* [syzbot] [media?] memory leak in vidtv_psi_service_desc_init
@ 2026-02-10  4:09 syzbot
  2026-03-01 21:07 ` [PATCH] media: vidtv: fix nfeeds state corruption on start_streaming failure Ruslan Valiyev
  0 siblings, 1 reply; 2+ messages in thread
From: syzbot @ 2026-02-10  4:09 UTC (permalink / raw)
  To: dwlsalmeida, linux-kernel, linux-media, mchehab, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    05f7e89ab973 Linux 6.19
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1143533a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d7d0fbecb37bff8
dashboard link: https://syzkaller.appspot.com/bug?extid=639ebc6ec75e96674741
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17ed6a52580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1587465a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1ad63df9059c/disk-05f7e89a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4f2b44c1d6fd/vmlinux-05f7e89a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9736a52697bc/bzImage-05f7e89a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+639ebc6ec75e96674741@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 19 02 0c 60 fd 02 09  ........H...`...
    81 88 ff ff 0a 70 fd 02 09 81 88 ff ff 00 00 00  .....p..........
  backtrace (crc 90a0c7d4):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __kmalloc_cache_noprof+0x41a/0x590 mm/slub.c:5775
    kmalloc_noprof include/linux/slab.h:957 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:655
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:766
    dvb_dmxdev_pes_filter_set drivers/media/dvb-core/dmxdev.c:963 [inline]
    dvb_demux_do_ioctl+0x7a2/0x7d0 drivers/media/dvb-core/dmxdev.c:1077
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:999
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1186
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810902fd70 (size 16):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  hex dump (first 16 bytes):
    0b 42 65 65 74 68 6f 76 65 6e 00 00 00 00 00 00  .Beethoven......
  backtrace (crc e88d86b):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x47b/0x690 mm/slub.c:5768
    __kmemdup_nul mm/util.c:64 [inline]
    kstrdup+0x3c/0x80 mm/util.c:84
    vidtv_psi_service_desc_init+0x17a/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:305
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:655
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:766
    dvb_dmxdev_pes_filter_set drivers/media/dvb-core/dmxdev.c:963 [inline]
    dvb_demux_do_ioctl+0x7a2/0x7d0 drivers/media/dvb-core/dmxdev.c:1077
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:999
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1186
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810902fd60 (size 16):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  hex dump (first 16 bytes):
    0b 4c 69 6e 75 78 54 56 2e 6f 72 67 00 00 00 00  .LinuxTV.org....
  backtrace (crc b60e4fc0):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_node_track_caller_noprof+0x47b/0x690 mm/slub.c:5768
    __kmemdup_nul mm/util.c:64 [inline]
    kstrdup+0x3c/0x80 mm/util.c:84
    vidtv_psi_service_desc_init+0x130/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:313
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:655
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:766
    dvb_dmxdev_pes_filter_set drivers/media/dvb-core/dmxdev.c:963 [inline]
    dvb_demux_do_ioctl+0x7a2/0x7d0 drivers/media/dvb-core/dmxdev.c:1077
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:999
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1186
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888145b502c0 (size 32):
  comm "syz.0.17", pid 6068, jiffies 4294944486
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 05 04 42 53 53 44 00 00  ..........BSSD..
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 168dca61):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4958 [inline]
    slab_alloc_node mm/slub.c:5263 [inline]
    __do_kmalloc_node mm/slub.c:5656 [inline]
    __kmalloc_noprof+0x465/0x680 mm/slub.c:5669
    kmalloc_noprof include/linux/slab.h:961 [inline]
    kzalloc_noprof include/linux/slab.h:1094 [inline]
    vidtv_psi_registration_desc_init+0x2d/0xd0 drivers/media/test-drivers/vidtv/vidtv_psi.c:337
    vidtv_channel_s302m_init+0x132/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:107
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:655
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:766
    dvb_dmxdev_pes_filter_set drivers/media/dvb-core/dmxdev.c:963 [inline]
    dvb_demux_do_ioctl+0x7a2/0x7d0 drivers/media/dvb-core/dmxdev.c:1077
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:999
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1186
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH] media: vidtv: fix nfeeds state corruption on start_streaming failure
  2026-02-10  4:09 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init syzbot
@ 2026-03-01 21:07 ` Ruslan Valiyev
  0 siblings, 0 replies; 2+ messages in thread
From: Ruslan Valiyev @ 2026-03-01 21:07 UTC (permalink / raw)
  To: syzbot+639ebc6ec75e96674741, Daniel W . S . Almeida,
	Mauro Carvalho Chehab
  Cc: linux-media, linux-kernel, stable, syzkaller-bugs, Ruslan Valiyev

syzbot reported a memory leak in vidtv_psi_service_desc_init [1].

When vidtv_start_streaming() fails inside vidtv_start_feed(), the
nfeeds counter is left incremented even though no feed was actually
started. This corrupts the driver state: subsequent start_feed calls
see nfeeds > 1 and skip starting the mux, while stop_feed calls
eventually try to stop a non-existent stream.

This state corruption can also lead to memory leaks, since the mux
and channel resources may be partially allocated during a failed
start_streaming but never cleaned up, as the stop path finds
dvb->streaming == false and returns early.

Fix by decrementing nfeeds back when start_streaming fails, keeping
the counter in sync with the actual number of active feeds.

[1]
BUG: memory leak
unreferenced object 0xffff888145b50820 (size 32):
 comm "syz.0.17", pid 6068, jiffies 4294944486
 backtrace (crc 90a0c7d4):
  vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
  vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
  vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
  vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518
  vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
  vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239

Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+639ebc6ec75e96674741@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=639ebc6ec75e96674741
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
---
 drivers/media/test-drivers/vidtv/vidtv_bridge.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index b6203e10e37aa..a8a76434989c2 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -237,8 +237,10 @@ static int vidtv_start_feed(struct dvb_demux_feed *feed)
 
 	if (dvb->nfeeds == 1) {
 		ret = vidtv_start_streaming(dvb);
-		if (ret < 0)
+		if (ret < 0) {
+			dvb->nfeeds--;
 			rc = ret;
+		}
 	}
 
 	mutex_unlock(&dvb->feed_lock);
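Review bot: the added `dvb->nfeeds--;` in the `if (ret < 0)` branch puts the counter back but frees nothing, so the hunk by itself does not show where the objects from the kmemleak report (allocated under vidtv_mux_init() via vidtv_channels_init()) get released. The commit message says resources "may be partially allocated during a failed start_streaming but never cleaned up"; if that is the leak, the unwind belongs in the error path of vidtv_start_streaming()/vidtv_mux_init(), and this change only addresses the follow-on counter drift. Please state in the changelog which failing step leaves the allocations behind, and confirm the fix against the reproducer with a `#syz test` run before tagging it Closes:.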
-- 
2.43.0
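The counter drift described in the commit message, as a user-space model added here (not code from the patch or from the vidtv driver). `model_dvb`, `model_start_feed`, `retry_streams` and the `fail_next` fault injection are hypothetical names; only the increment, the `nfeeds == 1` check and the rollback are modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; all names here are hypothetical, not driver code. */
struct model_dvb {
	int nfeeds;      /* feeds the bridge believes are active */
	bool streaming;  /* set only by a successful start */
	int fail_next;   /* constructed fault injection: starts left to fail */
};

static int model_start_streaming(struct model_dvb *d)
{
	if (d->fail_next > 0) {
		d->fail_next--;
		return -ENOMEM;
	}
	d->streaming = true;
	return 0;
}

/* rollback == false models the code before the patch, true the code after. */
static int model_start_feed(struct model_dvb *d, bool rollback)
{
	int ret = 0;

	d->nfeeds++;
	if (d->nfeeds == 1) {
		ret = model_start_streaming(d);
		if (ret < 0 && rollback)
			d->nfeeds--;
	}
	return ret;
}

/* One failed start followed by a retry: does the retry reach streaming? */
static bool retry_streams(bool rollback, int *nfeeds_out)
{
	struct model_dvb d = { .fail_next = 1 };

	model_start_feed(&d, rollback);  /* first feed: start fails */
	model_start_feed(&d, rollback);  /* second feed: should start the mux */
	*nfeeds_out = d.nfeeds;
	return d.streaming;
}
int main(void)
{
	int n, s = retry_streams(false, &n);
	printf("before patch: nfeeds=%d streaming=%d\n", n, s);
	s = retry_streams(true, &n);
	printf("after patch:  nfeeds=%d streaming=%d\n", n, s);
	return 0;
}
```

Without the rollback the retry leaves `nfeeds` at 2 with nothing streaming; with it the retry is the first feed again and starts the stream.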

