[linux] 02/03: Add dependencies of usbvision fix

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Dec 1 03:55:55 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit f24c33db24a5d3429abe0d4696a312a87d2e1bd7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Nov 30 18:52:20 2015 +0000

    Add dependencies of usbvision fix
---
 debian/changelog                                   |  2 +
 ...sion-fix-crash-on-detecting-device-with-i.patch |  2 +-
 ...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 88 ++++++++++++++++++++++
 ...sion-video-fix-memory-leak-of-alt_max_pkt.patch | 41 ++++++++++
 ...sbvision-fix-overflow-of-interfaces-array.patch |  2 +-
 debian/patches/series                              |  2 +
 6 files changed, 135 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 7c2f83e..0220db4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
 linux (3.2.73-2+deb7u1) UNRELEASED; urgency=medium
 
+  * media: usbvision-video: fix memory leak of alt_max_pkt_size
+  * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
   * media: usbvision: fix crash on detecting device with invalid configuration
     (CVE-2015-7833, partly fixed in 3.2.68-1+deb7u6)
   * [x86] KVM: svm: Restore #BP handler, mistakenly removed in 3.2.73-1
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index a5573d1..69c9914 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1509,9 +1509,23 @@ static int __devinit usbvision_probe(str
+@@ -1511,9 +1511,23 @@ static int __devinit usbvision_probe(str
  
  	if (usbvision_device_data[model].interface >= 0)
  		interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
new file mode 100644
index 0000000..c8f8577
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -0,0 +1,88 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in
+ usbvision_probe()
+Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1487,7 +1487,7 @@ static int __devinit usbvision_probe(str
+ 	const struct usb_host_interface *interface;
+ 	struct usb_usbvision *usbvision = NULL;
+ 	const struct usb_endpoint_descriptor *endpoint;
+-	int model, i;
++	int model, i, ret;
+ 
+ 	PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ 				dev->descriptor.idVendor,
+@@ -1496,7 +1496,8 @@ static int __devinit usbvision_probe(str
+ 	model = devid->driver_info;
+ 	if (model < 0 || model >= usbvision_device_data_size) {
+ 		PDEBUG(DBG_PROBE, "model out of bounds %d", model);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	printk(KERN_INFO "%s: %s found\n", __func__,
+ 				usbvision_device_data[model].model_string);
+@@ -1511,18 +1512,21 @@ static int __devinit usbvision_probe(str
+ 		    __func__, ifnum);
+ 		dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ 		    __func__, endpoint->bmAttributes);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 	if (usb_endpoint_dir_out(endpoint)) {
+ 		dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+ 		    __func__, ifnum);
+-		return -ENODEV;
++		ret = -ENODEV;
++		goto err_usb;
+ 	}
+ 
+ 	usbvision = usbvision_alloc(dev, intf);
+ 	if (usbvision == NULL) {
+ 		dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_usb;
+ 	}
+ 
+ 	if (dev->descriptor.bNumConfigurations > 1)
+@@ -1541,8 +1545,8 @@ static int __devinit usbvision_probe(str
+ 	usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ 	if (usbvision->alt_max_pkt_size == NULL) {
+ 		dev_err(&intf->dev, "usbvision: out of memory!\n");
+-		usbvision_release(usbvision);
+-		return -ENOMEM;
++		ret = -ENOMEM;
++		goto err_pkt;
+ 	}
+ 
+ 	for (i = 0; i < usbvision->num_alt; i++) {
+@@ -1577,6 +1581,12 @@ static int __devinit usbvision_probe(str
+ 
+ 	PDEBUG(DBG_PROBE, "success");
+ 	return 0;
++
++err_pkt:
++	usbvision_release(usbvision);
++err_usb:
++	usb_put_dev(dev);
++	return ret;
+ }
+ 
+ 
diff --git a/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
new file mode 100644
index 0000000..90c066a
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
@@ -0,0 +1,41 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Mon, 10 Jun 2013 17:32:29 -0300
+Subject: [media] usbvision-video: fix memory leak of alt_max_pkt_size
+Origin: https://git.kernel.org/linus/090c65b694c362adb19ec9c27de216a808ee443c
+
+1. usbvision->alt_max_pkt_size is not deallocated anywhere.
+2. if allocation of usbvision->alt_max_pkt_size fails,
+there is no proper deallocation of already acquired resources.
+The patch adds kfree(usbvision->alt_max_pkt_size) to
+usbvision_release() as soon as other deallocations happen there.
+It calls usbvision_release() if allocation of
+usbvision->alt_max_pkt_size fails as soon as usbvision_release()
+is safe to work with incompletely initialized usbvision structure.
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1425,6 +1425,7 @@ static void usbvision_release(struct usb
+ 
+ 	usbvision_remove_sysfs(usbvision->vdev);
+ 	usbvision_unregister_video(usbvision);
++	kfree(usbvision->alt_max_pkt_size);
+ 
+ 	usb_free_urb(usbvision->ctrl_urb);
+ 
+@@ -1540,6 +1541,7 @@ static int __devinit usbvision_probe(str
+ 	usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ 	if (usbvision->alt_max_pkt_size == NULL) {
+ 		dev_err(&intf->dev, "usbvision: out of memory!\n");
++		usbvision_release(usbvision);
+ 		return -ENOMEM;
+ 	}
+ 
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index d05e6dc..7a7c348 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
 
 --- a/drivers/media/video/usbvision/usbvision-video.c
 +++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1500,6 +1500,13 @@ static int __devinit usbvision_probe(str
+@@ -1502,6 +1502,13 @@ static int __devinit usbvision_probe(str
  	printk(KERN_INFO "%s: %s found\n", __func__,
  				usbvision_device_data[model].model_string);
  
diff --git a/debian/patches/series b/debian/patches/series
index 140da0c..aa540e6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1161,6 +1161,8 @@ debian/x86-mm-avoid-abi-change-in-3.2.72.patch
 
 bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
 bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
+bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
 bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
 bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
 bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list