From: "Jose A. Perez de Azpillaga" <azpijr@gmail.com>
To: syzbot <syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com>
Cc: dwlsalmeida@gmail.com, linux-kernel@vger.kernel.org,
linux-media@vger.kernel.org, mchehab@kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure
Date: Sun, 12 Apr 2026 20:25:51 +0200 [thread overview]
Message-ID: <advi5yTDwVkRTpV5@gmail.com> (raw)
In-Reply-To: <69d411c9.a70a0220.a26f2.003e.GAE@google.com>
When dvb_dmxdev_add_pid() adds a new dmxdev_feed to the filter's ts list
and then dvb_dmxdev_start_feed() fails, the function returns the error
code but leaves the orphaned feed entry in the list without cleaning up.
Fix this by removing the orphaned feed from the list and freeing it when
dvb_dmxdev_start_feed() fails in dvb_dmxdev_add_pid().
Fixes: 1cb662a31449 ("V4L/DVB (12275): Add two new ioctls: DMX_ADD_PID and DMX_REMOVE_PID")
Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Signed-off-by: Jose A. Perez de Azpillaga <azpijr@gmail.com>
---
drivers/media/dvb-core/dmxdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..401a0cbb4138 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -901,8 +901,15 @@ static int dvb_dmxdev_add_pid(struct dmxdev *dmxdev,
feed->pid = pid;
list_add(&feed->next, &filter->feed.ts);
- if (filter->state >= DMXDEV_STATE_GO)
- return dvb_dmxdev_start_feed(dmxdev, filter, feed);
+ if (filter->state >= DMXDEV_STATE_GO) {
+ int ret = dvb_dmxdev_start_feed(dmxdev, filter, feed);
+
+ if (ret < 0) {
+ list_del(&feed->next);
+ kfree(feed);
+ }
+ return ret;
+ }
return 0;
}
--
2.53.0
prev parent reply other threads:[~2026-04-12 18:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-06 20:04 [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init syzbot
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
2026-04-12 14:55 ` syzbot
2026-04-12 16:20 ` Jose A. Perez de Azpillaga
2026-04-12 17:13 ` syzbot
2026-04-12 18:25 ` Jose A. Perez de Azpillaga [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=advi5yTDwVkRTpV5@gmail.com \
--to=azpijr@gmail.com \
--cc=dwlsalmeida@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox