media: [next] media: vidtv: fix a read from an object after it has been freed

Currently the call to vidtv_psi_pat_table_destroy frees the object
m->si.pat however m->si.pat->num_pmt is being accessed after the
free.  Fix this by destroying m->si.pat after the m->si.pmt_secs[]
objects have been freed.

Addresses-Coverity: ("Read from pointer after free")

Reported-by: Cengiz Can <cengiz@kernel.wtf> # sent a similar fix about the same time
Fixes: 039b7caed173 ("media: vidtv: add a PID entry for the NIT table")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index 8ad6c07..7838e62 100644 (file)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -504,11 +504,11 @@ void vidtv_channel_si_destroy(struct vidtv_mux *m)
 {
        u32 i;
 
-       vidtv_psi_pat_table_destroy(m->si.pat);
-
        for (i = 0; i < m->si.pat->num_pmt; ++i)
                vidtv_psi_pmt_table_destroy(m->si.pmt_secs[i]);
 
+       vidtv_psi_pat_table_destroy(m->si.pat);
+
        kfree(m->si.pmt_secs);
        vidtv_psi_sdt_table_destroy(m->si.sdt);
        vidtv_psi_nit_table_destroy(m->si.nit);