Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp1670002pxy; Fri, 23 Apr 2021 13:59:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz031zj9A8KYZEyWf7FRlLLny2stUEAnFdbB7T5opst2YfHVGUKUzC5JdbsZlVQMJGPEtr2 X-Received: by 2002:a17:907:1b20:: with SMTP id mp32mr6218624ejc.495.1619211595418; Fri, 23 Apr 2021 13:59:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619211595; cv=none; d=google.com; s=arc-20160816; b=B/XdgaqHNBzJQ3adX3R7lpt8Tt4O/E2wPa/lqBXIad+nUIx5bTfWQPlEkqQ9h+GRhA K5Djl47A+/PU51KjOcPSg/SAvLvU/uAN35ZqIvcGgnuvWxr27W/72XzNJPMx9ZKKzEIk w/IqHD1jPplb8nkjnp4w4GC+zNFE8X+gy3NIMW+rZDztGPjqMr0LmekXZJZNHlXArdb/ WhsVzodH29cDqUmPocI2e3H8fkdv/XiqRr1avND04hL/qFcs2OJc7FTKrZ6VmRR2WhVY KariGR8dv7+jYk5cz9/fKU5hXshp8Je17IL7+7gAQsCjcGY1XK/m+hO6yc3Y5OSMyZs2 gL6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=JwpEMfsFJcI5faK7sa42v6n59XW+1jdGvUyeeBhOqjo=; b=LMS2HQ4wXCCS033y1JTHDreq7ul0otmrBZ47ubNUt/BsFZ2zdBlXXUxi4afmJ9xQWh wkkpCgKv2ylmuFalX6ZcUBeOmaFlgbExAw5DYyCB3dBMBMIAE50GvDSZoKUybiEKnC7D 2QsETEJFTwWo8v035f4OyuDDIoSF4FGUnhofM4KLQftcH06Wqim528aCtSVCHD25fsiG /aXhW6oaYbDqHuyks1HZ1hk1LuawebUtAxKEY4ZNMlUsrzHF2a10AzCoMRz9Iwaw4DEK k1Kr0cn8mEzdjk332CRM9MTJTyNFBujoAMWq4VUla+HRe0ykdvCQq3cIhodgUxr9/lsr 3UHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b=DRV0si9b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l5si6710397ejq.495.2021.04.23.13.59.31; Fri, 23 Apr 2021 13:59:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b=DRV0si9b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244004AbhDWU5H (ORCPT + 99 others); Fri, 23 Apr 2021 16:57:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43272 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232523AbhDWU5F (ORCPT ); Fri, 23 Apr 2021 16:57:05 -0400 Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B867C061574 for ; Fri, 23 Apr 2021 13:56:28 -0700 (PDT) Received: by mail-io1-xd30.google.com with SMTP id q25so6662916iog.5 for ; Fri, 23 Apr 2021 13:56:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=JwpEMfsFJcI5faK7sa42v6n59XW+1jdGvUyeeBhOqjo=; b=DRV0si9bOzUTGGgpFw81OQNtdjhTfuUuEd36od41RbPd0935mr0YEfMgMVBeBXwrgh Vr0p82y6/uujl53uFleN8IzDiDtQDnhNdTEET3ubWalfMmFxNQA/htqAllppkgTm2v1i 1QSZj65QwbqgtwdqPu6RzY98fiEpTxH3VMbdU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=JwpEMfsFJcI5faK7sa42v6n59XW+1jdGvUyeeBhOqjo=; b=eSbvmYP0Hfyck21YwVpOvMHbeD0lhi8HLLzQEfMRacJIXNEoCHiWm9nKYaZXu/tyIR /mYhAK+i4NIPwkZXq+c2MK62cxeSf8aSpCX6ttP8EgIPqQUCdBmeD2+Oe2r9e6Q0hhdW quZgB7jTs7WeC1exzSucKFvQnz9qTeA+lqDRorWYFGmxp1u66uYwZoUZYCz5Rxp8alsG VdiOaxSIu16VfinOpn5RGFzZKrEXXcKiQVVWnbgrpmpIc7fX6Z3rJ7VUea76zAyMKFuP Ua4DIwNfWl9I2BYE86Lf225jJ8l3wbQTlzL7O8w/6vsbqqtTDhGBLEhvfG6yhhd3ZlR3 krHQ== X-Gm-Message-State: AOAM533BB4qEyuis46UiuZIJeYKX1f2HPczEITguwYMyTdYazeviJJiR jwpm0BzbTKKoPVbTVs4sn+zrLQ== X-Received: by 2002:a02:a69a:: with SMTP id j26mr5343989jam.5.1619211387969; Fri, 23 Apr 2021 13:56:27 -0700 (PDT) Received: from [192.168.1.112] (c-24-9-64-241.hsd1.co.comcast.net. [24.9.64.241]) by smtp.gmail.com with ESMTPSA id m8sm3056064ilc.13.2021.04.23.13.56.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 23 Apr 2021 13:56:27 -0700 (PDT) Subject: Re: [PATCH] media: gspca: stv06xx: Fix memleak in stv06xx subdrivers To: Pavel Skripkin , hverkuil-cisco@xs4all.nl Cc: Atul Gopinathan , syzbot+990626a4ef6f043ed4cd@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, mchehab@kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, linux-media@vger.kernel.org, Shuah Khan References: <20210422160742.7166-1-atulgopinathan@gmail.com> <20210422215511.01489adb@gmail.com> <36f126fc-6a5e-a078-4cf0-c73d6795a111@linuxfoundation.org> <20210423234458.3f754de2@gmail.com> From: Shuah Khan Message-ID: <4c22cfa5-5702-6181-0f9a-d1d8d4041156@linuxfoundation.org> Date: Fri, 23 Apr 2021 14:56:26 