[syzbot] [media?] memory leak in vidtv_psi_service_desc

All of lore.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2)
@ 2026-05-26  2:49 syzbot
  2026-05-26  9:29 ` Forwarded: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone syzbot
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: syzbot @ 2026-05-26  2:49 UTC (permalink / raw)
  To: dwlsalmeida, linux-kernel, linux-media, mchehab, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    45255ea1ca09 Merge tag 'pm-7.1-rc5' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13350d36580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d834308256412d7e
dashboard link: https://syzkaller.appspot.com/bug?extid=acc3b75c010446ad403f
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17350d36580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13dd9c2e580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4022925bca8d/disk-45255ea1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4a3b4dcf6879/vmlinux-45255ea1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5e129f2050a7/bzImage-45255ea1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881296e58e0 (size 32):
  comm "syz.0.17", pid 5909, jiffies 4294944348
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 19 02 0c e0 22 7d 29  ........H...."})
    81 88 ff ff 0a 40 29 7d 29 81 88 ff ff 00 00 00  .....@)}).......
  backtrace (crc c5dd16e3):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:233
    vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
    dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e58c0 (size 32):
  comm "syz.0.17", pid 5909, jiffies 4294944348
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 05 04 42 53 53 44 00 00  ..........BSSD..
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 168dca61):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __do_kmalloc_node mm/slub.c:5295 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5308
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    vidtv_psi_registration_desc_init+0x2d/0xd0 drivers/media/test-drivers/vidtv/vidtv_psi.c:282
    vidtv_channel_s302m_init+0x132/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:107
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
    dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812bfbd4f0 (size 8):
  comm "syz.0.17", pid 5909, jiffies 4294944348
  hex dump (first 8 bytes):
    65 6e 67 00 00 00 00 00                          eng.....
  backtrace (crc 5673a685):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __do_kmalloc_node mm/slub.c:5295 [inline]
    __kmalloc_node_track_caller_noprof+0x3da/0x5c0 mm/slub.c:5408
    __kmemdup_nul mm/util.c:64 [inline]
    kstrdup+0x3c/0x80 mm/util.c:84
    vidtv_psi_short_event_desc_init+0xf3/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:407
    vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
    vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
    vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
    dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e5740 (size 32):
  comm "syz.0.17", pid 5909, jiffies 4294944348
  hex dump (first 32 bytes):
    08 80 fd 80 1b 60 57 6e 29 81 88 ff ff 00 00 00  .....`Wn).......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc e829a286):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    vidtv_psi_sdt_service_init+0x32/0xa0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1386
    vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:229 [inline]
    vidtv_channel_si_init+0x22f/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
    vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
    dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e5760 (size 32):
  comm "syz.0.17", pid 5909, jiffies 4294944348
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 19 02 0c 30 29 7d 29  ........H...0)})
    81 88 ff ff 0a a0 9c 8e 14 81 88 ff ff 00 00 00  ................
  backtrace (crc 2fbc9cf9):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:233
    vidtv_psi_desc_clone+0x137/0x160 drivers/media/test-drivers/vidtv/vidtv_psi.c:451
    vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:236 [inline]
    vidtv_channel_si_init+0x1d7/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
    vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
    vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
    vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
    dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
    dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
    dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
    dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
    dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
    dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Forwarded: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone
  2026-05-26  2:49 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2) syzbot
@ 2026-05-26  9:29 ` syzbot
  2026-05-26 10:04 ` Forwarded: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure syzbot
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-26  9:29 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone
Author: zhanghaotian@uniontech.com

Fix a memory leak in vidtv_psi_desc_clone() where partially cloned
descriptors are leaked on allocation failure, and fix error handling
in channel SI init functions for potential use-after-free.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

zhanghaotian (2):
  media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation
    failure
  media: vidtv: fix error handling in channel SI init functions

 .../media/test-drivers/vidtv/vidtv_channel.c  | 55 +++++++++++++------
 drivers/media/test-drivers/vidtv/vidtv_psi.c  |  8 ++-
 2 files changed, 45 insertions(+), 18 deletions(-)

-- 
2.30.2


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Forwarded: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure
  2026-05-26  2:49 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2) syzbot
  2026-05-26  9:29 ` Forwarded: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone syzbot
@ 2026-05-26 10:04 ` syzbot
  2026-05-26 10:04 ` Forwarded: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions syzbot
  2026-05-26 12:49 ` Forwarded: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove syzbot
  3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-26 10:04 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure
Author: zhanghaotian@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

vidtv_psi_desc_clone() builds a linked list of cloned descriptors by
calling descriptor init functions (e.g. vidtv_psi_service_desc_init())
that chain new entries into the accumulated "head" via
vidtv_psi_desc_chain().  When any init function or kmemdup() fails
inside the while loop, the function returns NULL without freeing the
already-built portion of head, leaking memory.

