[syzbot] [media?] memory leak in vidtv_psi_service_desc_init (2)

3 views

Skip to first unread message

syzbot

unread,

May 25, 2026, 10:49:24 PM (10 hours ago) May 25

to dwlsa...@gmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: 45255ea1ca09 Merge tag 'pm-7.1-rc5' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13350d36580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d834308256412d7e
dashboard link: https://syzkaller.appspot.com/bug?extid=acc3b75c010446ad403f
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17350d36580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13dd9c2e580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4022925bca8d/disk-45255ea1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4a3b4dcf6879/vmlinux-45255ea1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5e129f2050a7/bzImage-45255ea1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+acc3b7...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881296e58e0 (size 32):
comm "syz.0.17", pid 5909, jiffies 4294944348
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 19 02 0c e0 22 7d 29 ........H...."})
81 88 ff ff 0a 40 29 7d 29 81 88 ff ff 00 00 00 .....@)}).......
backtrace (crc c5dd16e3):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:233
vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e58c0 (size 32):
comm "syz.0.17", pid 5909, jiffies 4294944348
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 05 04 42 53 53 44 00 00 ..........BSSD..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 168dca61):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5308
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_registration_desc_init+0x2d/0xd0 drivers/media/test-drivers/vidtv/vidtv_psi.c:282
vidtv_channel_s302m_init+0x132/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:107
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812bfbd4f0 (size 8):
comm "syz.0.17", pid 5909, jiffies 4294944348
hex dump (first 8 bytes):
65 6e 67 00 00 00 00 00 eng.....
backtrace (crc 5673a685):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_node_track_caller_noprof+0x3da/0x5c0 mm/slub.c:5408
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
vidtv_psi_short_event_desc_init+0xf3/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:407
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e5740 (size 32):
comm "syz.0.17", pid 5909, jiffies 4294944348
hex dump (first 32 bytes):
08 80 fd 80 1b 60 57 6e 29 81 88 ff ff 00 00 00 .....`Wn).......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc e829a286):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_sdt_service_init+0x32/0xa0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1386
vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:229 [inline]
vidtv_channel_si_init+0x22f/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881296e5760 (size 32):
comm "syz.0.17", pid 5909, jiffies 4294944348
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 19 02 0c 30 29 7d 29 ........H...0)})
81 88 ff ff 0a a0 9c 8e 14 81 88 ff ff 00 00 00 ................
backtrace (crc 2fbc9cf9):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:233
vidtv_psi_desc_clone+0x137/0x160 drivers/media/test-drivers/vidtv/vidtv_psi.c:451
vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:236 [inline]
vidtv_channel_si_init+0x1d7/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

unread,

5:29 AM (3 hours ago) 5:29 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH 0/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone
Author: zhangh...@uniontech.com

Fix a memory leak in vidtv_psi_desc_clone() where partially cloned
descriptors are leaked on allocation failure, and fix error handling
in channel SI init functions for potential use-after-free.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

zhanghaotian (2):
media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation
failure
media: vidtv: fix error handling in channel SI init functions

.../media/test-drivers/vidtv/vidtv_channel.c | 55 +++++++++++++------
drivers/media/test-drivers/vidtv/vidtv_psi.c | 8 ++-
2 files changed, 45 insertions(+), 18 deletions(-)

--
2.30.2

syzbot

unread,

5:51 AM (3 hours ago) 5:51 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com, zhangh...@uniontech.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in vidtv_psi_service_desc_init

BUG: memory leak
unreferenced object 0xffff88811c520800 (size 32):
comm "syz.0.17", pid 6622, jiffies 4294946916

hex dump (first 32 bytes):

00 00 00 00 00 00 00 00 48 19 02 0c 90 bb 57 13 ........H.....W.
81 88 ff ff 0a c0 bf 57 13 81 88 ff ff 00 00 00 .......W........
backtrace (crc a194b084):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:233
vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811c520540 (size 32):
comm "syz.0.17", pid 6622, jiffies 4294946916

do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff8881293214c0 (size 64):
comm "syz.0.17", pid 6622, jiffies 4294946916

hex dump (first 32 bytes):

