From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com,
Ruslan Valiyev <linuxoid@gmail.com>,
Hans Verkuil <hverkuil+cisco@kernel.org>
Subject: [PATCH 7.0 44/76] media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
Date: Mon, 20 Apr 2026 17:41:55 +0200 [thread overview]
Message-ID: <20260420153912.429789524@linuxfoundation.org> (raw)
In-Reply-To: <20260420153910.810034134@linuxfoundation.org>
7.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit f8e1fc918a9fe67103bcda01d20d745f264d00a7 upstream.
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation
failure, but vidtv_channel_pmt_match_sections() does not check for
this. When tail is NULL, the subsequent call to
vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL
pointer offset, causing a general protection fault.
Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean
up the already-allocated stream chain and return.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
Call Trace:
<TASK>
vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -341,6 +341,10 @@ vidtv_channel_pmt_match_sections(struct
tail = vidtv_psi_pmt_stream_init(tail,
s->type,
e_pid);
+ if (!tail) {
+ vidtv_psi_pmt_stream_destroy(head);
+ return;
+ }
if (!head)
head = tail;
next prev parent reply other threads:[~2026-04-20 15:45 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 15:41 [PATCH 7.0 00/76] 7.0.1-rc1 review Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 01/76] nfc: llcp: add missing return after LLCP_CLOSED checks Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 02/76] x86/CPU: Fix FPDSS on Zen1 Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 03/76] can: raw: fix ro->uniq use-after-free in raw_rcv() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 04/76] i2c: s3c24xx: check the size of the SMBUS message before using it Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 05/76] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 06/76] HID: alps: fix NULL pointer dereference in alps_raw_event() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 07/76] HID: core: clamp report_size in s32ton() to avoid undefined shift Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 08/76] net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 09/76] NFC: digital: Bounds check NFC-A cascade depth in SDD response handler Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 10/76] drm/vc4: platform_get_irq_byname() returns an int Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 11/76] bnge: return after auxiliary_device_uninit() in error path Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 12/76] ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0 Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 13/76] ALSA: fireworks: bound device-supplied status before string array lookup Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 14/76] fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 15/76] usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 16/76] usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 17/76] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 18/76] smb: client: fix off-by-8 bounds check in check_wsl_eas() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 19/76] smb: client: fix OOB reads parsing symlink error response Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 20/76] ksmbd: validate EaNameLength in smb2_get_ea() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 21/76] ksmbd: require 3 sub-authorities before reading sub_auth[2] Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 22/76] ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 23/76] smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 24/76] smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 25/76] usbip: validate number_of_packets in usbip_pack_ret_submit() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 26/76] usb: typec: fusb302: Switch to threaded IRQ handler Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 27/76] usb: storage: Expand range of matched versions for VL817 quirks entry Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 28/76] USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 29/76] usb: gadget: f_hid: dont call cdev_init while cdev in use Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 30/76] usb: port: add delay after usb_hub_set_port_power() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 31/76] fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 32/76] scripts/gdb/symbols: handle module path parameters Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 33/76] scripts: generate_rust_analyzer.py: avoid FD leak Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 34/76] wifi: rtw88: fix device leak on probe failure Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 35/76] staging: sm750fb: fix division by zero in ps_to_hz() Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 36/76] selftests/mm: hmm-tests: dont hardcode THP size to 2MB Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 37/76] USB: serial: option: add Telit Cinterion FN990A MBIM composition Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 38/76] Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 39/76] Docs/admin-guide/mm/damon/lru_sort: " Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 40/76] ALSA: ctxfi: Limit PTP to a single page Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 41/76] dcache: Limit the minimal number of bucket to two Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 42/76] vfio/xe: Reorganize the init to decouple migration from reset Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 43/76] arm64: mm: Handle invalid large leaf mappings correctly Greg Kroah-Hartman
2026-04-20 15:41 ` Greg Kroah-Hartman [this message]
2026-04-20 15:41 ` [PATCH 7.0 45/76] ocfs2: fix possible deadlock between unlink and dio_end_io_write Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 46/76] ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 47/76] ocfs2: handle invalid dinode in ocfs2_group_extend Greg Kroah-Hartman
2026-04-20 15:41 ` [PATCH 7.0 48/76] PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 49/76] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 50/76] KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES migrate test Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 51/76] KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 52/76] KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 53/76] KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 54/76] KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 55/76] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 56/76] mm: call ->free_folio() directly in folio_unmap_invalidate() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 57/76] checkpatch: add support for Assisted-by tag Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 58/76] x86-64: rename misleadingly named __copy_user_nocache() function Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 59/76] x86: rename and clean up __copy_from_user_inatomic_nocache() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 60/76] x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 61/76] KVM: x86: Use scratch field in MMIO fragment to hold small write values Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 62/76] ASoC: qcom: q6apm: move component registration to unmanaged version Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 63/76] mm/kasan: fix double free for kasan pXds Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 64/76] mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 65/76] media: vidtv: fix nfeeds state corruption on start_streaming failure Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 66/76] media: mediatek: vcodec: fix use-after-free in encoder release path Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 67/76] media: em28xx: fix use-after-free in em28xx_v4l2_open() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 68/76] hwmon: (powerz) Fix use-after-free on USB disconnect Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 69/76] ALSA: 6fire: fix use-after-free on disconnect Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 70/76] bcache: fix cached_dev.sb_bio use-after-free and crash Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 71/76] wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 72/76] media: as102: fix to not free memory after the device is registered in as102_usb_probe() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 73/76] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 74/76] media: vidtv: fix pass-by-value structs causing MSAN warnings Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 75/76] media: hackrf: fix to not free memory after the device is registered in hackrf_probe() Greg Kroah-Hartman
2026-04-20 15:42 ` [PATCH 7.0 76/76] mm/userfaultfd: fix hugetlb fault mutex hash calculation Greg Kroah-Hartman
2026-04-20 17:32 ` [PATCH 7.0 00/76] 7.0.1-rc1 review Ronald Warsow
2026-04-20 18:17 ` Florian Fainelli
2026-04-20 21:58 ` Luna Jernberg
2026-04-20 22:28 ` Peter Schneider
2026-04-20 23:08 ` Takeshi Ogasawara
2026-04-21 6:52 ` Ron Economos
2026-04-21 8:09 ` Brett A C Sheffield
2026-04-21 10:22 ` Miguel Ojeda
2026-04-21 16:45 ` Shuah Khan
2026-04-21 16:47 ` Josh Law
2026-04-21 20:04 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420153912.429789524@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hverkuil+cisco@kernel.org \
--cc=linuxoid@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox