CVE-2022-50626

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb: fix memory leak in dvbusbadapter_init()

Syzbot reports a memory leak in "dvbusbadapterinit()". The leak is due to not accounting for and freeing current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "numadaptersinitalized", which is used as a reference counter to free all adap->priv in "dvbusbadapterexit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvbusbadapterstreaminit()", "dvbusbadapterdvbinit()" and "dvbusbadapterfrontendinit()" within "dvbusbadapter_init()".

This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed.

Fix this by freeing the current iteration's adap->priv in the "streaminiterr:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvbusbadapterexit() as expected using the numadapters_initalized variable.

Syzbot report:

BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff844af012>] dvbusbadapterinit drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [<ffffffff844af012>] dvbusbinit drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [<ffffffff844af012>] dvbusbdeviceinit.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [<ffffffff830db21d>] dib0700probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700core.c:883 [<ffffffff82d3fdc7>] usbprobeinterface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff8274ab37>] calldriverprobe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] reallyprobe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] reallyprobe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driverprobedevice+0x10c/0x1e0 drivers/base/dd.c:752 [<ffffffff8274af6a>] driverprobedevice+0x2a/0x120 drivers/base/dd.c:782 [<ffffffff8274b786>] __deviceattachdriver+0xf6/0x140 drivers/base/dd.c:899 [<ffffffff82747c87>] busforeach_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff8274b352>] __deviceattach+0x122/0x260 drivers/base/dd.c:970 [<ffffffff827498f6>] busprobedevice+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff82745cdb>] deviceadd+0x5fb/0xdf0 drivers/base/core.c:3405 [<ffffffff82d3d202>] usbsetconfiguration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d4dbfc>] usbgenericdriverprobe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d3f49c>] usbprobedevice+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff8274ab37>] calldriverprobe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] reallyprobe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driverprobedevice+0x10c/0x1e0 drivers/base/dd.c:752