[PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure

Jose A. Perez de Azpillaga posted 1 patch 2 months ago
drivers/media/dvb-core/dmxdev.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
Posted by Jose A. Perez de Azpillaga 2 months ago
When dvb_dmxdev_add_pid() adds a new dmxdev_feed to the filter's ts list
and then dvb_dmxdev_start_feed() fails, the function returns the error
code but leaves the orphaned feed entry in the list without cleaning up.

Fix this by removing the orphaned feed from the list and freeing it when
dvb_dmxdev_start_feed() fails in dvb_dmxdev_add_pid().

Fixes: 1cb662a31449 ("V4L/DVB (12275): Add two new ioctls: DMX_ADD_PID and DMX_REMOVE_PID")
Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
Signed-off-by: Jose A. Perez de Azpillaga <azpijr@gmail.com>
---
 drivers/media/dvb-core/dmxdev.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..401a0cbb4138 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -901,8 +901,15 @@ static int dvb_dmxdev_add_pid(struct dmxdev *dmxdev,
 	feed->pid = pid;
 	list_add(&feed->next, &filter->feed.ts);

-	if (filter->state >= DMXDEV_STATE_GO)
-		return dvb_dmxdev_start_feed(dmxdev, filter, feed);
+	if (filter->state >= DMXDEV_STATE_GO) {
+		int ret = dvb_dmxdev_start_feed(dmxdev, filter, feed);
+
+		if (ret < 0) {
+			list_del(&feed->next);
+			kfree(feed);
+		}
+		return ret;
+	}

 	return 0;
 }
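Review bot: In the new `if (ret < 0)` branch, `feed` is unlinked and freed as soon as dvb_dmxdev_start_feed() returns an error, but neither this hunk nor the commit message shows what state a failed start leaves attached to `feed`. If any failure path in dvb_dmxdev_start_feed() returns with something still allocated on, or still referencing, the feed, then `kfree(feed)` here either leaks that resource or leaves a dangling pointer behind. Please confirm that every error return in dvb_dmxdev_start_feed() undoes its own setup, and add a sentence to the changelog saying so, so that the unlink-and-free sequence can be seen to be complete. It would also help to note in the changelog that the `list_del(&feed->next)` runs under the same locking as the `list_add()` a few lines above it, since the error path now modifies filter->feed.ts a second time.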
--
2.53.0
Re: [PATCH] media: dvb-core: fix memory leak in dvb_dmxdev_add_pid() on start failure
Posted by Jose A. Perez de Azpillaga 1 month ago
On Sun, Apr 12, 2026 at 08:25:51PM +0200, Jose A. Perez de Azpillaga wrote:
> When dvb_dmxdev_add_pid() adds a new dmxdev_feed to the filter's ts list
> and then dvb_dmxdev_start_feed() fails, the function returns the error
> code but leaves the orphaned feed entry in the list without cleaning up.
>
> Fix this by removing the orphaned feed from the list and freeing it when
> dvb_dmxdev_start_feed() fails in dvb_dmxdev_add_pid().
>
> Fixes: 1cb662a31449 ("V4L/DVB (12275): Add two new ioctls: DMX_ADD_PID and DMX_REMOVE_PID")
> Reported-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=afc686a471d70896c5d9
> Tested-by: syzbot+afc686a471d70896c5d9@syzkaller.appspotmail.com
> Signed-off-by: Jose A. Perez de Azpillaga <azpijr@gmail.com>

hi,

just a gentle ping for this patch. is there anything else needed from my
side?

thanks

--
jose a. p-a