In the Linux kernel, the following vulnerability has been resolved:
fbdev: smscufx: fix error handling code in ufxusbprobe
The current error handling code in ufxusbprobe have many unmatching issues, e.g., missing ufxfreeusblist, destroymodedb label should only include framebufferrelease, fbdealloccmap only matches fballoc_cmap.
My local syzkaller reports a memory leak bug:
memory leak in ufxusbprobe
BUG: memory leak unreferenced object 0xffff88802f879580 (size 128): comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s) hex dump (first 32 bytes): 80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|............. 00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................ backtrace: [<ffffffff814c99a0>] kmalloctrace+0x20/0x90 mm/slabcommon.c:1045 [<ffffffff824d219c>] kmalloc include/linux/slab.h:553 [inline] [<ffffffff824d219c>] kzalloc include/linux/slab.h:689 [inline] [<ffffffff824d219c>] ufxallocurblist drivers/video/fbdev/smscufx.c:1873 [inline] [<ffffffff824d219c>] ufxusbprobe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655 [<ffffffff82d17927>] usbprobeinterface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff82712f0d>] calldriverprobe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] reallyprobe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] _driverprobedevice+0xbf/0x140 drivers/base/dd.c:778 [<ffffffff827132da>] driverprobedevice+0x2a/0x120 drivers/base/dd.c:808 [<ffffffff82713c27>] _deviceattachdriver+0xf7/0x150 drivers/base/dd.c:936 [<ffffffff82710137>] busforeachdrv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff827136b5>] _deviceattach+0x105/0x2d0 drivers/base/dd.c:1008 [<ffffffff82711d36>] busprobedevice+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff8270e242>] deviceadd+0x642/0xdc0 drivers/base/core.c:3517 [<ffffffff82d14d5f>] usbsetconfiguration+0x8ef/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d2576c>] usbgenericdriverprobe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d16ffc>] usbprobedevice+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff82712f0d>] calldriverprobe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] reallyprobe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] _driverprobe_device+0xbf/0x140 drivers/base/dd.c:778
Fix this bug by rewriting the error handling code in ufxusbprobe.