From: Ruslan Valiyev
To: "Daniel W . S . Almeida" , Mauro Carvalho Chehab
Cc: Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com, stable@vger.kernel.org, Ruslan Valiyev
Subject: [PATCH] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
Date: Tue, 17 Mar 2026 17:05:44 +0000
Message-ID: <20260317170544.1888757-1-linuxoid@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

syzbot reported a general protection fault in vidtv_psi_ts_psi_write_into [1].

vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does not check for this before dereferencing the returned pointer to access the continuity counter. This leads to a general protection fault when accessing a near-NULL address.

The root cause is that vidtv_mux_pid_ctx_init() does not check the return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs. If the allocation fails, the PID context is never created, but init returns success. The subsequent vidtv_mux_push_si() call then gets NULL from vidtv_mux_get_pid_ctx() and crashes.

Fix both the root cause (add error check in vidtv_mux_pid_ctx_init for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for all vidtv_mux_get_pid_ctx() calls.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events vidtv_mux_tick
RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
Call Trace:
 vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
 vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
 vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
 vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408

Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
Signed-off-by: Ruslan Valiyev
---
 drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_mux.c b/drivers/media/t= est-drivers/vidtv/vidtv_mux.c index 403fbedb86636..bc52f51418f25 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_mux.c +++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c @@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct vidtv_mux *m) /* add a ctx for all PMT sections */ while (p) { pid =3D vidtv_psi_get_pat_program_pid(p); - vidtv_mux_create_pid_ctx_once(m, pid); + if (!vidtv_mux_create_pid_ctx_once(m, pid)) + goto free; p =3D p->next; } =20 @@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidtv_mux *m) nit_ctx =3D vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID); eit_ctx =3D vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID); =20 + if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) + return 0; + pat_args.offset =3D m->mux_buf_offset; pat_args.continuity_counter =3D &pat_ctx->cc; =20 
@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidtv_mux *m) } =20 pmt_ctx =3D vidtv_mux_get_pid_ctx(m, pmt_pid); + if (!pmt_ctx) + continue; =20 pmt_args.offset =3D m->mux_buf_offset; pmt_args.pmt =3D m->si.pmt_secs[i]; --=20 2.43.0
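Review bot: the new `goto free` in the vidtv_mux_pid_ctx_init() hunk jumps without setting an error return, and the hunk shows neither the `free:` label nor what the function returns on that path; since the function is `static int` and the commit message says init currently reports success on this failure, confirm that the `free:` path returns a negative errno (for instance `-ENOMEM`) and releases the PID contexts created earlier in the loop, otherwise the caller still sees success and the root-cause fix is incomplete.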
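Review bot: in the first vidtv_mux_push_si() hunk, `if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) return 0;` silently skips SI generation on every tick whenever a context is missing, which hides exactly the state the init-side check is meant to make impossible; consider `if (WARN_ON_ONCE(!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)) return 0;` so the condition shows up once in the log instead of turning a bug into a quiet stream with no tables. Returning 0 (no bytes written) is otherwise consistent with the function's u32 return value.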
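Review bot: in the second vidtv_mux_push_si() hunk, `if (!pmt_ctx) continue;` drops that program's PMT on every tick with no indication that anything is wrong; a `WARN_ON_ONCE(!pmt_ctx)` ahead of the `continue` keeps the defensive behaviour while making the missing context visible, and matches whatever convention is chosen for the PAT/SDT/NIT/EIT check in the previous hunk so the two paths report the same failure the same way.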