Description: media: dvb: usb: use after free in dvb_usb_device_exit References: https://lore.kernel.org/linux-media/fe983331d14442a96db3f71066ca0488a8921840.camel%40decadent.org.uk/ https://lore.kernel.org/linux-media/20190822104147.4420-1-vasilyev@ispras.ru/ https://bugzilla.kernel.org/show_bug.cgi?id=204597 Notes: bwh> This is supposed to be fixed by commit 6cf97230cd5f "media: dvb: bwh> usb: fix use after free in dvb_usb_device_exit", but that won't fix bwh> the syzkaller report it claims to. The KASAN output shows an 8-byte bwh> access to memory that was allocated in dw2102_probe(), apparently by bwh> the statement "s421 = kmemdup(...)". But it was also freed by bwh> dw2102_probe(), so d->desc was already a dangling pointer before bwh> dvb_usb_device_exit() was called. bwh> The name strings seem to be static data that are only freed when bwh> the module containing them is unloaded. Which dvb_usb_device_exit() bwh> doesn't do. bwh> Introduced in 4.19 by commit 299c7007e936 "media: dw2102: Fix bwh> memleak on sequence of probes". Bugs: upstream: needed 6.1-upstream-stable: needed 5.10-upstream-stable: needed 4.19-upstream-stable: needed 4.9-upstream-stable: N/A "Vulnerability introduced later" 3.16-upstream-stable: N/A "Vulnerability introduced later" sid: needed 6.1-bookworm-security: needed 5.10-bullseye-security: needed 4.19-buster-security: needed 4.9-stretch-security: N/A "Vulnerability introduced later" 3.16-jessie-security: N/A "Vulnerability introduced later"