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 MIME-Version: 1.0 In-Reply-To: <20210423234458.3f754de2@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/23/21 2:44 PM, Pavel Skripkin wrote: > Hi! > > On Fri, 23 Apr 2021 14:19:15 -0600 > Shuah Khan wrote: >> On 4/22/21 12:55 PM, Pavel Skripkin wrote: >>> Hi! >>> >>> On Thu, 22 Apr 2021 21:37:42 +0530 >>> Atul Gopinathan wrote: >>>> During probing phase of a gspca driver in "gspca_dev_probe2()", the >>>> stv06xx subdrivers have certain sensor variants (namely, hdcs_1x00, >>>> hdcs_1020 and pb_0100) that allocate memory for their respective >>>> sensor which is passed to the "sd->sensor_priv" field. During the >>>> same probe routine, after "sensor_priv" allocation, there are >>>> chances of later functions invoked to fail which result in the >>>> probing routine to end immediately via "goto out" path. While >>>> doing so, the memory allocated earlier for the sensor isn't taken >>>> care of resulting in memory leak. >>>> >>>> Fix this by adding operations to the gspca, stv06xx and down to the >>>> sensor levels to free this allocated memory during gspca probe >>>> failure. >>>> >>>> - >>>> The current level of hierarchy looks something like this: >>>> >>>> gspca (main driver) represented by struct gspca_dev >>>> | >>>> ___________|_____________________________________ >>>> | | | | | | (subdrivers) >>>> | represented >>>> stv06xx by >>>> "struct sd" | >>>> _______________|_______________ >>>> | | | | | (sensors) >>>> | | >>>> hdcs_1x00/1020 pb01000 >>>> |_________________| >>>> | >>>> These three sensor variants >>>> allocate memory for >>>> "sd->sensor_priv" field. >>>> >>>> Here, "struct gspca_dev" is the representation used in the top >>>> level. In the sub-driver levels, "gspca_dev" pointer is cast to >>>> "struct sd*", something like this: >>>> >>>> struct sd *sd = (struct sd *)gspca_dev; >>>> >>>> This is possible because the first field of "struct sd" is >>>> "gspca_dev": >>>> >>>> struct sd { >>>> struct gspca_dev; >>>> . >>>> . >>>> } >>>> >>>> Therefore, to deallocate the "sd->sensor_priv" fields from >>>> "gspca_dev_probe2()" which is at the top level, the patch creates >>>> operations for the subdrivers and sensors to be invoked from the >>>> gspca driver levels. These operations essentially free the >>>> "sd->sensor_priv" which were allocated by the "config" and >>>> "init_controls" operations in the case of stv06xx sub-drivers and >>>> the sensor levels. >>>> >>>> This patch doesn't affect other sub-drivers or even sensors who >>>> never allocate memory to "sensor_priv". It has also been tested by >>>> syzbot and it returned an "OK" result. >>>> >>>> https://syzkaller.appspot.com/bug?id=ab69427f2911374e5f0b347d0d7795bfe384016c >>>> - >>>> >>>> Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New >>>> subdriver.") Cc: stable@vger.kernel.org >>>> Suggested-by: Shuah Khan >>>> Reported-by: syzbot+990626a4ef6f043ed4cd@syzkaller.appspotmail.com >>>> Tested-by: syzbot+990626a4ef6f043ed4cd@syzkaller.appspotmail.com >>>> Signed-off-by: Atul Gopinathan >>> >>> AFAIK, something similar is already applied to linux-media tree >>> https://git.linuxtv.org/media_tree.git/commit/?id=4f4e6644cd876c844cdb3bea2dd7051787d5ae25 >>> >> >> Pavel, >> >> Does the above handle the other drivers hdcs_1x00/1020 and pb01000? >> >> Atul's patch handles those cases. If thoese code paths need to be >> fixes, Atul could do a patch on top of yours perhaps? >> >> thanks, >> -- Shuah >> >> > > It's not my patch. I've sent a patch sometime ago, but it was reject > by Mauro (we had a small discussion on linux-media mailing-list), then > Hans wrote the patch based on my leak discoverage. > Yes my bad. :) > I added Hans to CC, maybe, he will help :) > Will wait for Hans to take a look. thanks, -- Shuah