Message ID | 95f3fd02313ff41d6808b8e1f20e0c582f46edc8.1636617903.git.christophe.jaillet@wanadoo.fr (mailing list archive) |
---|---|
State | New, archived |
Series | media: uvcvideo: Fix a memory leak in an error handling path of 'uvc_ioctl_ctrl_map()' |
Hi Christophe I believe this is a dup of: https://lore.kernel.org/lkml/20210917114930.47261-1-colin.king@canonical.com/ Thanks On Thu, 11 Nov 2021 at 09:06, Christophe JAILLET <christophe.jaillet@wanadoo.fr> wrote: > > If 'map->name' can't be allocated, 'map' must be released before returning. > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..5aa76a9a6080 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > if (v4l2_ctrl_get_name(map->id) == NULL) { > map->name = kmemdup(xmap->name, sizeof(xmap->name), > GFP_KERNEL); > - if (!map->name) > + if (!map->name) { > + kfree(map); > return -ENOMEM; > + } > } > memcpy(map->entity, xmap->entity, sizeof(map->entity)); > map->selector = xmap->selector; > -- > 2.30.2 >
On 11/11/2021 at 09:12, Ricardo Ribalda wrote: > Hi Christophe > > I believe this is a dup of: > https://lore.kernel.org/lkml/20210917114930.47261-1-colin.king@canonical.com/ Yes it is, and Colin's proposal is cleaner than mine. Sorry for the noise. CJ > > Thanks > > On Thu, 11 Nov 2021 at 09:06, Christophe JAILLET > <christophe.jaillet@wanadoo.fr> wrote: >> >> If 'map->name' can't be allocated, 'map' must be released before returning. >> >> Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") >> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> >> --- >> drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c >> index f4e4aff8ddf7..5aa76a9a6080 100644 >> --- a/drivers/media/usb/uvc/uvc_v4l2.c >> +++ b/drivers/media/usb/uvc/uvc_v4l2.c >> @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, >> if (v4l2_ctrl_get_name(map->id) == NULL) { >> map->name = kmemdup(xmap->name, sizeof(xmap->name), >> GFP_KERNEL); >> - if (!map->name) >> + if (!map->name) { >> + kfree(map); >> return -ENOMEM; >> + } >> } >> memcpy(map->entity, xmap->entity, sizeof(map->entity)); >> map->selector = xmap->selector; >> -- >> 2.30.2 >> > >
On Thu, Nov 11, 2021 at 09:06:11AM +0100, Christophe JAILLET wrote: > If 'map->name' can't be allocated, 'map' must be released before returning. > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..5aa76a9a6080 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > if (v4l2_ctrl_get_name(map->id) == NULL) { > map->name = kmemdup(xmap->name, sizeof(xmap->name), > GFP_KERNEL); > - if (!map->name) > + if (!map->name) { > + kfree(map); > return -ENOMEM; > + } Your patch is fine but there is a second issue. The error handling should free "map->name" as well. The problem is that this function frees everything on the success path at all, but freeing map->name on the success path will lead to a crash so you have to do something weird like: diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4e4aff8ddf7..953a5cbf7945 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -90,6 +90,9 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, ret = uvc_ctrl_add_mapping(chain, map); kfree(map->menu_info); +free_name: + if (ret) + kfree(map->name); free_map: kfree(map);
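Review bot: the added `free_name:` label has no matching `goto free_name;` in this hunk, so any earlier error exit that jumps to `free_map` still skips the `kfree(map->name)` and the label itself is unused; those exits taken after the name has been duplicated need to be switched to `goto free_name;` for the fix to cover them. The `if (ret) kfree(map->name);` also runs when `v4l2_ctrl_get_name(map->id)` returned non-NULL and no name was duplicated, which is only safe if `map->name` is NULL in that case. A short comment stating that assumption, and why the name must survive the success path, would make the conditional free easier to audit.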
I believe this is also addressed by this patch that is under review: https://patchwork.linuxtv.org/project/linux-media/patch/20211008120914.69175-1-ribalda@chromium.org/ On Thu, 11 Nov 2021 at 11:33, Dan Carpenter <dan.carpenter@oracle.com> wrote: > > On Thu, Nov 11, 2021 at 09:06:11AM +0100, Christophe JAILLET wrote: > > If 'map->name' can't be allocated, 'map' must be released before returning. > > > > Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework") > > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > > --- > > drivers/media/usb/uvc/uvc_v4l2.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > > index f4e4aff8ddf7..5aa76a9a6080 100644 > > --- a/drivers/media/usb/uvc/uvc_v4l2.c > > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > > @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > > if (v4l2_ctrl_get_name(map->id) == NULL) { > > map->name = kmemdup(xmap->name, sizeof(xmap->name), > > GFP_KERNEL); > > - if (!map->name) > > + if (!map->name) { > > + kfree(map); > > return -ENOMEM; > > + } > > Your patch is fine but there is a second issue. The error handling > should free "map->name" as well. The problem is that this function > frees everything on the success path at all, but freeing map->name on > the success path will lead to a crash so you have to do something > weird like: > > diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c > index f4e4aff8ddf7..953a5cbf7945 100644 > --- a/drivers/media/usb/uvc/uvc_v4l2.c > +++ b/drivers/media/usb/uvc/uvc_v4l2.c > @@ -90,6 +90,9 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, > ret = uvc_ctrl_add_mapping(chain, map); > > kfree(map->menu_info); > +free_name: > + if (ret) > + kfree(map->name); > free_map: > kfree(map); > >
On Thu, Nov 11, 2021 at 11:40:32AM +0100, Ricardo Ribalda wrote:
> I believe this is also addressed by this patch that is under review:
>
> https://patchwork.linuxtv.org/project/linux-media/patch/20211008120914.69175-1-ribalda@chromium.org/
>

Ah perfect. My approach was quite lazy and that's a better way. Thanks!

regards,
dan carpenter
diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index f4e4aff8ddf7..5aa76a9a6080 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, if (v4l2_ctrl_get_name(map->id) == NULL) { map->name = kmemdup(xmap->name, sizeof(xmap->name), GFP_KERNEL); - if (!map->name) + if (!map->name) { + kfree(map); return -ENOMEM; + } } memcpy(map->entity, xmap->entity, sizeof(map->entity)); map->selector = xmap->selector;
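Review bot: in the `if (!map->name)` branch, the added `kfree(map); return -ENOMEM;` open-codes cleanup that `uvc_ioctl_ctrl_map()` already centralises at its `free_map:` label, which ends in `kfree(map);`. Setting `ret = -ENOMEM;` and using `goto free_map;` would keep a single exit path, so a later change to the cleanup sequence cannot miss this branch. The hunk also covers only the failure of the `kmemdup()` itself: once `map->name` has been allocated, any later error exit that reaches `kfree(map)` without freeing `map->name` leaks the name buffer, which is the second issue raised in the thread.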
If 'map->name' can't be allocated, 'map' must be released before returning.

Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
 drivers/media/usb/uvc/uvc_v4l2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)