[PATCH] media: dvb-core: release pid memory when set filter to sec

From: Edward Adam Davis

Date: Sun Apr 26 2026 - 01:34:03 EST


The user first executes set pes filter to create a PID, and subsequently
executes set filter to sec. Within dvb_dmxdev_filter_set(), however, only
the PES filter is stopped, and the memory associated with the PID is not
reclaimed. Consequently, when dvb_demux_release() is executed upon file
closure, at which point the filter type has already been updated to
DMXDEV_TYPE_SEC, the memory consumed by the PID originally generated for
the PES filter is never reclaimed. This triggers the memory leak reported
in [1].

Added a call to dvb_dmxdev_filter_reset() during the execution of
dvb_dmxdev_filter_set() to free the PID memory.

[1]
BUG: memory leak
unreferenced object 0xffff88810b771800 (size 32):
backtrace (crc 1a56a8d7):
dvb_dmxdev_add_pid+0x9c/0x160 drivers/media/dvb-core/dmxdev.c:897
dvb_dmxdev_pes_filter_set drivers/media/dvb-core/dmxdev.c:972 [inline]
dvb_demux_do_ioctl+0x3c6/0x7d0 drivers/media/dvb-core/dmxdev.c:1092
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201

Reported-by: syzbot+ba83b7db8e644b8b7c19@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=ba83b7db8e644b8b7c19
Tested-by: syzbot+ba83b7db8e644b8b7c19@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
drivers/media/dvb-core/dmxdev.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..62733859f639 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -937,6 +937,7 @@ static int dvb_dmxdev_filter_set(struct dmxdev *dmxdev,
__func__, params->pid, params->flags, params->timeout);

dvb_dmxdev_filter_stop(dmxdevfilter);
+ dvb_dmxdev_filter_reset(dmxdevfilter);

dmxdevfilter->type = DMXDEV_TYPE_SEC;
memcpy(&dmxdevfilter->params.sec,
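Review bot: The added dvb_dmxdev_filter_reset(dmxdevfilter) call directly after dvb_dmxdev_filter_stop() runs unconditionally on every section-filter set, while the commit message only covers the case where a PES filter was set first. Please state in the commit message that the reset is harmless for a filter that was never set or is already a section filter, and consider a one-line comment above the call saying it frees the PID list left by an earlier PES filter, since nothing in the hunk itself explains why the section path touches PID memory. The trailer block carries Reported-by, Closes and Tested-by but no Fixes: line; adding one would identify which kernels need the backport.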
--
2.43.0