00 00 00 00 00 00 00 00 4d 8b 78 c2 28 2a 81 88 ........M.x.(*..
ff ff 20 00 de 3c 2a 81 88 ff ff 66 00 dc 32 29 .. ..<*....f..2)
backtrace (crc a9593571):

vidtv_psi_short_event_desc_init+0x9e/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:389

vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:528
vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88812a3cde00 (size 64):
comm "syz.0.17", pid 6622, jiffies 4294946916

hex dump (first 32 bytes):

0b 4c 75 64 77 69 67 20 76 61 6e 20 42 65 65 74 .Ludwig van Beet
68 6f 76 65 6e 3a 20 46 fc 72 20 45 6c 69 73 65 hoven: F.r Elise
backtrace (crc 6d5386ce):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_node_track_caller_noprof+0x3da/0x5c0 mm/slub.c:5408
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84

vidtv_psi_short_event_desc_init+0x1f0/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:412

do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

Tested on:

commit: e8c2f9fd Merge tag 'for-7.1/hpfs-fixes' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1262c62e580000

kernel config: https://syzkaller.appspot.com/x/.config?x=d834308256412d7e
dashboard link: https://syzkaller.appspot.com/bug?extid=acc3b75c010446ad403f
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Note: no patches were applied.

syzbot

unread,

6:04 AM (3 hours ago) 6:04 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH 1/2] media: vidtv: fix memory leak in vidtv_psi_desc_clone() on allocation failure
Author: zhangh...@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

vidtv_psi_desc_clone() builds a linked list of cloned descriptors by
calling descriptor init functions (e.g. vidtv_psi_service_desc_init())
that chain new entries into the accumulated "head" via
vidtv_psi_desc_chain(). When any init function or kmemdup() fails
inside the while loop, the function returns NULL without freeing the
already-built portion of head, leaking memory.

Fix this by calling vidtv_psi_desc_destroy(head) before returning NULL
in both failure paths.

Reported-by: syzbot+acc3b7...@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhangh...@uniontech.com>
---
drivers/media/test-drivers/vidtv/vidtv_psi.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_psi.c b/drivers/media/test-drivers/vidtv/vidtv_psi.c
index 1b6225d65..7f38011ae 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_psi.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_psi.c
@@ -481,11 +481,11 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
default:
curr = kmemdup(desc, sizeof(*desc) + desc->length, GFP_KERNEL);
if (!curr)
- return NULL;
+ goto free_head;
}

if (!curr)
- return NULL;
+ goto free_head;

curr->next = NULL;
if (!head)
@@ -498,6 +498,10 @@ struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc)
}

return head;
+
+free_head:
+ vidtv_psi_desc_destroy(head);
+ return NULL;
}

void vidtv_psi_desc_destroy(struct vidtv_psi_desc *desc)
--
2.30.2

syzbot

unread,

6:04 AM (3 hours ago) 6:04 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions

Author: zhangh...@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Several functions in vidtv_channel.c have error paths that can lead to
memory leaks or use-after-free when vidtv_psi_desc_clone() fails:

1. vidtv_channel_sdt_serv_cat_into_new(): passes the accumulated "tail"
pointer to vidtv_psi_sdt_service_init() which chains the new service
before vidtv_psi_desc_clone() is called. If cloning then fails, the
"free_tail" error path destroys tail while head->next still points
to the freed memory, causing a use-after-free when "free" later
destroys head.

2. vidtv_channel_eit_event_cat_into_new(): silently ignores a NULL
return from vidtv_psi_desc_clone(), creating an EIT event with no
descriptor.

3. vidtv_channel_pmt_match_sections(): silently ignores a NULL return
from vidtv_psi_desc_clone(), creating a PMT stream with no
descriptor.

Fix all three by creating new entries without auto-chaining (passing
NULL as head), cloning before chaining, and checking the clone return
value.

