CVE-2022-50626

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-usb: fix memory leak in dvb_usb_adapter_init()

Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()".

This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed.

Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable.

Syzbot report:

BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
[] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
[] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
[] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
[] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[] call_driver_probe drivers/base/dd.c:542 [inline]
[] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[] really_probe drivers/base/dd.c:583 [inline]
[] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
[] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
[] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
[] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
[] __device_attach+0x122/0x260 drivers/base/dd.c:970
[] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
[] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
[] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
[] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[] call_driver_probe drivers/base/dd.c:542 [inline]
[] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[] really_probe drivers/base/dd.c:583 [inline]
[] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
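A userspace model of the accounting bug described above, added here as an illustration; it is not the kernel source or the upstream patch. The names `num_initialized`, `priv_alloc`, `priv_free` and `leaked_after_failed_probe` are hypothetical, and one injected failure stands in for the three init calls that can jump to the error label.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_ADAPTERS 3

struct adapter { void *priv; };
struct device {
    struct adapter adapter[MAX_ADAPTERS];
    int num_initialized; /* model of the counter the exit path relies on */
};
static int live_privs;   /* priv objects allocated and not yet freed */

static void *priv_alloc(void) { void *p = calloc(1, 512); if (p) live_privs++; return p; }
static void priv_free(void **p) { if (*p) { live_privs--; free(*p); *p = NULL; } }

/* Init loop: adapter `fail_at` fails after its priv is allocated (-1 = none). */
static int adapter_init(struct device *d, int fail_at, int fixed)
{
    struct adapter *adap = NULL;
    for (int n = 0; n < MAX_ADAPTERS; n++) {
        adap = &d->adapter[n];
        if (!(adap->priv = priv_alloc())) return -1;
        if (n == fail_at) goto stream_init_err; /* leaves before the increment */
        d->num_initialized++;
    }
    return 0;
stream_init_err:
    if (fixed) priv_free(&adap->priv); /* the fix: free the current iteration's priv */
    return -1;
}

/* Exit path: frees only the adapters the counter accounts for. */
static void adapter_exit(struct device *d)
{
    for (int n = 0; n < d->num_initialized; n++) priv_free(&d->adapter[n].priv);
    d->num_initialized = 0;
}

/* Failed probe followed by exit; returns how many priv objects stay allocated. */
static int leaked_after_failed_probe(int fail_at, int fixed)
{
    struct device d = {0};
    adapter_init(&d, fail_at, fixed);
    adapter_exit(&d);
    int leaked = live_privs;
    for (int n = 0; n < MAX_ADAPTERS; n++) priv_free(&d.adapter[n].priv); /* tidy the model */
    return leaked;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", leaked_after_failed_probe(1, 0), leaked_after_failed_probe(1, 1));
    return 0;
}
```

Whichever adapter index fails, the unfixed path leaves exactly one 512-byte object behind, which matches the single unreferenced object in the syzbot report.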

Impact