For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure
Author: zhanghaotian@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

vidtv_psi_desc_clone() builds a linked list of cloned descriptors by
calling descriptor init functions (e.g. vidtv_psi_service_desc_init())
that chain new entries into the accumulated "head" via
vidtv_psi_desc_chain().  When any init function or kmemdup() fails
inside the while loop, the function returns NULL without freeing the
already-built portion of head, leaking memory.

Fix this by calling vidtv_psi_desc_destroy(head) before returning NULL
in both failure paths.

Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhanghaotian@uniontech.com>
---
 drivers/media/test-drivers/vidtv/vidtv_psi.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_psi.c b/drivers/media/test-drivers/vidtv/vidtv_psi.c
index 1b6225d65..7f38011ae 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_psi.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_psi.c
@@ -481,11 +481,11 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
 		default:
 			curr = kmemdup(desc, sizeof(*desc) + desc->length, GFP_KERNEL);
 			if (!curr)
-				return NULL;
+				goto free_head;
 		}
 
 		if (!curr)
-			return NULL;
+			goto free_head;
 
 		curr->next = NULL;
 		if (!head)
@@ -498,6 +498,10 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
 	}
 
 	return head;
+
+free_head:
+	vidtv_psi_desc_destroy(head);
+	return NULL;
 }
 
 void vidtv_psi_desc_destroy(struct vidtv_psi_desc *desc)
-- 
2.30.2