Date: Tue, 26 May 2026 03:04:42 -0700
In-Reply-To: <6a150a33.2b0a0220.185dbd.0004.GAE@google.com>
Message-ID: <6a15703a.170a0220.89b5.0008.GAE@google.com>
Subject: Forwarded: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions
X-Mailing-List: linux-kernel@vger.kernel.org
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH 2/2] media: vidtv: fix error handling in channel SI init functions
Author: zhanghaotian@uniontech.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Several functions in vidtv_channel.c have error paths that can lead to memory leaks or use-after-free when vidtv_psi_desc_clone() fails:

1. vidtv_channel_sdt_serv_cat_into_new(): passes the accumulated "tail" pointer to vidtv_psi_sdt_service_init(), which chains the new service before vidtv_psi_desc_clone() is called. If cloning then fails, the "free_tail" error path destroys tail while head->next still points to the freed memory, causing a use-after-free when "free" later destroys head.

2. vidtv_channel_eit_event_cat_into_new(): silently ignores a NULL return from vidtv_psi_desc_clone(), creating an EIT event with no descriptor.

3. vidtv_channel_pmt_match_sections(): silently ignores a NULL return from vidtv_psi_desc_clone(), creating a PMT stream with no descriptor.

Fix all three by creating new entries without auto-chaining (passing NULL as head), cloning before chaining, and checking the clone return value.

Reported-by: syzbot+acc3b75c010446ad403f@syzkaller.appspotmail.com
Signed-off-by: zhanghaotian
---
 .../media/test-drivers/vidtv/vidtv_channel.c | 55 +++++++++++++------
 1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index 5f8c3af87..dee782d63 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -163,6 +163,7 @@ static struct vidtv_psi_table_eit_event struct vidtv_psi_table_eit_event *curr =3D NULL; struct vidtv_psi_table_eit_event *head =3D NULL; struct vidtv_psi_table_eit_event *tail =3D NULL; + struct vidtv_psi_table_eit_event *new_event =3D NULL; struct vidtv_psi_desc *desc =3D NULL; u16 event_id; =20 @@ -179,17 +180,25 @@ static struct vidtv_psi_table_eit_event =20 while (curr) { event_id =3D be16_to_cpu(curr->event_id); - tail =3D vidtv_psi_eit_event_init(tail, event_id); - if (!tail) { + new_event =3D vidtv_psi_eit_event_init(NULL, event_id); + if (!new_event) { vidtv_psi_eit_event_destroy(head); return NULL; } =20 desc =3D vidtv_psi_desc_clone(curr->descriptor); - vidtv_psi_desc_assign(&tail->descriptor, desc); + if (!desc) { + vidtv_psi_eit_event_destroy(new_event); + vidtv_psi_eit_event_destroy(head); + return NULL; + } + vidtv_psi_desc_assign(&new_event->descriptor, desc); =20 if (!head) - head =3D tail; + head =3D new_event; + else + tail->next =3D new_event; + tail =3D new_event; =20 curr =3D curr->next; } @@ -209,6 +218,7 @@ static struct vidtv_psi_table_sdt_service struct vidtv_psi_table_sdt_service *curr =3D NULL; struct vidtv_psi_table_sdt_service *head =3D NULL; struct vidtv_psi_table_sdt_service *tail =3D NULL; + struct vidtv_psi_table_sdt_service *new_service =3D NULL; =20 struct vidtv_psi_desc *desc =3D NULL; u16 service_id; 
@@ -226,20 +236,25 @@ static struct vidtv_psi_table_sdt_service =20 while (curr) { service_id =3D be16_to_cpu(curr->service_id); - tail =3D vidtv_psi_sdt_service_init(tail, + new_service =3D vidtv_psi_sdt_service_init(NULL, service_id, curr->EIT_schedule, curr->EIT_present_following); - if (!tail) + if (!new_service) goto free; =20 desc =3D vidtv_psi_desc_clone(curr->descriptor); - if (!desc) - goto free_tail; - vidtv_psi_desc_assign(&tail->descriptor, desc); + if (!desc) { + vidtv_psi_sdt_service_destroy(new_service); + goto free; + } + vidtv_psi_desc_assign(&new_service->descriptor, desc); =20 if (!head) - head =3D tail; + head =3D new_service; + else + tail->next =3D new_service; + tail =3D new_service; =20 curr =3D curr->next; } @@ -249,8 +264,6 @@ static struct vidtv_psi_table_sdt_service =20 return head; =20 -free_tail: - vidtv_psi_sdt_service_destroy(tail); free: vidtv_psi_sdt_service_destroy(head); return NULL; @@ -333,12 +346,14 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel= *channels, =20 /* we got a match */ if (curr_id =3D=3D cur_chnl->program_num) { + struct vidtv_psi_table_pmt_stream *prev =3D NULL; + s =3D cur_chnl->streams; =20 /* clone the streams for the PMT */ while (s) { e_pid =3D vidtv_psi_pmt_stream_get_elem_pid(s); - tail =3D vidtv_psi_pmt_stream_init(tail, + tail =3D vidtv_psi_pmt_stream_init(NULL, s->type, e_pid); if (!tail) { @@ -346,13 +361,21 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel= *channels, return; } =20 - if (!head) - head =3D tail; - desc =3D vidtv_psi_desc_clone(s->descriptor); + if (!desc) { + vidtv_psi_pmt_stream_destroy(tail); + vidtv_psi_pmt_stream_destroy(head); + return; + } vidtv_psi_desc_assign(&tail->descriptor, desc); =20 + if (!head) + head =3D tail; + if (prev) + prev->next =3D tail; + prev =3D tail; + s =3D s->next; } =20 --=20 2.30.2
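Review bot: in the EIT hunk (@@ -179,17 +180,25 @@) the clone-failure path calls `vidtv_psi_eit_event_destroy(new_event)` and then `vidtv_psi_eit_event_destroy(head)` as two separate objects, which is only safe because `tail->next = new_event` now executes after the clone check, so `new_event` is still unlinked at that point. A one-line comment on the `if (!desc)` block saying that `new_event` is deliberately not yet chained would protect that ordering from a later refactor that moves the chaining up and reintroduces the double destroy this patch removes.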
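Review bot: in the SDT hunk (@@ -226,20 +236,25 @@) the new `if (!desc)` branch destroys `new_service` inline and then jumps to `free`, where `vidtv_psi_sdt_service_destroy(head)` runs with `head` still NULL if the clone fails on the first service. The pre-existing `if (!new_service) goto free;` path already relies on the destroy helper accepting NULL, so this is no regression, but with two failure sites now sharing the label it is worth a short comment above `free:` (or an `if (head)` guard) making that assumption explicit.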
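Review bot: in the first PMT hunk (@@ -333,12 +346,14 @@) the naming is inverted relative to the two functions above: here `tail` holds the freshly allocated, not-yet-linked stream and the new `prev` pointer is the end of the chain, whereas the EIT and SDT changes use `new_event`/`new_service` for the fresh node and keep `tail` as the chain end. Suggest the same shape here, e.g. `new_stream = vidtv_psi_pmt_stream_init(NULL, s->type, e_pid);` followed by `tail->next = new_stream; tail = new_stream;`, which also makes `prev` unnecessary.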
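Review bot: in the second PMT hunk (@@ -346,13 +361,21 @@) the new `if (!desc)` path tears down `tail` and `head` and then leaves through a bare `return;`, so the caller cannot tell that this program's stream list was dropped; the existing `if (!tail)` exit has the same shape, but this change doubles the number of silent exits. Either propagate an error to the caller or state in the commit message that a failed descriptor clone leaves that PMT section without streams; it is also worth confirming that `head` has not been stored into the section before this point, since destroying it would otherwise leave a dangling pointer.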
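An added example, not part of the patch or of the vidtv driver, that models item 1 of the commit message in C: the SDT init/destroy helpers and the clone function are stand-ins with invented names, and node releases are counted instead of freed so the double release caused by chaining before cloning is observable rather than undefined behaviour.

```c
#include <stddef.h>
/* Toy model of vidtv's SDT service list: a node with a next link and a descriptor. */
struct service { struct service *next; int *descriptor; };
#define NODES 8
static struct service pool[NODES];  /* constructed "allocator": one slot per node id */
static int releases[NODES];         /* how many times each slot has been destroyed */
static int dummy_desc;

static void reset(void) {
    for (int i = 0; i < NODES; i++) { releases[i] = 0; pool[i].next = NULL; pool[i].descriptor = NULL; }
}
/* Stands in for vidtv_psi_sdt_service_init(head, ...): links the new node after head. */
static struct service *service_init(struct service *head, int id) {
    struct service *s = &pool[id]; if (head) head->next = s; return s;
}
/* Stands in for vidtv_psi_sdt_service_destroy(): releases (here: counts) the chain from s. */
static void service_destroy(struct service *s) {
    while (s) { releases[s - pool]++; s = s->next; }
}
/* Hypothetical vidtv_psi_desc_clone() that fails for the node whose id == fail_at. */
static int *desc_clone(int id, int fail_at) { return id == fail_at ? NULL : &dummy_desc; }

/* Pre-patch shape: chain first, clone second, then "free_tail" followed by "free". */
static void build_buggy(int n, int fail_at) {
    struct service *head = NULL, *tail = NULL;
    for (int i = 0; i < n; i++) {
        tail = service_init(tail, i);
        tail->descriptor = desc_clone(i, fail_at);
        if (!tail->descriptor) {
            service_destroy(tail);  /* free_tail: tail is still linked from head... */
            service_destroy(head);  /* free: ...so this walks into the released tail */
            return;
        }
        if (!head) head = tail;
    }
    service_destroy(head);
}
/* Post-patch shape: create unlinked, clone, and link into the chain only on success. */
static void build_fixed(int n, int fail_at) {
    struct service *head = NULL, *tail = NULL, *fresh;
    for (int i = 0; i < n; i++) {
        fresh = service_init(NULL, i);
        fresh->descriptor = desc_clone(i, fail_at);
        if (!fresh->descriptor) { service_destroy(fresh); service_destroy(head); return; }
        if (!head) head = fresh; else tail->next = fresh;
        tail = fresh;
    }
    service_destroy(head);
}
/* Highest release count of any node: 1 means every created node was destroyed exactly once. */
static int max_releases(void) { int m = 0; for (int i = 0; i < NODES; i++) if (releases[i] > m) m = releases[i]; return m; }
```

With the old ordering the double release only appears when the clone fails on a later node (head is still NULL on the first iteration), which is why a single-service test would not have shown it.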