Description
In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov772x: Fix memleak in ov772x_probe() A memory leak was reported when testing ov772x with bpf mock device: AssertionError: unreferenced object 0xffff888109afa7a8 (size 8): comm "python3", pid 279, jiffies 4294805921 (age 20.681s) hex dump (first 8 bytes): 80 22 88 15 81 88 ff ff ."...... backtrace: [<000000009990b438>] __kmalloc_node+0x44/0x1b0 [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x] [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 [<00000000e0b6db89>] really_probe+0x17c/0x3f0 [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 [<0000000048370519>] driver_probe_device+0x49/0x120 [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 [<00000000358e5596>] __device_attach+0x1e5/0x2d0 [<0000000043f83c5d>] bus_probe_device+0x126/0x140 [<00000000ee0f3046>] device_add+0x810/0x1130 [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 [<00000000a9f2159d>] of_i2c_notify+0x100/0x160 unreferenced object 0xffff888119825c00 (size 256): comm "python3", pid 279, jiffies 4294805921 (age 20.681s) hex dump (first 32 bytes): 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^...... 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\...... backtrace: [<000000009990b438>] __kmalloc_node+0x44/0x1b0 [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev] [<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev] [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x] [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 [<00000000e0b6db89>] really_probe+0x17c/0x3f0 [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 [<0000000048370519>] driver_probe_device+0x49/0x120 [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 [<00000000358e5596>] __device_attach+0x1e5/0x2d0 [<0000000043f83c5d>] bus_probe_device+0x126/0x140 [<00000000ee0f3046>] device_add+0x810/0x1130 [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() are leaked.
Product status
1112babde21483d86ed3fbad1320b0ddf9ab2ece before cc3b6011d7a9f149489eb9420c6305a779162c57
1112babde21483d86ed3fbad1320b0ddf9ab2ece before 448ce1cd50387b1345ec14eb191ef05f7afc2a26
1112babde21483d86ed3fbad1320b0ddf9ab2ece before dfaafeb8e9537969e8dba75491f732478c7fa9d6
1112babde21483d86ed3fbad1320b0ddf9ab2ece before 1da495101ef7507eb4f4b1dbec2874d740eff251
1112babde21483d86ed3fbad1320b0ddf9ab2ece before ac93f8ac66e60227bed42d5a023f0e6c15b52c0a
1112babde21483d86ed3fbad1320b0ddf9ab2ece before c86d760c1c6855a6131e78d0ddacc48c79324ac3
1112babde21483d86ed3fbad1320b0ddf9ab2ece before 7485edb2b6ca5960205c0a49bedfd09bba30e521
4.17
Any version before 4.17
4.19.276
5.4.235
5.10.173
5.15.99
6.1.16
6.2.3
6.3
References
git.kernel.org/...c/cc3b6011d7a9f149489eb9420c6305a779162c57
git.kernel.org/...c/448ce1cd50387b1345ec14eb191ef05f7afc2a26
git.kernel.org/...c/dfaafeb8e9537969e8dba75491f732478c7fa9d6
git.kernel.org/...c/1da495101ef7507eb4f4b1dbec2874d740eff251
git.kernel.org/...c/ac93f8ac66e60227bed42d5a023f0e6c15b52c0a
git.kernel.org/...c/c86d760c1c6855a6131e78d0ddacc48c79324ac3
git.kernel.org/...c/7485edb2b6ca5960205c0a49bedfd09bba30e521
