		goto error;
>  
>  	/* Enable continuous frame capture, bit 2: stop when frame complete */
>  	err = stv06xx_write_sensor(sd, HDCS_REG_CONFIG(sd), BIT(3));
>  	if (err < 0)
> -		return err;
> +		goto error;
>  
>  	/* Set PGA sample duration
>  	(was 0x7E for the STV602, but caused slow framerate with HDCS-1020) */
> @@ -512,9 +512,13 @@ static int hdcs_init(struct sd *sd)
>  		err = stv06xx_write_sensor(sd, HDCS_TCTRL,
>  				(HDCS_ADC_START_SIG_DUR << 5) | hdcs->psmp);
>  	if (err < 0)
> -		return err;
> +		goto error;
>  
>  	return hdcs_set_size(sd, hdcs->array.width, hdcs->array.height);
> +
> +error:
> +	kfree(hdcs);
> +	return err;
>  }

This doesn't seem the right fix here, as it is not the _init function
that allocates it. Also, when the device is disconnected, a memory leak
will happen.

I suspect that the right fix would be to move this:

	hdcs = kmalloc(sizeof(struct hdcs), GFP_KERNEL);
	if (!hdcs)
		return -ENOMEM;

To the main driver (stv06xx.c) - probably replacing it by kzalloc(),
and then handle the free code both both sd_probe() and sd_disconnect().


Thanks,
Mauro