drivers/media/radio/radio-keene.c | 1 + 1 file changed, 1 insertion(+)
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Fix a memory leak in usb_keene_probe() when v4l2_device_register()
fails. The v4l2 control handler was initialized and controls were
added, but if v4l2_device_register() failed, the handler was never
freed, leaking the allocated memory for the handler buckets and
control structures.
Consolidate the error handling by adding an err_hdl label that
ensures v4l2_ctrl_handler_free() is called for all error paths
after the handler is initialized.
Reported-by: syzbot+a41b73dce23962a74c72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a41b73dce23962a74c72
Fixes: 1bf20c3a0c61 ("[media] radio-keene: add a driver for the Keene FM Transmitter")
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
v2:
- Simplified fix: call v4l2_ctrl_handler_free() inline before goto
instead of adding a new error label, avoiding unused label warning
reported by Media CI.
---
drivers/media/radio/radio-keene.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/radio/radio-keene.c b/drivers/media/radio/radio-keene.c
index f3b57f0cb1ec..4a203e958a4f 100644
--- a/drivers/media/radio/radio-keene.c
+++ b/drivers/media/radio/radio-keene.c
@@ -344,6 +344,7 @@ static int usb_keene_probe(struct usb_interface *intf,
retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
if (retval < 0) {
dev_err(&intf->dev, "couldn't register v4l2_device\n");
+ v4l2_ctrl_handler_free(hdl);
goto err_v4l2;
}
--
2.34.1On Wed, Nov 26, 2025 at 12:00:00PM +0530, ssrane_b23@ee.vjti.ac.in wrote: > Fix a memory leak in usb_keene_probe() when v4l2_device_register() > fails. The v4l2 control handler was initialized and controls were > added, but if v4l2_device_register() failed, the handler was never > freed, leaking the allocated memory for the handler buckets and > control structures. > > Consolidate the error handling by adding an err_hdl label that > ensures v4l2_ctrl_handler_free() is called for all error paths > after the handler is initialized. > > --- > v2: > - Simplified fix: call v4l2_ctrl_handler_free() inline before goto > instead of adding a new error label, avoiding unused label warning > reported by Media CI. v4l2_ctrl_handler_free() has to be called in the last error path also (the one after the v4l2_device_register() call). Your v1 patch was correct and also better because it avoided repeated calls to v4l2_ctrl_handler_free() in different error paths. To fix the unused label warning just use err_v4l2 itself instead of introducing err_hdl, because both error path that goes to err_v4l2 needs to call v4l2_ctrl_handler_free() to fix the memory leak. Regards, Nihaal
© 2016 - 2025 Red Hat, Inc.