Reported-by: syzbot+acc3b7...@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhangh...@uniontech.com>
---

.../media/test-drivers/vidtv/vidtv_channel.c | 55 +++++++++++++------
1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index 5f8c3af87..dee782d63 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -163,6 +163,7 @@ static struct vidtv_psi_table_eit_event
struct vidtv_psi_table_eit_event *curr = NULL;
struct vidtv_psi_table_eit_event *head = NULL;
struct vidtv_psi_table_eit_event *tail = NULL;
+ struct vidtv_psi_table_eit_event *new_event = NULL;
struct vidtv_psi_desc *desc = NULL;
u16 event_id;

@@ -179,17 +180,25 @@ static struct vidtv_psi_table_eit_event

while (curr) {
event_id = be16_to_cpu(curr->event_id);
- tail = vidtv_psi_eit_event_init(tail, event_id);
- if (!tail) {
+ new_event = vidtv_psi_eit_event_init(NULL, event_id);
+ if (!new_event) {
vidtv_psi_eit_event_destroy(head);
return NULL;
}

desc = vidtv_psi_desc_clone(curr->descriptor);
- vidtv_psi_desc_assign(&tail->descriptor, desc);
+ if (!desc) {
+ vidtv_psi_eit_event_destroy(new_event);
+ vidtv_psi_eit_event_destroy(head);
+ return NULL;
+ }
+ vidtv_psi_desc_assign(&new_event->descriptor, desc);

if (!head)
- head = tail;
+ head = new_event;
+ else
+ tail->next = new_event;
+ tail = new_event;

curr = curr->next;
}
@@ -209,6 +218,7 @@ static struct vidtv_psi_table_sdt_service
struct vidtv_psi_table_sdt_service *curr = NULL;
struct vidtv_psi_table_sdt_service *head = NULL;
struct vidtv_psi_table_sdt_service *tail = NULL;
+ struct vidtv_psi_table_sdt_service *new_service = NULL;

struct vidtv_psi_desc *desc = NULL;
u16 service_id;
@@ -226,20 +236,25 @@ static struct vidtv_psi_table_sdt_service

while (curr) {
service_id = be16_to_cpu(curr->service_id);
- tail = vidtv_psi_sdt_service_init(tail,
+ new_service = vidtv_psi_sdt_service_init(NULL,
service_id,
curr->EIT_schedule,
curr->EIT_present_following);
- if (!tail)
+ if (!new_service)
goto free;

desc = vidtv_psi_desc_clone(curr->descriptor);
- if (!desc)
- goto free_tail;
- vidtv_psi_desc_assign(&tail->descriptor, desc);
+ if (!desc) {
+ vidtv_psi_sdt_service_destroy(new_service);
+ goto free;
+ }
+ vidtv_psi_desc_assign(&new_service->descriptor, desc);

if (!head)
- head = tail;
+ head = new_service;
+ else
+ tail->next = new_service;
+ tail = new_service;

curr = curr->next;
}
@@ -249,8 +264,6 @@ static struct vidtv_psi_table_sdt_service

return head;

-free_tail:
- vidtv_psi_sdt_service_destroy(tail);
free:
vidtv_psi_sdt_service_destroy(head);
return NULL;
@@ -333,12 +346,14 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,

/* we got a match */
if (curr_id == cur_chnl->program_num) {
+ struct vidtv_psi_table_pmt_stream *prev = NULL;
+
s = cur_chnl->streams;

/* clone the streams for the PMT */
while (s) {
e_pid = vidtv_psi_pmt_stream_get_elem_pid(s);
- tail = vidtv_psi_pmt_stream_init(tail,
+ tail = vidtv_psi_pmt_stream_init(NULL,
s->type,
e_pid);
if (!tail) {
@@ -346,13 +361,21 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
return;
}

- if (!head)
- head = tail;
-
desc = vidtv_psi_desc_clone(s->descriptor);
+ if (!desc) {
+ vidtv_psi_pmt_stream_destroy(tail);
+ vidtv_psi_pmt_stream_destroy(head);
+ return;
+ }
vidtv_psi_desc_assign(&tail->descriptor,
desc);

+ if (!head)
+ head = tail;
+ if (prev)
+ prev->next = tail;
+ prev = tail;
+
s = s->next;
}

