Commit 8c1a8877 authored by Zhipeng Lu, committed by Guo Mengqi

media: go7007: fix a memleak in go7007_load_encoder

stable inclusion
from stable-v5.10.214
commit b49fe84c6cefcc1c2336d793b53442e716c95073
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L9IB
CVE: CVE-2024-27074

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b49fe84c6cefcc1c2336d793b53442e716c95073



--------------------------------

[ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ]

In go7007_load_encoder, bounce (i.e. go->boot_fw) is allocated without
a deallocation thereafter. After the following call chain:

saa7134_go7007_init
  |-> go7007_boot_encoder
        |-> go7007_load_encoder
  |-> kfree(go)

go is freed and thus bounce is leaked.

Fixes: 95ef3940 ("[media] go7007: remember boot firmware")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
parent 5d655da7
+5 −3
@@ -80,7 +80,7 @@ static int go7007_load_encoder(struct go7007 *go)
	const struct firmware *fw_entry;
	char fw_name[] = "go7007/go7007fw.bin";
	void *bounce;
	int fw_len, rv = 0;
	int fw_len;
	u16 intr_val, intr_data;

	if (go->boot_fw == NULL) {
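Review bot: the declaration `void *bounce;` has no comment on ownership, yet the commit message says bounce and go->boot_fw are the same allocation and the cleanup in this patch frees it through go->boot_fw. A one-line comment at the declaration stating that the buffer is handed to go->boot_fw and must be released before go is freed would make the lifetime obvious to the next reader.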
@@ -109,9 +109,11 @@ static int go7007_load_encoder(struct go7007 *go)
	    go7007_read_interrupt(go, &intr_val, &intr_data) < 0 ||
			(intr_val & ~0x1) != 0x5a5a) {
		v4l2_err(go, "error transferring firmware\n");
		rv = -1;
		kfree(go->boot_fw);
		go->boot_fw = NULL;
		return -1;
	}
	return rv;
	return 0;
}

MODULE_FIRMWARE("go7007/go7007fw.bin");
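Review bot: the kfree(go->boot_fw) in the "error transferring firmware" branch releases the buffer only when the transfer itself fails, while the commit message describes the leak as happening when the caller reaches kfree(go) after go7007_boot_encoder. Please confirm that every path on which go is freed after a successful load also frees go->boot_fw, or place the release next to that kfree(go) site so the two lifetimes stay tied together. Setting go->boot_fw = NULL after the free is good, since the `go->boot_fw == NULL` check at the top of the function would otherwise reuse a dangling pointer on a retry. As a style point, `return -1;` could return a named errno such as -EIO so callers see a meaningful error code.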