From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
To: Chenyuan Yang <chenyuan0y@gmail.com>
Cc: mchehab@kernel.org, linux-media@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller@googlegroups.com,
	Zijie Zhao <zzjas98@gmail.com>
Subject: Re: [Linux Kernel Bug] memory leak in dvb_dmxdev_add_pid
Date: Fri, 11 Oct 2024 06:57:34 +0200	[thread overview]
Message-ID: <20241011065734.471f3774@foz.lan> (raw)
In-Reply-To: <CALGdzur5uoqM-8H_MfPJNdPNL1nMhRbttN95kNWi2q-p3-n9hg@mail.gmail.com>

On Thu, 10 Oct 2024 20:06:29 -0500
Chenyuan Yang <chenyuan0y@gmail.com> wrote:

> Dear Linux Developers for DVB,
> 
> I am writing to inquire if there have been any updates regarding the
> memory leak issue. The issue remains reproducible on the latest stable
> Linux version (6.12-rc2, commit
> 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b).

The DVB demux internally has a state machine to filter MPEG-TS streams. It
needs to allocate data and buffers when setting such filters. So, the ioctls
described at https://www.kernel.org/doc/html/v4.10/media/uapi/dvb/dmx_fcalls.html
work together.

Having a report that calling DMX functions in a fuzz test results in memory
being kept allocated sounds like normal behavior to me, as such filters
are meant to be persistent.

I need to double-check, but I'm almost sure this is persistent even after
device close(). So, de-allocation should happen when the device driver is
removed or when a new set of filters is set. In the last case, the old
buffers will be freed and a new set of buffers will be allocated.

> 
> Thank you for your attention to this matter.
> 
> Best,
> Chenyuan
> 
> On Sat, Mar 2, 2024 at 3:12 PM Chenyuan Yang <chenyuan0y@gmail.com> wrote:
> >
> > Dear Linux Developers for DVB,
> >
> > We encountered "memory leak in dvb_dmxdev_add_pid" when testing the
> > DVB driver with Syzkaller and our generated specifications.
> >
> > The C reproducer and the config for the kernel are attached.
> >
> > The memory leak originates from the allocated dmxdev_feed structure,
> > as referenced in the code at
> > [https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L881].
> > This structure fails to be freed upon entering the code branch found
> > at [https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L891].
> >
> > ```
> > ioctl$KGPT_DMX_START(r0, 0x6f29, 0x0)
> > BUG: memory leak
> > unreferenced object 0xffff88802e9ae7e0 (size 32):
> >   comm "syz-executor.0", pid 27777, jiffies 4295115050 (age 15.550s)
> >   hex dump (first 32 bytes):
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >     08 c0 6a 05 00 c9 ff ff 08 c0 6a 05 00 c9 ff ff  ..j.......j.....
> >   backtrace:
> >     [<ffffffff8169126f>] kmemleak_alloc_recursive
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/kmemleak.h:42
> > [inline]
> >     [<ffffffff8169126f>] slab_post_alloc_hook
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slab.h:766
> > [inline]
> >     [<ffffffff8169126f>] slab_alloc_node
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slub.c:3478
> > [inline]
> >     [<ffffffff8169126f>] __kmem_cache_alloc_node+0x2ff/0x3e0
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slub.c:3517
> >     [<ffffffff815d9da9>] kmalloc_trace+0x29/0x90
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slab_common.c:1098
> >     [<ffffffff83db2e09>] kmalloc
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/slab.h:600
> > [inline]
> >     [<ffffffff83db2e09>] kzalloc
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/slab.h:721
> > [inline]
> >     [<ffffffff83db2e09>] dvb_dmxdev_add_pid+0xa9/0x160
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:881
> >     [<ffffffff83db48de>] dvb_dmxdev_pes_filter_set
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:956
> > [inline]
> >     [<ffffffff83db48de>] dvb_demux_do_ioctl+0x67e/0xa80
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:1076
> >     [<ffffffff83db1252>] dvb_usercopy+0x82/0x220
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dvbdev.c:986
> >     [<ffffffff83db1b51>] dvb_demux_ioctl+0x31/0x40
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:1185
> >     [<ffffffff8171ca88>] vfs_ioctl
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:51
> > [inline]
> >     [<ffffffff8171ca88>] __do_sys_ioctl
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:871
> > [inline]
> >     [<ffffffff8171ca88>] __se_sys_ioctl
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:857
> > [inline]
> >     [<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:857
> >     [<ffffffff8540b150>] do_syscall_x64
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/arch/x86/entry/common.c:51
> > [inline]
> >     [<ffffffff8540b150>] do_syscall_64+0x40/0x110
> > scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/arch/x86/entry/common.c:82
> >     [<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > ```
> >
> > If you have any questions or require more information, please feel
> > free to contact us.
> >
> > Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
> >
> > Best,
> > Chenyuan

Thanks,
Mauro
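The thread turns on two distinct things: feeds that legitimately stay allocated after a successful PES filter set (freed only when the filter set is torn down, as the reply says) versus an allocation that is dropped on an error return before it is ever linked anywhere (what kmemleak reports as an "unreferenced object"). The following user-space C program, added here as an illustration and not the kernel's dmxdev code, models both cases with a hypothetical `struct feed`/`struct filter` pair and a constructed `start_fails` knob that forces the error path; the names `add_pid_leaky`, `add_pid_fixed`, `filter_release` and the tracking counter are all assumptions for the example.

```c
/* Added example (not kernel code): model of "allocate, then return early on
 * a later error path" versus persistent feeds released at filter teardown.
 * All names and the error condition here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Live-allocation counter, standing in for what kmemleak would count as
 * still-allocated objects. */
static int live_allocs;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* One PID feed hanging off a filter (hypothetical stand-in for a feed entry). */
struct feed {
    uint16_t pid;
    struct feed *next;
};

/* A filter owning a list of feeds; feeds persist until the filter is released. */
struct filter {
    struct feed *feeds;
    int running;      /* hypothetical "filter already started" state */
    int start_fails;  /* constructed knob to force the error path */
};

/* Hypothetical start routine: fails only when the test knob says so. */
static int start_feed(struct filter *f, struct feed *fd)
{
    (void)fd;
    return f->start_fails ? -1 : 0;
}

/* Leaky variant: on start failure the feed is neither linked nor freed,
 * so the error return drops the only reference to it. */
static int add_pid_leaky(struct filter *f, uint16_t pid)
{
    struct feed *fd = track_alloc(sizeof(*fd));
    if (!fd)
        return -1;
    fd->pid = pid;
    if (f->running && start_feed(f, fd) != 0)
        return -1;                     /* modelled bug: fd is lost here */
    fd->next = f->feeds;
    f->feeds = fd;
    return 0;
}

/* Fixed variant: the error path releases what it allocated. */
static int add_pid_fixed(struct filter *f, uint16_t pid)
{
    struct feed *fd = track_alloc(sizeof(*fd));
    if (!fd)
        return -1;
    fd->pid = pid;
    if (f->running && start_feed(f, fd) != 0) {
        track_free(fd);                /* release on the error path */
        return -1;
    }
    fd->next = f->feeds;
    f->feeds = fd;
    return 0;
}

/* Teardown: where persistent feeds are legitimately freed. */
static void filter_release(struct filter *f)
{
    struct feed *fd = f->feeds;
    while (fd) {
        struct feed *next = fd->next;
        track_free(fd);
        fd = next;
    }
    f->feeds = NULL;
}

/* Adds one PID successfully, then a second one with the error path forced
 * (or not), releases the filter, and returns how many allocations remain.
 * Anything left after release is a real leak, not a persistent filter. */
static int leaked_after_teardown(int (*add)(struct filter *, uint16_t),
                                 int fail_start)
{
    struct filter f;
    memset(&f, 0, sizeof(f));
    live_allocs = 0;
    f.running = 1;
    add(&f, 0x100);                    /* succeeds: feed stays on the list */
    f.start_fails = fail_start;
    add(&f, 0x101);                    /* error path when fail_start != 0 */
    filter_release(&f);
    return live_allocs;
}

/* Before release, successfully added feeds are expected to stay allocated. */
static int live_before_teardown(void)
{
    struct filter f;
    memset(&f, 0, sizeof(f));
    live_allocs = 0;
    add_pid_fixed(&f, 0x100);
    add_pid_fixed(&f, 0x101);
    int n = live_allocs;
    filter_release(&f);
    return n;
}

int main(void)
{
    printf("persistent feeds before teardown: %d\n", live_before_teardown());
    printf("leaky add, error path: %d left after release\n",
           leaked_after_teardown(add_pid_leaky, 1));
    printf("fixed add, error path: %d left after release\n",
           leaked_after_teardown(add_pid_fixed, 1));
    return 0;
}
```

The check a reviewer wants from such a model is the last line of each scenario: a non-zero count after `filter_release` is an object nothing references any more, which is exactly the condition kmemleak flags, whereas a non-zero count before release is the persistence the reply describes and is not a bug on its own.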
