[linux] 01/02: media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Dec 1 00:41:32 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch squeeze-security
in repository linux.
commit 2042a6b22d0bd34419e3e7b35b630492009ceba3
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Nov 30 18:52:20 2015 +0000
media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
Dependency of "media: usbvision: fix crash on detecting device with invalid
configuration".
---
debian/changelog | 1 +
...sion-fix-crash-on-detecting-device-with-i.patch | 2 +-
...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 92 ++++++++++++++++++++++
...sbvision-fix-overflow-of-interfaces-array.patch | 2 +-
debian/patches/series/48squeeze17 | 1 +
5 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 59d53ea..0c1082e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
* isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
* ppp, slip: Validate VJ compression slot parameters completely
(CVE-2015-7799)
+ * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
* media: usbvision: fix overflow of interfaces array (CVE-2015-7833)
* media: usbvision: fix crash on detecting device with invalid
configuration (CVE-2015-7833)
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index fb55974..2c06c45 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -15,7 +15,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
---
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1660,10 +1660,23 @@ static int __devinit usbvision_probe(str
+@@ -1661,10 +1661,23 @@ static int __devinit usbvision_probe(str
if (usbvision_device_data[model].Interface >= 0) {
interface = &dev->actconfig->interface[usbvision_device_data[model].Interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
new file mode 100644
index 0000000..8f63eb2
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -0,0 +1,92 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in
+ usbvision_probe()
+Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 2.6.32:
+ - Call mutex_unlock() directly instead of usbvision_release()
+ - Adjust filename, context]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/video/usbvision/usbvision-video.c
+index 2579c87..12b403e 100644
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1637,7 +1637,7 @@ static int usbvision_probe(struct usb_interface *intf,
+ const struct usb_host_interface *interface;
+ struct usb_usbvision *usbvision = NULL;
+ const struct usb_endpoint_descriptor *endpoint;
+- int model,i;
++ int model, i, ret;
+
+ PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ dev->descriptor.idVendor,
+@@ -1646,7 +1646,8 @@ static int usbvision_probe(struct usb_interface *intf,
+ model = devid->driver_info;
+ if ( (model<0) || (model>=usbvision_device_data_size) ) {
+ PDEBUG(DBG_PROBE, "model out of bounds %d",model);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ printk(KERN_INFO "%s: %s found\n", __func__,
+ usbvision_device_data[model].ModelString);
+@@ -1662,18 +1663,21 @@ static int usbvision_probe(struct usb_interface *intf,
+ __func__, ifnum);
+ dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ __func__, endpoint->bmAttributes);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ if (usb_endpoint_dir_out(endpoint)) {
+ dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+ __func__, ifnum);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+
+ usbvision = usbvision_alloc(dev, intf);
+ if (usbvision == NULL) {
+ dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_usb;
+ }
+
+ if (dev->descriptor.bNumConfigurations > 1) {
+@@ -1696,8 +1700,8 @@ static int usbvision_probe(struct usb_interface *intf,
+ usbvision->num_alt,GFP_KERNEL);
+ if (usbvision->alt_max_pkt_size == NULL) {
+ dev_err(&intf->dev, "usbvision: out of memory!\n");
+- mutex_unlock(&usbvision->lock);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_pkt;
+ }
+
+ for (i = 0; i < usbvision->num_alt ; i++) {
+@@ -1736,6 +1740,12 @@ static int usbvision_probe(struct usb_interface *intf,
+
+ PDEBUG(DBG_PROBE, "success");
+ return 0;
++
++err_pkt:
++ mutex_unlock(&usbvision->lock);
++err_usb:
++ usb_put_dev(dev);
++ return ret;
+ }
+
+
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index 4fd4e4f..b718295 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1651,6 +1651,13 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1652,6 +1652,13 @@ static int usbvision_probe(struct usb_interface *intf,
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].ModelString);
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index 9f4c0e0..4c97043 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -1,5 +1,6 @@
+ bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+ bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
+ bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
++ bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
+ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+ bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list