--
2.30.2

syzbot

unread,

6:26 AM (3 hours ago) 6:26 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com, zhangh...@uniontech.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in vidtv_psi_service_desc_init

BUG: memory leak

unreferenced object 0xffff8881292c2340 (size 32):
comm "syz.0.17", pid 6591, jiffies 4294947895

hex dump (first 32 bytes):

00 00 00 00 00 00 00 00 48 19 02 0c 50 fb a0 13 ........H...P...
81 88 ff ff 0a 20 db 37 29 81 88 ff ff 00 00 00 ..... .7).......
backtrace (crc 83ef0d87):

unreferenced object 0xffff8881292c2dc0 (size 32):
comm "syz.0.17", pid 6591, jiffies 4294947895

unreferenced object 0xffff8881287a6cd0 (size 16):
comm "syz.0.17", pid 6591, jiffies 4294947895
hex dump (first 16 bytes):
00 00 e0 10 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc bba9c611):

vidtv_psi_pat_program_init+0x2e/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:847
vidtv_channel_pat_prog_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:301 [inline]
vidtv_channel_si_init+0x189/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:436
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519

vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak

unreferenced object 0xffff8881292c2b20 (size 32):
comm "syz.0.17", pid 6591, jiffies 4294947895

hex dump (first 32 bytes):

08 80 fd 80 1b 20 26 2c 29 81 88 ff ff 00 00 00 ..... &,).......

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

backtrace (crc 67819e4a):

vidtv_psi_sdt_service_init+0x32/0xa0 drivers/media/test-drivers/vidtv/vidtv_psi.c:1390

vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:229 [inline]
vidtv_channel_si_init+0x22f/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519

unreferenced object 0xffff888111e320c0 (size 16):
comm "syz.0.17", pid 6591, jiffies 4294947895
hex dump (first 16 bytes):
0b 4c 69 6e 75 78 54 56 2e 6f 72 67 00 00 00 00 .LinuxTV.org....
backtrace (crc b60e4fc0):

vidtv_psi_service_desc_init+0x130/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:258
vidtv_psi_desc_clone+0x161/0x170 drivers/media/test-drivers/vidtv/vidtv_psi.c:451

vidtv_channel_sdt_serv_cat_into_new drivers/media/test-drivers/vidtv/vidtv_channel.c:236 [inline]
vidtv_channel_si_init+0x1d7/0x770 drivers/media/test-drivers/vidtv/vidtv_channel.c:439
vidtv_mux_init+0x115/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:519

console output: https://syzkaller.appspot.com/x/log.txt?x=113d212e580000

patch: https://syzkaller.appspot.com/x/patch.diff?x=12ab22a6580000

syzbot

unread,

6:34 AM (2 hours ago) 6:34 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com, zhangh...@uniontech.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in vidtv_psi_service_desc_init

BUG: memory leak

unreferenced object 0xffff888128ec7400 (size 32):
comm "syz.0.17", pid 6589, jiffies 4294948509

hex dump (first 32 bytes):

00 00 00 00 00 00 00 00 48 19 02 0c d0 81 38 2b ........H.....8+
81 88 ff ff 0a c0 80 38 2b 81 88 ff ff 00 00 00 .......8+.......
backtrace (crc 5ee311d1):

vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:551

vidtv_mux_init+0x372/0x390 drivers/media/test-drivers/vidtv/vidtv_mux.c:515
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
vidtv_start_feed+0x1d4/0x260 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_ts_feed_start_filtering+0x8e/0x130 drivers/media/dvb-core/dvb_demux.c:747
dvb_dmxdev_start_feed+0x11c/0x170 drivers/media/dvb-core/dmxdev.c:658
dvb_dmxdev_filter_start+0xd8/0x440 drivers/media/dvb-core/dmxdev.c:769
dvb_demux_do_ioctl+0x297/0x7d0 drivers/media/dvb-core/dmxdev.c:1065
dvb_usercopy+0x116/0x2d0 drivers/media/dvb-core/dvbdev.c:996
dvb_demux_ioctl+0x29/0x40 drivers/media/dvb-core/dmxdev.c:1201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak

unreferenced object 0xffff888128ec7f60 (size 32):
comm "syz.0.17", pid 6589, jiffies 4294948509

hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 05 04 42 53 53 44 00 00 ..........BSSD..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 168dca61):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_noprof+0x3b7/0x550 mm/slub.c:5308
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
vidtv_psi_registration_desc_init+0x2d/0xd0 drivers/media/test-drivers/vidtv/vidtv_psi.c:282
vidtv_channel_s302m_init+0x132/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:107

vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:551

unreferenced object 0xffff8881290a5b00 (size 8):
comm "syz.0.17", pid 6589, jiffies 4294948509

hex dump (first 8 bytes):
65 6e 67 00 00 00 00 00 eng.....
backtrace (crc 5673a685):

vidtv_psi_short_event_desc_init+0xf3/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:407
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124
vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:551

unreferenced object 0xffff88811219af00 (size 64):
comm "syz.0.17", pid 6589, jiffies 4294948509

hex dump (first 32 bytes):

0b 4c 75 64 77 69 67 20 76 61 6e 20 42 65 65 74 .Ludwig van Beet
68 6f 76 65 6e 3a 20 46 fc 72 20 45 6c 69 73 65 hoven: F.r Elise
backtrace (crc 6d5386ce):

vidtv_psi_short_event_desc_init+0x1f0/0x220 drivers/media/test-drivers/vidtv/vidtv_psi.c:412
vidtv_channel_s302m_init+0x1c2/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:124

vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:551

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF

Tested on:

commit: e8c2f9fd Merge tag 'for-7.1/hpfs-fixes' of git://git.k..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=172b22f2580000

patch: https://syzkaller.appspot.com/x/patch.diff?x=129c6aa6580000

syzbot

unread,

8:49 AM (10 minutes ago) 8:49 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] media: vidtv: fix memory leak by cleaning up mux in bridge_remove

Author: zhangh...@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

The vidtv driver relies on stop_feed being called via the dmxdev file
close path to trigger vidtv_stop_streaming() which destroys the mux.
However, if the DVB core close path does not reach stop_filtering
(e.g. due to race conditions), the entire mux and all channel
descriptors are permanently leaked.

Fix this by proactively stopping streaming and destroying the mux in
vidtv_bridge_remove(), before releasing the dmxdev and dmx resources.
Use the existing feed_lock mutex to synchronize with any concurrent
stop_feed callback. After cleaning up the mux, set dvb->streaming to
false and dvb->mux to NULL so any subsequent stop_feed will return
early safely.

Also fix a pre-existing bug where mutex_destroy(&dvb->feed_lock) was
called before dvb_dmxdev_release(), which could cause vidtv_stop_feed
to operate on a destroyed mutex if the fd close path races with module
removal.

Reported-by: syzbot+acc3b7...@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian <zhangh...@uniontech.com>
---

drivers/media/test-drivers/vidtv/vidtv_bridge.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index a8a76434989c..3ea8cc04571d 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -548,7 +548,13 @@ static void vidtv_bridge_remove(struct platform_device *pdev)
media_device_cleanup(&dvb->mdev);
#endif /* CONFIG_MEDIA_CONTROLLER_DVB */

- mutex_destroy(&dvb->feed_lock);
+ mutex_lock(&dvb->feed_lock);
+ if (dvb->streaming) {
+ dvb->streaming = false;
+ vidtv_mux_destroy(dvb->mux);
+ dvb->mux = NULL;
+ }
+ mutex_unlock(&dvb->feed_lock);

for (i = 0; i < NUM_FE; ++i) {
dvb_unregister_frontend(dvb->fe[i]);
@@ -559,6 +565,8 @@ static void vidtv_bridge_remove(struct platform_device *pdev)
dvb_dmxdev_release(&dvb->dmx_dev);
dvb_dmx_release(&dvb->demux);
dvb_unregister_adapter(&dvb->adapter);
+
+ mutex_destroy(&dvb->feed_lock);
dev_info(&pdev->dev, "Successfully removed vidtv\n");
}

--
2.30.2

Reply all

Reply to author

Forward

0 new messages