Fix this by calling vidtv_psi_desc_destroy(head) before returning NULL
in both failure paths.

Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhanghaotian@uniontech.com>
---
 drivers/media/test-drivers/vidtv/vidtv_psi.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_psi.c b/drivers/media/test-drivers/vidtv/vidtv_psi.c
index 1b6225d65..7f38011ae 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_psi.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_psi.c
@@ -481,11 +481,11 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
 		default:
 			curr = kmemdup(desc, sizeof(*desc) + desc->length, GFP_KERNEL);
 			if (!curr)
-				return NULL;
+				goto free_head;
 		}
 
 		if (!curr)
-			return NULL;
+			goto free_head;
 
 		curr->next = NULL;
 		if (!head)
@@ -498,6 +498,10 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
 	}
 
 	return head;
+
+free_head:
+	vidtv_psi_desc_destroy(head);
+	return NULL;
 }
 
 void vidtv_psi_desc_destroy(struct vidtv_psi_desc *desc)
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Forwarded: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions
  2026-05-26  2:49 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2) syzbot
  2026-05-26  9:29 ` Forwarded: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone syzbot
  2026-05-26 10:04 ` Forwarded: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure syzbot
@ 2026-05-26 10:04 ` syzbot
  2026-05-26 12:49 ` Forwarded: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove syzbot
  3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-26 10:04 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions
Author: zhanghaotian@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Several functions in vidtv_channel.c have error paths that can lead to
memory leaks or use-after-free when vidtv_psi_desc_clone() fails:

1. vidtv_channel_sdt_serv_cat_into_new(): passes the accumulated "tail"
   pointer to vidtv_psi_sdt_service_init() which chains the new service
   before vidtv_psi_desc_clone() is called.  If cloning then fails, the
   "free_tail" error path destroys tail while head->next still points
   to the freed memory, causing a use-after-free when "free" later
   destroys head.

2. vidtv_channel_eit_event_cat_into_new(): silently ignores a NULL
   return from vidtv_psi_desc_clone(), creating an EIT event with no
   descriptor.

3. vidtv_channel_pmt_match_sections(): silently ignores a NULL return
   from vidtv_psi_desc_clone(), creating a PMT stream with no
   descriptor.

Fix all three by creating new entries without auto-chaining (passing
NULL as head), cloning before chaining, and checking the clone return
value.

Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhanghaotian@uniontech.com>
---
 .../media/test-drivers/vidtv/vidtv_channel.c  | 55 +++++++++++++------
 1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index 5f8c3af87..dee782d63 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -163,6 +163,7 @@ static struct vidtv_psi_table_eit_event
 	struct vidtv_psi_table_eit_event *curr = NULL;
 	struct vidtv_psi_table_eit_event *head = NULL;
 	struct vidtv_psi_table_eit_event *tail = NULL;
+	struct vidtv_psi_table_eit_event *new_event = NULL;
 	struct vidtv_psi_desc *desc = NULL;
 	u16 event_id;
 
@@ -179,17 +180,25 @@ static struct vidtv_psi_table_eit_event
 
 		while (curr) {
 			event_id = be16_to_cpu(curr->event_id);
-			tail = vidtv_psi_eit_event_init(tail, event_id);
-			if (!tail) {
+			new_event = vidtv_psi_eit_event_init(NULL, event_id);
+			if (!new_event) {
 				vidtv_psi_eit_event_destroy(head);
 				return NULL;
 			}
 
 			desc = vidtv_psi_desc_clone(curr->descriptor);
-			vidtv_psi_desc_assign(&tail->descriptor, desc);
+			if (!desc) {
+				vidtv_psi_eit_event_destroy(new_event);
+				vidtv_psi_eit_event_destroy(head);
+				return NULL;
+			}
+			vidtv_psi_desc_assign(&new_event->descriptor, desc);
 
 			if (!head)
-				head = tail;
+				head = new_event;
+			else
+				tail->next = new_event;
+			tail = new_event;
 
 			curr = curr->next;
 		}
@@ -209,6 +218,7 @@ static struct vidtv_psi_table_sdt_service
 	struct vidtv_psi_table_sdt_service *curr = NULL;
 	struct vidtv_psi_table_sdt_service *head = NULL;
 	struct vidtv_psi_table_sdt_service *tail = NULL;
+	struct vidtv_psi_table_sdt_service *new_service = NULL;
 
 	struct vidtv_psi_desc *desc = NULL;
 	u16 service_id;
@@ -226,20 +236,25 @@ static struct vidtv_psi_table_sdt_service
 
 		while (curr) {
 			service_id = be16_to_cpu(curr->service_id);
-			tail = vidtv_psi_sdt_service_init(tail,
+			new_service = vidtv_psi_sdt_service_init(NULL,
 							  service_id,
 							  curr->EIT_schedule,
 							  curr->EIT_present_following);
-			if (!tail)
+			if (!new_service)
 				goto free;
 
 			desc = vidtv_psi_desc_clone(curr->descriptor);
-			if (!desc)
-				goto free_tail;
-			vidtv_psi_desc_assign(&tail->descriptor, desc);
+			if (!desc) {
+				vidtv_psi_sdt_service_destroy(new_service);
+				goto free;
+			}
+			vidtv_psi_desc_assign(&new_service->descriptor, desc);
 
 			if (!head)
-				head = tail;
+				head = new_service;
+			else
+				tail->next = new_service;
+			tail = new_service;
 
 			curr = curr->next;
 		}
@@ -249,8 +264,6 @@ static struct vidtv_psi_table_sdt_service
 
 	return head;
 
