* [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init
@ 2026-04-06 20:04 syzbot
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: syzbot @ 2026-04-06 20:04 UTC (permalink / raw)
To: dwlsalmeida, linux-kernel, linux-media, mchehab, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 591cd656a1bf Linux 7.0-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ca55da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127ad46a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16cf33da580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b8983945f60/disk-591cd656.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a97f51ce06d9/vmlinux-591cd656.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e945a74880b8/bzImage-591cd656.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff8881145cb200 (size 64):
comm "syz.0.17", pid 6104, jiffies 4294941873
hex dump (first 32 bytes):
0b 4c 75 64 77 69 67 20 76 61 6e 20 42 65 65 74 .Ludwig van Beet
68 6f 76 65 6e 3a 20 46 fc 72 20 45 6c 69 73 65 hoven: F.r Elise
backtrace (crc 6d5386ce):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x3e0/0x5d0 mm/slub.c:5368
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
vidtv_psi_short_event_desc_init+0x1f0/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:467
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888127ff87a0 (size 32):
comm "syz.0.17", pid 6104, jiffies 4294941873
hex dump (first 32 bytes):
08 80 fd 80 1b e0 83 ff 27 81 88 ff ff 00 00 00 ........'.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 52407852):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_sdt_service_init+0x32/0xa0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1441
vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:229 [inline]
vidtv_channel_si_init+0x230/0x750 drivers/media/test-drivers/vidtv/vidtv_channel.c:435
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888127ff83e0 (size 32):
comm "syz.0.17", pid 6104, jiffies 4294941873
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 19 02 0c 50 85 36 11 ........H...P.6.
81 88 ff ff 0a b0 82 36 11 81 88 ff ff 00 00 00 .......6........
backtrace (crc e8912ca1):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288
vidtv_psi_desc_clone+0x137/0x160 drivers/media/test-drivers/vidtv/vidtv_psi.c:506
vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:236 [inline]
vidtv_channel_si_init+0x1d8/0x750 drivers/media/test-drivers/vidtv/vidtv_channel.c:435
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888127ff81a0 (size 32):
comm "syz.0.17", pid 6104, jiffies 4294941873
hex dump (first 32 bytes):
00 01 ee d0 18 00 00 23 59 59 80 8d 80 b0 6f 14 .......#YY....o.
81 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 79354a12):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_eit_event_init+0x6d/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1983
vidtv_channel_eit_event_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:182 [inline]
vidtv_channel_si_init+0x31b/0x750 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init
2026-04-06 20:04 [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init syzbot
@ 2026-04-12 13:11 ` Jose A. Perez de Azpillaga
2026-04-12 14:55 ` syzbot
2026-04-12 16:20 ` Jose A. Perez de Azpillaga
2026-04-12 18:25 ` [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure Jose A. Perez de Azpillaga
2 siblings, 1 reply; 6+ messages in thread
From: Jose A. Perez de Azpillaga @ 2026-04-12 13:11 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, linux-media, syzkaller-bugs
#syz test
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index a8a76434989c..61186d219b7b 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -543,6 +543,11 @@ static void vidtv_bridge_remove(struct platform_device *pdev)
dvb = platform_get_drvdata(pdev);
+ mutex_lock(&dvb->feed_lock);
+ if (dvb->streaming)
+ vidtv_stop_streaming(dvb);
+ mutex_unlock(&dvb->feed_lock);
+
#ifdef CONFIG_MEDIA_CONTROLLER_DVB
media_device_unregister(&dvb->mdev);
media_device_cleanup(&dvb->mdev);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
@ 2026-04-12 14:55 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-04-12 14:55 UTC (permalink / raw)
To: azpijr, linux-kernel, linux-media, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in vidtv_psi_short_event_desc_init
BUG: memory leak
unreferenced object 0xffff88812bb30d00 (size 64):
comm "syz.0.17", pid 6713, jiffies 4294945608
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 4d 8b 98 d9 e0 09 81 88 ........M.......
ff ff 20 40 d8 7a 14 81 88 ff ff 66 00 23 c3 14 .. @.z.....f.#..
backtrace (crc 3cb0610c):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_short_event_desc_init+0x9e/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:444
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888109e0d998 (size 8):
comm "syz.0.17", pid 6713, jiffies 4294945608
hex dump (first 8 bytes):
65 6e 67 00 00 00 00 00 eng.....
