[linux] 02/02: media: usbvision-video: fix memory leak of alt_max_pkt_size
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Dec 2 23:04:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch squeeze-security
in repository linux.
commit 1ff9893458ce1eb9e3aead95ef0420eee676667b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 2 23:03:40 2015 +0000
media: usbvision-video: fix memory leak of alt_max_pkt_size
This is sort of a dependency of the other fixes.
---
debian/changelog | 1 +
...sion-fix-crash-on-detecting-device-with-i.patch | 2 +-
...sion-fix-leak-of-usb_dev-on-failure-paths.patch | 20 +++++------
...sion-video-fix-memory-leak-of-alt_max_pkt.patch | 41 ++++++++++++++++++++++
...sbvision-fix-overflow-of-interfaces-array.patch | 2 +-
debian/patches/series/48squeeze17 | 1 +
6 files changed, 54 insertions(+), 13 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index e36e008..0c40e96 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
* isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
* ppp, slip: Validate VJ compression slot parameters completely
(CVE-2015-7799)
+ * media: usbvision-video: fix memory leak of alt_max_pkt_size
* media: usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
* media: usbvision: fix overflow of interfaces array (CVE-2015-7833)
* media: usbvision: fix crash on detecting device with invalid
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
index 2c06c45..6a6caab 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
@@ -15,7 +15,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
---
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1661,10 +1661,23 @@ static int __devinit usbvision_probe(str
+@@ -1662,10 +1662,23 @@ static int __devinit usbvision_probe(str
if (usbvision_device_data[model].Interface >= 0) {
interface = &dev->actconfig->interface[usbvision_device_data[model].Interface]->altsetting[0];
diff --git a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
index 1e8de3f..cbba45c 100644
--- a/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
+++ b/debian/patches/bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
@@ -11,9 +11,7 @@ Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
-[bwh: Backported to 2.6.32:
- - The extra cleanup needed at err_pkt is mutex_unlock()
- - Adjust filename, context]
+[bwh: Backported to 2.6.32: adjust filename, context]
---
drivers/media/video/usbvision/usbvision-video.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
@@ -22,7 +20,7 @@ diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/vid
index 2579c87..12b403e 100644
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1637,7 +1637,7 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1638,7 +1638,7 @@ static int usbvision_probe(struct usb_interface *intf,
const struct usb_host_interface *interface;
struct usb_usbvision *usbvision = NULL;
const struct usb_endpoint_descriptor *endpoint;
@@ -31,7 +29,7 @@ index 2579c87..12b403e 100644
PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
dev->descriptor.idVendor,
-@@ -1646,7 +1646,8 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1647,7 +1647,8 @@ static int usbvision_probe(struct usb_interface *intf,
model = devid->driver_info;
if ( (model<0) || (model>=usbvision_device_data_size) ) {
PDEBUG(DBG_PROBE, "model out of bounds %d",model);
@@ -41,7 +39,7 @@ index 2579c87..12b403e 100644
}
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].ModelString);
-@@ -1662,18 +1663,21 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1663,18 +1664,21 @@ static int usbvision_probe(struct usb_interface *intf,
__func__, ifnum);
dev_err(&intf->dev, "%s: Endpoint attributes %d",
__func__, endpoint->bmAttributes);
@@ -66,24 +64,24 @@ index 2579c87..12b403e 100644
}
if (dev->descriptor.bNumConfigurations > 1) {
-@@ -1696,8 +1700,8 @@ static int usbvision_probe(struct usb_interface *intf,
- usbvision->num_alt,GFP_KERNEL);
+@@ -1698,8 +1702,8 @@ static int usbvision_probe(struct usb_interface *intf,
if (usbvision->alt_max_pkt_size == NULL) {
dev_err(&intf->dev, "usbvision: out of memory!\n");
-- mutex_unlock(&usbvision->lock);
+ mutex_unlock(&usbvision->lock);
+- usbvision_release(usbvision);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto err_pkt;
}
for (i = 0; i < usbvision->num_alt ; i++) {
-@@ -1736,6 +1740,12 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1737,6 +1741,12 @@ static int usbvision_probe(struct usb_interface *intf,
PDEBUG(DBG_PROBE, "success");
return 0;
+
+err_pkt:
-+ mutex_unlock(&usbvision->lock);
++ usbvision_release(usbvision);
+err_usb:
+ usb_put_dev(dev);
+ return ret;
diff --git a/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
new file mode 100644
index 0000000..b237d64
--- /dev/null
+++ b/debian/patches/bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
@@ -0,0 +1,41 @@
+From: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Date: Mon, 10 Jun 2013 17:32:29 -0300
+Subject: [media] usbvision-video: fix memory leak of alt_max_pkt_size
+Origin: https://git.kernel.org/linus/090c65b694c362adb19ec9c27de216a808ee443c
+
+1. usbvision->alt_max_pkt_size is not deallocated anywhere.
+2. if allocation of usbvision->alt_max_pkt_size fails,
+there is no proper deallocation of already acquired resources.
+The patch adds kfree(usbvision->alt_max_pkt_size) to
+usbvision_release() as soon as other deallocations happen there.
+It calls usbvision_release() if allocation of
+usbvision->alt_max_pkt_size fails as soon as usbvision_release()
+is safe to work with incompletely initialized usbvision structure.
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+[bwh: Backported to 2.6.32: adjust filename, context]
+---
+ drivers/media/video/usbvision/usbvision-video.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/video/usbvision/usbvision-video.c
++++ b/drivers/media/video/usbvision/usbvision-video.c
+@@ -1575,6 +1575,7 @@ static void usbvision_release(struct usb
+
+ usbvision_remove_sysfs(usbvision->vdev);
+ usbvision_unregister_video(usbvision);
++ kfree(usbvision->alt_max_pkt_size);
+
+ if (usbvision->ctrlUrb) {
+ usb_free_urb(usbvision->ctrlUrb);
+@@ -1697,6 +1698,7 @@ static int __devinit usbvision_probe(str
+ if (usbvision->alt_max_pkt_size == NULL) {
+ dev_err(&intf->dev, "usbvision: out of memory!\n");
+ mutex_unlock(&usbvision->lock);
++ usbvision_release(usbvision);
+ return -ENOMEM;
+ }
+
diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
index b718295..951706a 100644
--- a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
@@ -18,7 +18,7 @@ Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
--- a/drivers/media/video/usbvision/usbvision-video.c
+++ b/drivers/media/video/usbvision/usbvision-video.c
-@@ -1652,6 +1652,13 @@ static int usbvision_probe(struct usb_interface *intf,
+@@ -1653,6 +1653,13 @@ static int usbvision_probe(struct usb_interface *intf,
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].ModelString);
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index 89e2438..1f70412 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -1,6 +1,7 @@
+ bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+ bugfix/all/isdn_ppp-add-checks-for-allocation-failure-in-isdn_p.patch
+ bugfix/all/ppp-slip-validate-vj-compression-slot-parameters-com.patch
++ bugfix/all/media-usbvision-video-fix-memory-leak-of-alt_max_pkt.patch
+ bugfix/all/media-usbvision-fix-leak-of-usb_dev-on-failure-paths.patch
+ bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
+ bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list