-free_tail:
-	vidtv_psi_sdt_service_destroy(tail);
 free:
 	vidtv_psi_sdt_service_destroy(head);
 	return NULL;
@@ -333,12 +346,14 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
 
 			/* we got a match */
 			if (curr_id == cur_chnl->program_num) {
+				struct vidtv_psi_table_pmt_stream *prev = NULL;
+
 				s = cur_chnl->streams;
 
 				/* clone the streams for the PMT */
 				while (s) {
 					e_pid = vidtv_psi_pmt_stream_get_elem_pid(s);
-					tail = vidtv_psi_pmt_stream_init(tail,
+					tail = vidtv_psi_pmt_stream_init(NULL,
 									 s->type,
 									 e_pid);
 					if (!tail) {
@@ -346,13 +361,21 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
 						return;
 					}
 
-					if (!head)
-						head = tail;
-
 					desc = vidtv_psi_desc_clone(s->descriptor);
+					if (!desc) {
+						vidtv_psi_pmt_stream_destroy(tail);
+						vidtv_psi_pmt_stream_destroy(head);
+						return;
+					}
 					vidtv_psi_desc_assign(&tail->descriptor,
 							      desc);
 
+					if (!head)
+						head = tail;
+					if (prev)
+						prev->next = tail;
+					prev = tail;
+
 					s = s->next;
 				}
 
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Forwarded: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove
  2026-05-26  2:49 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2) syzbot
                   ` (2 preceding siblings ...)
  2026-05-26 10:04 ` Forwarded: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions syzbot
@ 2026-05-26 12:49 ` syzbot
  3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-05-26 12:49 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove
Author: zhanghaotian@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

The vidtv driver relies on stop_feed being called via the dmxdev file
close path to trigger vidtv_stop_streaming() which destroys the mux.
However, if the DVB core close path does not reach stop_filtering
(e.g. due to race conditions), the entire mux and all channel
descriptors are permanently leaked.

Fix this by proactively stopping streaming and destroying the mux in
vidtv_bridge_remove(), before releasing the dmxdev and dmx resources.
Use the existing feed_lock mutex to synchronize with any concurrent
stop_feed callback.  After cleaning up the mux, set dvb->streaming to
false and dvb->mux to NULL so any subsequent stop_feed will return
early safely.

Also fix a pre-existing bug where mutex_destroy(&dvb->feed_lock) was
called before dvb_dmxdev_release(), which could cause vidtv_stop_feed
to operate on a destroyed mutex if the fd close path races with module
removal.

Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhanghaotian@uniontech.com>
---
 drivers/media/test-drivers/vidtv/vidtv_bridge.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index a8a76434989c..3ea8cc04571d 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -548,7 +548,13 @@ static void vidtv_bridge_remove(struct platform_device *pdev)
 	media_device_cleanup(&dvb->mdev);
 #endif /* CONFIG_MEDIA_CONTROLLER_DVB */

-	mutex_destroy(&dvb->feed_lock);
+	mutex_lock(&dvb->feed_lock);
+	if (dvb->streaming) {
+		dvb->streaming = false;
+		vidtv_mux_destroy(dvb->mux);
+		dvb->mux = NULL;
+	}
+	mutex_unlock(&dvb->feed_lock);

 	for (i = 0; i < NUM_FE; ++i) {
 		dvb_unregister_frontend(dvb->fe[i]);
@@ -559,6 +565,8 @@ static void vidtv_bridge_remove(struct platform_device *pdev)
 	dvb_dmxdev_release(&dvb->dmx_dev);
 	dvb_dmx_release(&dvb->demux);
 	dvb_unregister_adapter(&dvb->adapter);
+
+	mutex_destroy(&dvb->feed_lock);
 	dev_info(&pdev->dev, "Successfully removed vidtv\n");
 }

-- 
2.30.2

^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-05-26 12:49 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-26  2:49 [syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2) syzbot
2026-05-26  9:29 ` Forwarded: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone syzbot
2026-05-26 10:04 ` Forwarded: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure syzbot
2026-05-26 10:04 ` Forwarded: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions syzbot
2026-05-26 12:49 ` Forwarded: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove syzbot

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.