backtrace (crc 5673a685):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x3e0/0x5d0 mm/slub.c:5368
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
vidtv_psi_short_event_desc_init+0xf3/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:462
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff8881147ad840 (size 64):
comm "syz.0.17", pid 6713, jiffies 4294945608
hex dump (first 32 bytes):
0b 4c 75 64 77 69 67 20 76 61 6e 20 42 65 65 74 .Ludwig van Beet
68 6f 76 65 6e 3a 20 46 fc 72 20 45 6c 69 73 65 hoven: F.r Elise
backtrace (crc 6d5386ce):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__do_kmalloc_node mm/slub.c:5259 [inline]
__kmalloc_node_track_caller_noprof+0x3e0/0x5d0 mm/slub.c:5368
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
vidtv_psi_short_event_desc_init+0x1f0/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:467
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88812a3536e0 (size 32):
comm "syz.0.17", pid 6713, jiffies 4294945608
hex dump (first 32 bytes):
08 80 fd 80 1b e0 30 35 2a 81 88 ff ff 00 00 00 ......05*.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 47116e02):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4543 [inline]
slab_alloc_node mm/slub.c:4866 [inline]
__kmalloc_cache_noprof+0x377/0x480 mm/slub.c:5375
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_sdt_service_init+0x32/0xa0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1441
vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:229 [inline]
vidtv_channel_si_init+0x230/0x750 drivers/media/test-drivers/vidtv/vidtv_channel.c:435
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
Tested on:
commit: f5459048 Merge tag 'i2c-for-7.0-final' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ce1036580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=11dcdcd2580000
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init
2026-04-06 20:04 [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init syzbot
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
@ 2026-04-12 16:20 ` Jose A. Perez de Azpillaga
2026-04-12 17:13 ` syzbot
2026-04-12 18:25 ` [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure Jose A. Perez de Azpillaga
2 siblings, 1 reply; 6+ messages in thread
From: Jose A. Perez de Azpillaga @ 2026-04-12 16:20 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, linux-media, syzkaller-bugs
#syz test
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..fdd9fa5cc24c 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -901,8 +901,14 @@ static int dvb_dmxdev_add_pid(struct dmxdev *dmxdev,
feed->pid = pid;
list_add(&feed->next, &filter->feed.ts);
- if (filter->state >= DMXDEV_STATE_GO)
- return dvb_dmxdev_start_feed(dmxdev, filter, feed);
+ if (filter->state >= DMXDEV_STATE_GO) {
+ int ret = dvb_dmxdev_start_feed(dmxdev, filter, feed);
+ if (ret < 0) {
+ list_del(&feed->next);
+ kfree(feed);
+ }
+ return ret;
+ }
return 0;
}
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init
2026-04-12 16:20 ` Jose A. Perez de Azpillaga
@ 2026-04-12 17:13 ` syzbot
0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2026-04-12 17:13 UTC (permalink / raw)
To: azpijr, linux-kernel, linux-media, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Tested on:
commit: f5459048 Merge tag 'i2c-for-7.0-final' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=169f9b02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2bba615ee79faa5
dashboard link: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=16111036580000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure
2026-04-06 20:04 [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init syzbot
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
2026-04-12 16:20 ` Jose A. Perez de Azpillaga
@ 2026-04-12 18:25 ` Jose A. Perez de Azpillaga
2 siblings, 0 replies; 6+ messages in thread
From: Jose A. Perez de Azpillaga @ 2026-04-12 18:25 UTC (permalink / raw)
To: syzbot; +Cc: dwlsalmeida, linux-kernel, linux-media, mchehab, syzkaller-bugs
When dvb_dmxdev_add_pid() adds a new dmxdev_feed to the filter's ts list
and then dvb_dmxdev_start_feed() fails, the function returns the error
code but leaves the orphaned feed entry in the list without cleaning up.
Fix this by removing the orphaned feed from the list and freeing it when
dvb_dmxdev_start_feed() fails in dvb_dmxdev_add_pid().
Fixes: 1cb662a31449 ("V4L/DVB (12275): Add two new ioctls: DMX_ADD_PID and DMX_REMOVE_PID")
Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Signed-off-by: Jose A. Perez de Azpillaga <azpijr@gmail.com>
---
drivers/media/dvb-core/dmxdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..401a0cbb4138 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -901,8 +901,15 @@ static int dvb_dmxdev_add_pid(struct dmxdev *dmxdev,
feed->pid = pid;
list_add(&feed->next, &filter->feed.ts);
- if (filter->state >= DMXDEV_STATE_GO)
- return dvb_dmxdev_start_feed(dmxdev, filter, feed);
+ if (filter->state >= DMXDEV_STATE_GO) {
+ int ret = dvb_dmxdev_start_feed(dmxdev, filter, feed);
+
+ if (ret < 0) {
+ list_del(&feed->next);
+ kfree(feed);
+ }
+ return ret;
+ }
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-12 18:25 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-06 20:04 [syzbot] [media?] memory leak in vidtv_psi_short_event_desc_init syzbot
2026-04-12 13:11 ` Jose A. Perez de Azpillaga
2026-04-12 14:55 ` syzbot
2026-04-12 16:20 ` Jose A. Perez de Azpillaga
2026-04-12 17:13 ` syzbot
2026-04-12 18:25 ` [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure Jose A. Perez de Azpillaga
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox