From 18a9b21f7a9d417ac07e2d2717a6a9679b664627 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Fri, 1 Apr 2022 18:44:58 +0200 Subject: [PATCH] media: uvcvideo: Fix memory leak if uvc_ctrl_add_mapping fails Move all the life cycle of the name to add_mapping. This simplifies the error handling inside uvc_ioctl_ctrl_map and solves a memory leak when kemmdup fails. Also make sure that for custom controls, the user provides a valid name. Fixes: 07adedb5c606 ("media: uvcvideo: Use control names from framework") Signed-off-by: Ricardo Ribalda Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/uvc/uvc_ctrl.c | 10 ++++++++++ drivers/media/usb/uvc/uvc_v4l2.c | 8 ++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index b4f6edf..0e78233 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -2188,11 +2188,21 @@ static int __uvc_ctrl_add_mapping(struct uvc_video_chain *chain, if (map == NULL) return -ENOMEM; + /* For UVCIOC_CTRL_MAP custom control */ + if (mapping->name) { + map->name = kstrdup(mapping->name, GFP_KERNEL); + if (!map->name) { + kfree(map); + return -ENOMEM; + } + } + INIT_LIST_HEAD(&map->ev_subs); size = sizeof(*mapping->menu_info) * mapping->menu_count; map->menu_info = kmemdup(mapping->menu_info, size, GFP_KERNEL); if (map->menu_info == NULL) { + kfree(map->name); kfree(map); return -ENOMEM; } diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index 1771819..648dcd5 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -42,12 +42,12 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain, map->id = xmap->id; /* Non standard control id. */ if (v4l2_ctrl_get_name(map->id) == NULL) { - map->name = kmemdup(xmap->name, sizeof(xmap->name), - GFP_KERNEL); - if (!map->name) { - ret = -ENOMEM; + if (xmap->name[0] == '\0') { + ret = -EINVAL; goto free_map; } + xmap->name[sizeof(xmap->name) - 1] = '\0'; + map->name = xmap->name; } memcpy(map->entity, xmap->entity, sizeof(map->entity)); map->selector = xmap->selector; -- 2.7.4