media: uvcvideo: Fix error path in control parsing failure

commit 8c279e9394cade640ed86ec6c6645a0e7df5e0b6 upstream.

When parsing the UVC control descriptors fails, the error path tries to
cleanup a media device that hasn't been initialised, potentially
resulting in a crash. Fix this by initialising the media device before
the error handling path can be reached.

Fixes: 5a254d751e52 ("[media] uvcvideo: Register a v4l2_device")
Reported-by: syzbot+c86454eb3af9e8a4da20@syzkaller.appspotmail.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index 66ee168..428235c 100644 (file)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -2151,6 +2151,20 @@ static int uvc_probe(struct usb_interface *intf,
                           sizeof(dev->name) - len);
        }
 
+       /* Initialize the media device. */
+#ifdef CONFIG_MEDIA_CONTROLLER
+       dev->mdev.dev = &intf->dev;
+       strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
+       if (udev->serial)
+               strscpy(dev->mdev.serial, udev->serial,
+                       sizeof(dev->mdev.serial));
+       usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info));
+       dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
+       media_device_init(&dev->mdev);
+
+       dev->vdev.mdev = &dev->mdev;
+#endif
+
        /* Parse the Video Class control descriptor. */
        if (uvc_parse_control(dev) < 0) {
                uvc_trace(UVC_TRACE_PROBE, "Unable to parse UVC "
@@ -2171,19 +2185,7 @@ static int uvc_probe(struct usb_interface *intf,
                        "linux-uvc-devel mailing list.\n");
        }
 
-       /* Initialize the media device and register the V4L2 device. */
-#ifdef CONFIG_MEDIA_CONTROLLER
-       dev->mdev.dev = &intf->dev;
-       strscpy(dev->mdev.model, dev->name, sizeof(dev->mdev.model));
-       if (udev->serial)
-               strscpy(dev->mdev.serial, udev->serial,
-                       sizeof(dev->mdev.serial));
-       usb_make_path(udev, dev->mdev.bus_info, sizeof(dev->mdev.bus_info));
-       dev->mdev.hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
-       media_device_init(&dev->mdev);
-
-       dev->vdev.mdev = &dev->mdev;
-#endif
+       /* Register the V4L2 device. */
        if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
                goto error;