On 06/04/2021 11:44, Muhammad Usama Anjum wrote:
On Wed, 2021-03-31 at 13:22 +0500, Muhammad Usama Anjum wrote:
On Wed, 2021-03-24 at 23:07 +0500, Muhammad Usama Anjum wrote:
If some error occurs, URB buffers should also be freed. If they aren't freed with the dvb here, the em28xx_dvb_fini call doesn't free the URB buffers as dvb is set to NULL. The function in which error occurs should do all the cleanup for the allocations it had done.
Tested the patch with the reproducer provided by syzbot. This patch fixes the memleak.
Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
Resending the same patch as some email addresses were missing from the earlier email.
syzbot found the following issue on:
HEAD commit: 1a4431a5 Merge tag 'afs-fixes-20210315' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11013a7cd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff6b8b2e9d5a1227
dashboard link: https://syzkaller.appspot.com/bug?extid=889397c820fa56adf25d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1559ae3ad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=176985c6d00000
drivers/media/usb/em28xx/em28xx-dvb.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c index 526424279637..471bd74667e3 100644 --- a/drivers/media/usb/em28xx/em28xx-dvb.c +++ b/drivers/media/usb/em28xx/em28xx-dvb.c @@ -2010,6 +2010,7 @@ static int em28xx_dvb_init(struct em28xx *dev) return result; out_free:
- em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE); kfree(dvb); dev->dvb = NULL; goto ret;
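Review bot: the em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE) call sits directly under out_free:, ahead of kfree(dvb), so any error path in em28xx_dvb_init() that jumps to out_free before the URB buffers are allocated would now run the teardown on buffers that do not exist yet; please confirm the call is safe in that state, or give failures after the allocation their own label that falls through to out_free. The commit message also carries no Fixes: tag, which the thread says stable maintainers rely on; the thread names 27ba0dac as the commit that introduced the bug.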
I'd received the following notice and am waiting for the review:
On Thu, 2021-03-25 at 09:06 +0000, Patchwork wrote:
Hello,
The following patch (submitted by you) has been updated in Patchwork:
- linux-media: media: em28xx: fix memory leak
- http://patchwork.linuxtv.org/project/linux-media/patch/20210324180753.GA4103...
- for: Linux Media kernel patches
This patch has been accepted. This bug was introduced by 27ba0dac. Will it be backported and submitted for inclusion in a stable release by the maintainer automatically?
That might not happen since there was no 'Fixes:' tag. Without that it will depend on the stable tree maintainers whether they'll pick it up or not.
Regards,
Hans
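
The leak described in the commit message, modelled in user space as an added example (not code from the patch or from the em28xx driver). struct device, model_init, model_fini and uninit_xfer are hypothetical stand-ins, and the buffer count and sizes are constructed.

```c
#include <stdlib.h>

#define NUM_BUFS 5   /* constructed value, not the driver's */

struct device { void *urb_buf[NUM_BUFS]; void *dvb; };

static void uninit_xfer(struct device *dev)
{
    for (int i = 0; i < NUM_BUFS; i++) {
        free(dev->urb_buf[i]);
        dev->urb_buf[i] = NULL;
    }
}

/* Teardown keyed on dev->dvb: a no-op once init has cleared the pointer. */
static void model_fini(struct device *dev)
{
    if (!dev->dvb)
        return;
    uninit_xfer(dev);
    free(dev->dvb);
    dev->dvb = NULL;
}

/* Init that always fails after the transfer buffers have been allocated. */
static int model_init(struct device *dev, int free_xfer_on_error)
{
    dev->dvb = malloc(16);
    for (int i = 0; dev->dvb && i < NUM_BUFS; i++)
        dev->urb_buf[i] = malloc(64);
    if (free_xfer_on_error)      /* cleanup done by the failing function */
        uninit_xfer(dev);
    free(dev->dvb);
    dev->dvb = NULL;             /* fini can no longer see this device state */
    return -1;
}

/* Number of buffers still allocated after a failed init followed by fini. */
static int leaked_after_failed_init(int free_xfer_on_error)
{
    struct device dev = {0};
    int leaked = 0;
    model_init(&dev, free_xfer_on_error);
    model_fini(&dev);
    for (int i = 0; i < NUM_BUFS; i++)
        leaked += (dev.urb_buf[i] != NULL);
    uninit_xfer(&dev);           /* release what the model left behind */
    return leaked;
}
```
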