[linux] 01/02: media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Dec 1 00:41:32 UTC 2015


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 2042a6b22d0bd34419e3e7b35b630492009ceba3
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Nov 30 18:52:20 2015 +0000

    media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
    
    Dependency of "media: usbvision: fix crash on detecting device with invalid
    configuration".
---
 debian/changelog                                   |  1 +
 ...sion-fix-crash-on-detecting-device-with-i.patch |  2 +-
 ...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 92 ++++++++++++++++++++++
 ...sbvision-fix-overflow-of-interfaces-array.patch |  2 +-
 debian/patches/series/48squeeze17                  |  1 +
 5 files changed, 96 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 59d53ea..0c1082e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
   * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
   * ppp, slip: Validate VJ compression slot parameters completely
     (CVE-2015-7799)
+  * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
   * media: usbvision: fix overflow of interfaces array (CVE-2015-7833)
   * media: usbvision: fix crash on detecting device with invalid
     configuration (CVE-2015-7833)
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index fb55974..2c06c45 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -15,7 +15,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 ---
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1660,10 +1660,23 @@ static int __devinit usbvision_probe(str
+@@ -1661,10 +1661,23 @@ static int __devinit usbvision_probe(str
  
  	if (usbvision_device_data[model].Interface >= 0) {
  		interface = &dev->actconfig->interface[usbvision_device_data[model].Interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
new file mode 100644
index 0000000..8f63eb2
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -0,0 +1,92 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in
+ usbvision_probe()
+Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 2.6.32:
+ - Call mutex_unlock() directly instead of usbvision_release()
+ - Adjust filename, context]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/video/usbvision/usbvision-video.c
+index 2579c87..12b403e 100644
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1637,7 +1637,7 @@ static int usbvision_probe(struct usb_interface *intf,
+ 	const struct usb_host_interface *interface;
+ 	struct usb_usbvision *usbvision = NULL;
+ 	const struct usb_endpoint_descriptor *endpoint;
+-	int model,i;
++	int model, i, ret;
+ 
+ 	PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ 				dev->descriptor.idVendor,
+@@ -1646,7 +1646,8 @@ static int usbvision_probe(struct usb_interface *intf,
+ 	model = devid->driver_info;
+ 	if ( (model<0) || (model>=usbvision_device_data_size) ) {
+ 		PDEBUG(DBG_PROBE, "model out of bounds %d",model);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	printk(KERN_INFO "%s: %s found\n", __func__,
+ 				usbvision_device_data[model].ModelString);
+@@ -1662,18 +1663,21 @@ static int usbvision_probe(struct usb_interface *intf,
+ 		    __func__, ifnum);
+ 		dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ 		    __func__, endpoint->bmAttributes);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	if (usb_endpoint_dir_out(endpoint)) {
+ 		dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+ 		    __func__, ifnum);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 
+ 	usbvision = usbvision_alloc(dev, intf);
+ 	if (usbvision == NULL) {
+ 		dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_usb;
+ 	}
+ 
+ 	if (dev->descriptor.bNumConfigurations > 1) {
+@@ -1696,8 +1700,8 @@ static int usbvision_probe(struct usb_interface *intf,
+ 					      usbvision->num_alt,GFP_KERNEL);
+ 	if (usbvision->alt_max_pkt_size == NULL) {
+ 		dev_err(&intf->dev, "usbvision: out of memory!\n");
+-		mutex_unlock(&usbvision->lock);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_pkt;
+ 	}
+ 
+ 	for (i = 0; i < usbvision->num_alt ; i++) {
+@@ -1736,6 +1740,12 @@ static int usbvision_probe(struct usb_interface *intf,
+ 
+ 	PDEBUG(DBG_PROBE, "success");
+ 	return 0;
++
++err_pkt:
++	mutex_unlock(&usbvision->lock);
++err_usb:
++	usb_put_dev(dev);
++	return ret;
+ }
+ 
+ 
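Review bot: On the `err_pkt` path the object returned by `usbvision_alloc()` does not appear to be released. The new labels only run `mutex_unlock(&usbvision->lock);` and `usb_put_dev(dev);`, and the backport note says the upstream `usbvision_release()` call was replaced by a bare unlock. Unless code outside these embedded hunks frees it, a failed `alt_max_pkt_size` allocation still leaks the usbvision struct on every such probe of an attached device. Either add the teardown that matches `usbvision_alloc()` after the unlock (upstream uses `usbvision_release(usbvision);`, assuming it is safe to call once the lock is dropped in 2.6.32), or document the omission with a comment such as `/* usbvision is intentionally not released here: <reason> */`. The `usb_get_dev()` and `mutex_lock()` calls that these labels balance are outside the visible hunks, so the pairing could not be checked from this page.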
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index 4fd4e4f..b718295 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1651,6 +1651,13 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1652,6 +1652,13 @@ static int usbvision_probe(struct usb_interface *intf,
  	printk(KERN_INFO "%s: %s found\n", __func__,
  				usbvision_device_data[model].ModelString);
  
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index 9f4c0e0..4c97043 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -1,5 +1,6 @@
 + bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
 + bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
 + bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
++ bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
 + bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 + bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


