From 89b0b22f22a0e05b6586db6b5d09f7654b804972 Mon Sep 17 00:00:00 2001 From: Dongliang Mu Date: Wed, 25 Jun 2025 03:22:25 +0000 Subject: [PATCH] media: pvrusb2: fix memory leak in pvr_probe stable inclusion from stable-v4.19.257 commit 491762b3250fb06a0c97b5198656ea48359eaeed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG97Q CVE: CVE-2022-49982 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=491762b3250fb06a0c97b5198656ea48359eaeed -------------------------------- commit 945a9a8e448b65bec055d37eba58f711b39f66f0 upstream. The error handling code in pvr2_hdw_create forgets to unregister the v4l2 device. When pvr2_hdw_create returns back to pvr2_context_create, it calls pvr2_context_destroy to destroy context, but mp->hdw is NULL, which leads to that pvr2_hdw_destroy directly returns. Fix this by adding v4l2_device_unregister to decrease the refcount of usb interface. Reported-by: syzbot+77b432d57c4791183ed4@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman Signed-off-by: Cai Xinchen --- drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c index 3fb2cfe583e8..f9e97ca8a842 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c @@ -2602,6 +2602,7 @@ struct pvr2_hdw *pvr2_hdw_create(struct usb_interface *intf, del_timer_sync(&hdw->encoder_run_timer); del_timer_sync(&hdw->encoder_wait_timer); flush_work(&hdw->workpoll); + v4l2_device_unregister(&hdw->v4l2_dev); usb_free_urb(hdw->ctl_read_urb); usb_free_urb(hdw->ctl_write_urb); kfree(hdw->ctl_read_buffer); -- Gitee