media: zr364xx: fix memory leaks in probe() (ea354b6d) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux

Commit ea354b6d authored Jan 21, 2021 by

Dan Carpenter Committed by Mauro Carvalho Chehab Jan 27, 2021

media: zr364xx: fix memory leaks in probe()

Syzbot discovered that the probe error handling doesn't clean up the
resources allocated in zr364xx_board_init(). There are several
related bugs in this code so I have re-written the error handling.

1) Introduce a new function zr364xx_board_uninit() which cleans up
the resources in zr364xx_board_init().
2) In zr364xx_board_init() if the call to zr364xx_start_readpipe()
fails then release the "cam->buffer.frame[i].lpvbits" memory
before returning. This way every function either allocates
everything successfully or it cleans up after itself.
3) Re-write the probe function so that each failure path goto frees
the most recent allocation. That way we don't free anything
before it has been allocated and we can also verify that
everything is freed.
4) Originally, in the probe function the "cam->v4l2_dev.release"
pointer was set to "zr364xx_release" near the start but I moved
that assignment to the end, after everything had succeeded. The
release function was never actually called during the probe cleanup
process, but with this change I wanted to make it clear that we
don't want to call zr364xx_release() until everything is
allocated successfully.

Next I re-wrote the zr364xx_release() function. Ideally this would
have been a simple matter of copy and pasting the cleanup code from
probe and adding an additional call to video_unregister_device(). But
there are a couple quirks to note.

1) The probe function does not call videobuf_mmap_free() and I don't
know where the videobuf_mmap is allocated. I left the code as-is to
avoid introducing a bug in code I don't understand.
2) The zr364xx_board_uninit() has a call to zr364xx_stop_readpipe()
which is a change from the original behavior with regards to
unloading the driver. Calling zr364xx_stop_readpipe() on a stopped
pipe is not a problem so this is safe and is potentially a bugfix.

Reported-by: <syzbot+b4d54814b339b5c6bbd4@syzkaller.appspotmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

parent 9d3b7ca4

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 09186174
· Mar 08, 2021

mentioned in commit 09186174

mentioned in commit 0918617449930bbc14956d25b9fd4e2a77ac729d

Toggle commit list
mirror @mirror
mentioned in commit 56320b1a
· Aug 27, 2021

mentioned in commit 56320b1a

mentioned in commit 56320b1ad4d0c6a67ab42198c40b9f43a0ed8756

Toggle commit list
mirror @mirror
mentioned in commit 705660a6
· Aug 27, 2021

mentioned in commit 705660a6

mentioned in commit 705660a6d98d22051addf7b849f6a15bec889967

Toggle commit list

Please register or to comment