media: uvcvideo: Fix a memory leak in an error handling path of 'uvc_ioctl_ctrl_map()'
Message ID | 95f3fd02313ff41d6808b8e1f20e0c582f46edc8.1636617903.git.christophe.jaillet@wanadoo.fr (mailing list archive) |
---|---|
State | New |
Delegated to: | Laurent Pinchart |
Series |
media: uvcvideo: Fix a memory leak in an error handling path of 'uvc_ioctl_ctrl_map()'
Commit Message
Christophe JAILLET
Nov. 11, 2021, 8:06 a.m. UTC
If 'map->name' can't be allocated, 'map' must be released before returning.
Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
drivers/media/usb/uvc/uvc_v4l2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
Hi Christophe I believe this is a dup of: https://lore.kernel.org/lkml/20210917114930.47261-1-colin.king@canonical.com/ Thanks On Thu, 11 Nov 2021 at 09:06, Christophe JAILLET <christophe.jaillet@wanadoo.fr> wrote: > > If 'map->name' can't be allocated, 'map' must be released before returning. > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..5aa76a9a6080 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > if (v4l2_ctrl_get_name(map->id) == NULL) { > map->name = kmemdup(xmap->name, sizeof(xmap->name), > GFP_KERNEL); > - if (!map->name) > + if (!map->name) { > + kfree(map); > return -ENOMEM; > + } > } > memcpy(map->entity, xmap->entity, sizeof(map->entity)); > map->selector = xmap->selector; > -- > 2.30.2 >
Le 11/11/2021 à 09:12, Ricardo Ribalda a écrit : > Hi Christophe > > I believe this is a dup of: > https://lore.kernel.org/lkml/20210917114930.47261-1-colin.king@canonical.com/ Yes it is, and Colin's proposal is cleaner than mine. Sorry for the noise. CJ > > Thanks > > On Thu, 11 Nov 2021 at 09:06, Christophe JAILLET > <christophe.jaillet@wanadoo.fr> wrote: >> >> If 'map->name' can't be allocated, 'map' must be released before returning. >> >> Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") >> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> >> --- >> drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c >> index f4e4aff8ddf7..5aa76a9a6080 100644 >> --- a/drivers/media/usb/uvc/uvc_v4l2.c >> +++ b/drivers/media/usb/uvc/uvc_v4l2.c >> @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, >> if (v4l2_ctrl_get_name(map->id) == NULL) { >> map->name = kmemdup(xmap->name, sizeof(xmap->name), >> GFP_KERNEL); >> - if (!map->name) >> + if (!map->name) { >> + kfree(map); >> return -ENOMEM; >> + } >> } >> memcpy(map->entity, xmap->entity, sizeof(map->entity)); >> map->selector = xmap->selector; >> -- >> 2.30.2 >> > >
On Thu, Nov 11, 2021 at 09:06:11AM +0100, Christophe JAILLET wrote: > If 'map->name' can't be allocated, 'map' must be released before returning. > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..5aa76a9a6080 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > if (v4l2_ctrl_get_name(map->id) == NULL) { > map->name = kmemdup(xmap->name, sizeof(xmap->name), > GFP_KERNEL); > - if (!map->name) > + if (!map->name) { > + kfree(map); > return -ENOMEM; > + } Your patch is fine but there is a second issue. The error handling should free "map->name" as well. The problem is that this function frees everything on the success path at all, but freeing map->name on the success path will lead to a crash so you have to do something weird like: diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4e4aff8ddf7..953a5cbf7945 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -90,6 +90,9 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, ret = uvc_ctrl_add_mapping(chain, map); kfree(map->menu_info); +free_name: + if (ret) + kfree(map->name); free_map: kfree(map);
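Review bot: the `free_name:` label added before `if (ret)` has no `goto free_name` in the visible lines, so as posted it is an unused label, and any earlier failure that still jumps to `free_map:` skips the `kfree(map->name)` and keeps leaking the name. Retarget the error paths that run after the `kmemdup()` to `free_name`, or drop the label and keep only the fall-through check. A short comment above `if (ret)` saying that the name stays in use after a successful `uvc_ctrl_add_mapping()` would explain why the free is conditional.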
I believe this is also addressed by this patch that is under review: https://patchwork.linuxtv.org/project/linux-media/patch/20211008120914.69175-1-ribalda@chromium.org/ On Thu, 11 Nov 2021 at 11:33, Dan Carpenter <dan.carpenter@oracle.com> wrote: > > On Thu, Nov 11, 2021 at 09:06:11AM +0100, Christophe JAILLET wrote: > > If 'map->name' can't be allocated, 'map' must be released before returning. > > > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > > --- > > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > > index f4e4aff8ddf7..5aa76a9a6080 100644 > > --- a/drivers/media/usb/uvc/uvc_v4l2.c > > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > > if (v4l2_ctrl_get_name(map->id) == NULL) { > > map->name = kmemdup(xmap->name, sizeof(xmap->name), > > GFP_KERNEL); > > - if (!map->name) > > + if (!map->name) { > > + kfree(map); > > return -ENOMEM; > > + } > > Your patch is fine but there is a second issue. The error handling > should free "map->name" as well. The problem is that this function > frees everything on the success path at all, but freeing map->name on > the success path will lead to a crash so you have to do something > weird like: > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..953a5cbf7945 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -90,6 +90,9 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > ret = uvc_ctrl_add_mapping(chain, map); > > kfree(map->menu_info); > +free_name: > + if (ret) > + kfree(map->name); > free_map: > kfree(map); > >
On Thu, Nov 11, 2021 at 11:40:32AM +0100, Ricardo Ribalda wrote:
> I believe this is also addressed by this patch that is under review:
>
> https://patchwork.linuxtv.org/project/linux-media/patch/20211008120914.69175-1-ribalda@chromium.org/
>

Ah perfect. My approach was quite lazy and that's a better way. Thanks!

regards,
dan carpenter
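The cleanup ordering discussed in this thread, as an added userspace C model (not kernel code and not from any of the posters). `xalloc`, `xfree`, `add_mapping`, `ctrl_map` and `leaked_after` are hypothetical names, and `add_mapping` is assumed to keep `map->name` on success, as the thread describes for `uvc_ctrl_add_mapping()`; the model injects an allocation failure at each step and counts what stays allocated.

```c
/* Userspace model (constructed): xalloc/xfree stand in for kmalloc/kfree. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int live, calls, fail_at;  /* live allocs, alloc counter, which call fails */
static void *kept_name;           /* pointer the "framework" keeps after a good add */
static void *xalloc(size_t n) { if (++calls == fail_at) return NULL; live++; return calloc(1, n); }
static void xfree(void *p) { if (p) { live--; free(p); } }
struct mapping { char *name; int *menu_info; };

/* Hypothetical stand-in for uvc_ctrl_add_mapping(): keeps map->name on success. */
static int add_mapping(struct mapping *map, int fail)
{
    if (!fail) kept_name = map->name;
    return fail ? -EINVAL : 0;
}

/* fixed=0 mirrors the pre-patch flow; fixed=1 applies both fixes from the thread. */
static int ctrl_map(int add_fails, int fixed)
{
    int ret = -ENOMEM;
    struct mapping *map = xalloc(sizeof(*map));
    if (!map) return ret;
    map->name = xalloc(32);               /* stands in for the kmemdup() of the name */
    if (!map->name) { if (!fixed) return ret; goto free_map; }
    map->menu_info = xalloc(4 * sizeof(int));
    if (!map->menu_info) goto free_name;
    ret = add_mapping(map, add_fails);
    xfree(map->menu_info);
free_name:
    if (ret && fixed) xfree(map->name);   /* on success the framework owns the name */
free_map:
    xfree(map);
    return ret;
}

/* Allocations still live after one call plus framework teardown (0 = no leak). */
static int leaked_after(int fail, int add_fails, int fixed)
{
    live = calls = 0; fail_at = fail; kept_name = NULL;
    if (ctrl_map(add_fails, fixed) == 0) xfree(kept_name);
    return live;
}

int main(void)
{
    for (int f = 0; f <= 3; f++)
        printf("fail_at=%d original=%d fixed=%d\n", f, leaked_after(f, 0, 0), leaked_after(f, 0, 1));
}
```

`leaked_after(fail, add_fails, fixed)` takes the 1-based allocation to fail (0 for none), whether the add step fails, and which flow to run.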
diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4e4aff8ddf7..5aa76a9a6080 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, if (v4l2_ctrl_get_name(map->id) == NULL) { map->name = kmemdup(xmap->name, sizeof(xmap->name), GFP_KERNEL); - if (!map->name) + if (!map->name) { + kfree(map); return -ENOMEM; + } } memcpy(map->entity, xmap->entity, sizeof(map->entity)); map->selector = xmap->selector;
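Review bot: in the `if (!map->name)` branch the fix open-codes `kfree(map); return -ENOMEM;` instead of reusing the function's existing `free_map:` exit, which already ends in `kfree(map)` (visible in the second diff quoted in this thread). Setting `ret = -ENOMEM` and doing `goto free_map` keeps a single cleanup path. The buffer allocated by the `kmemdup()` just above is also not released by that exit path, so a failure after this point would still leak `map->name`; that deserves a mention in the commit message or a follow-up.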