From: Peilin Ye yepeilin.cs@gmail.com
mainline inclusion from mainline-v6.8-rc6 commit bf9a40ae8d722f281a2721779595d6df1c33a0bf category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I94UCW CVE: CVE-2020-36777
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h...
--------------------------------
dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instance itself must be freed explicitly by the driver if required."
Link: https://syzkaller.appspot.com/bug?id=9bbe4b842c98f0ed05c5eed77a226e9de33bf29...
Link: https://lore.kernel.org/linux-media/20201211083039.521617-1-yepeilin.cs@gmai... Cc: stable@vger.kernel.org Fixes: 0230d60e4661 ("[media] dvbdev: Add RF connector if needed") Reported-by: syzbot+7f09440acc069a0d38ac@syzkaller.appspotmail.com Signed-off-by: Peilin Ye yepeilin.cs@gmail.com Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Wenyu Huang huangwenyu5@huawei.com --- drivers/media/dvb-core/dvbdev.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index a7d57ff7c88b..4b562238749d 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -242,6 +242,7 @@ static void dvb_media_device_free(struct dvb_device *dvbdev)
if (dvbdev->adapter->conn) { media_device_unregister_entity(dvbdev->adapter->conn); + kfree(dvbdev->adapter->conn); dvbdev->adapter->conn = NULL; kfree(dvbdev->adapter->conn_pads); dvbdev->adapter->conn_pads = NULL;