From: Alan Stern stern@rowland.harvard.edu
commit e469d0b09a19496e1972a20974bbf55b728151eb upstream.
The gspca driver leaks memory when a probe fails. gspca_dev_probe2() calls v4l2_device_register(), which takes a reference to the underlying device node (in this case, a USB interface). But the failure pathway neglects to call v4l2_device_unregister(), the routine responsible for dropping this reference. Consequently the memory for the USB interface and its device never gets released.
This patch adds the missing function call.
Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com
Signed-off-by: Alan Stern stern@rowland.harvard.edu CC: stable@vger.kernel.org Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/media/usb/gspca/gspca.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c index c9a2b29a60a5..93212ed80bf8 100644 --- a/drivers/media/usb/gspca/gspca.c +++ b/drivers/media/usb/gspca/gspca.c @@ -1585,6 +1585,7 @@ int gspca_dev_probe2(struct usb_interface *intf, input_unregister_device(gspca_dev->input_dev); #endif v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_unregister(&gspca_dev->v4l2_dev); kfree(gspca_dev->usb_buf); kfree(gspca_dev); return ret;