[linux] 02/03: Add dependencies of usbvision fix
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Dec 1 03:55:55 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit f24c33db24a5d3429abe0d4696a312a87d2e1bd7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Nov 30 18:52:20 2015 +0000
Add dependencies of usbvision fix
---
debian/changelog | 2 +
...sion-fix-crash-on-detecting-device-with-i.patch | 2 +-
...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 88 ++++++++++++++++++++++
...sion-video-fix-memory-leak-of-alt_max_pkt.patch | 41 ++++++++++
...sbvision-fix-overflow-of-interfaces-array.patch | 2 +-
debian/patches/series | 2 +
6 files changed, 135 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 7c2f83e..0220db4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
linux (3.2.73-2+deb7u1) UNRELEASED; urgency=medium
+ * media: usbvision-video: fix memory leak of alt_max_pkt_size
+ * media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
* media: usbvision: fix crash on detecting device with invalid configuration
(CVE-2015-7833, partly fixed in 3.2.68-1+deb7u6)
* [x86] KVM: svm: Restore #BP handler, mistakenly removed in 3.2.73-1
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index a5573d1..69c9914 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1509,9 +1509,23 @@ static int __devinit usbvision_probe(str
+@@ -1511,9 +1511,23 @@ static int __devinit usbvision_probe(str
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
new file mode 100644
index 0000000..c8f8577
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -0,0 +1,88 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Fri, 27 Mar 2015 19:39:09 -0300
+Subject: [media] usbvision: fix leak of usb_dev on failure paths in
+ usbvision_probe()
+Origin: https://git.kernel.org/linus/afd270d1a45043cef14341bcceff62ed50e8dc9a
+
+There is no usb_put_dev() on failure paths in usbvision_probe().
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1487,7 +1487,7 @@ static int __devinit usbvision_probe(str
+ const struct usb_host_interface *interface;
+ struct usb_usbvision *usbvision = NULL;
+ const struct usb_endpoint_descriptor *endpoint;
+- int model, i;
++ int model, i, ret;
+
+ PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
+ dev->descriptor.idVendor,
+@@ -1496,7 +1496,8 @@ static int __devinit usbvision_probe(str
+ model = devid->driver_info;
+ if (model < 0 || model >= usbvision_device_data_size) {
+ PDEBUG(DBG_PROBE, "model out of bounds %d", model);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ printk(KERN_INFO "%s: %s found\n", __func__,
+ usbvision_device_data[model].model_string);
+@@ -1511,18 +1512,21 @@ static int __devinit usbvision_probe(str
+ __func__, ifnum);
+ dev_err(&intf->dev, "%s: Endpoint attributes %d",
+ __func__, endpoint->bmAttributes);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+ if (usb_endpoint_dir_out(endpoint)) {
+ dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
+ __func__, ifnum);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_usb;
+ }
+
+ usbvision = usbvision_alloc(dev, intf);
+ if (usbvision == NULL) {
+ dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n", __func__);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_usb;
+ }
+
+ if (dev->descriptor.bNumConfigurations > 1)
+@@ -1541,8 +1545,8 @@ static int __devinit usbvision_probe(str
+ usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ if (usbvision->alt_max_pkt_size == NULL) {
+ dev_err(&intf->dev, "usbvision: out of memory!\n");
+- usbvision_release(usbvision);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto err_pkt;
+ }
+
+ for (i = 0; i < usbvision->num_alt; i++) {
+@@ -1577,6 +1581,12 @@ static int __devinit usbvision_probe(str
+
+ PDEBUG(DBG_PROBE, "success");
+ return 0;
++
++err_pkt:
++ usbvision_release(usbvision);
++err_usb:
++ usb_put_dev(dev);
++ return ret;
+ }
+
+
diff --git a/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
new file mode 100644
index 0000000..90c066a
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
@@ -0,0 +1,41 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Mon, 10 Jun 2013 17:32:29 -0300
+Subject: [media] usbvision-video: fix memory leak of alt_max_pkt_size
+Origin: https://git.kernel.org/linus/090c65b694c362adb19ec9c27de216a808ee443c
+
+1. usbvision->alt_max_pkt_size is not deallocated anywhere.
+2. if allocation of usbvision->alt_max_pkt_size fails,
+there is no proper deallocation of already acquired resources.
+The patch adds kfree(usbvision->alt_max_pkt_size) to
+usbvision_release() as soon as other deallocations happen there.
+It calls usbvision_release() if allocation of
+usbvision->alt_max_pkt_size fails as soon as usbvision_release()
+is safe to work with incompletely initialized usbvision structure.
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1425,6 +1425,7 @@ static void usbvision_release(struct usb
+
+ usbvision_remove_sysfs(usbvision->vdev);
+ usbvision_unregister_video(usbvision);
++ kfree(usbvision->alt_max_pkt_size);
+
+ usb_free_urb(usbvision->ctrl_urb);
+
+@@ -1540,6 +1541,7 @@ static int __devinit usbvision_probe(str
+ usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt, GFP_KERNEL);
+ if (usbvision->alt_max_pkt_size == NULL) {
+ dev_err(&intf->dev, "usbvision: out of memory!\n");
++ usbvision_release(usbvision);
+ return -ENOMEM;
+ }
+
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index d05e6dc..7a7c348 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1500,6 +1500,13 @@ static int __devinit usbvision_probe(str
+@@ -1502,6 +1502,13 @@ static int __devinit usbvision_probe(str
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
diff --git a/debian/patches/series b/debian/patches/series
index 140da0c..aa540e6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1161,6 +1161,8 @@ debian/x86-mm-avoid-abi-change-in-3.2.72.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
+bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list