[Linux Kernel Bug] memory leak in dvb_dmxdev_add_pid

Chenyuan Yang <chenyuan0y@xxxxxxxxx> · Sat, 2 Mar 2024 15:12:48 -0600

Dear Linux Developers for DVB,

We encountered "memory leak in dvb_dmxdev_add_pid" when testing the
DVB driver with Syzkaller and our generated specifications.

The C reproducer and the config for the kernel are attached.

The memory leak originates from the allocated dmxdev_feed structure,
as referenced in the code at
[https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L881].
This structure fails to be freed upon entering the code branch found
at [https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L891].

```
ioctl$KGPT_DMX_START(r0, 0x6f29, 0x0)
BUG: memory leak
unreferenced object 0xffff88802e9ae7e0 (size 32):
  comm "syz-executor.0", pid 27777, jiffies 4295115050 (age 15.550s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    08 c0 6a 05 00 c9 ff ff 08 c0 6a 05 00 c9 ff ff  ..j.......j.....
  backtrace:
    [<ffffffff8169126f>] kmemleak_alloc_recursive
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/kmemleak.h:42
[inline]
    [<ffffffff8169126f>] slab_post_alloc_hook
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slab.h:766
[inline]
    [<ffffffff8169126f>] slab_alloc_node
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slub.c:3478
[inline]
    [<ffffffff8169126f>] __kmem_cache_alloc_node+0x2ff/0x3e0
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slub.c:3517
    [<ffffffff815d9da9>] kmalloc_trace+0x29/0x90
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/mm/slab_common.c:1098
    [<ffffffff83db2e09>] kmalloc
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/slab.h:600
[inline]
    [<ffffffff83db2e09>] kzalloc
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/./include/linux/slab.h:721
[inline]
    [<ffffffff83db2e09>] dvb_dmxdev_add_pid+0xa9/0x160
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:881
    [<ffffffff83db48de>] dvb_dmxdev_pes_filter_set
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:956
[inline]
    [<ffffffff83db48de>] dvb_demux_do_ioctl+0x67e/0xa80
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:1076
    [<ffffffff83db1252>] dvb_usercopy+0x82/0x220
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dvbdev.c:986
    [<ffffffff83db1b51>] dvb_demux_ioctl+0x31/0x40
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/drivers/media/dvb-core/dmxdev.c:1185
    [<ffffffff8171ca88>] vfs_ioctl
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:51
[inline]
    [<ffffffff8171ca88>] __do_sys_ioctl
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:871
[inline]
    [<ffffffff8171ca88>] __se_sys_ioctl
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:857
[inline]
    [<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/fs/ioctl.c:857
    [<ffffffff8540b150>] do_syscall_x64
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/arch/x86/entry/common.c:51
[inline]
    [<ffffffff8540b150>] do_syscall_64+0x40/0x110
scratch/zijie-data/LLM-Kernel/spec-eval/shared_linux_builds/syzbot-leak-more_631373bc9e824969/arch/x86/entry/common.c:82
    [<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
```

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan
Attachment:
config

Description: Binary data
Attachment:
dvb_memleak.c

Description: Binary data