CVE-2026-31585

Summary

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: fix nfeeds state corruption on start_streaming failure

syzbot reported a memory leak in vidtv_psi_service_desc_init [1].

When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream.

This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.

Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.

[1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288 vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83 vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524 vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < f8cccb427e65d725fc0ba05e8900b4676eda268eaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 60f768d46df561e06d92ffcacc00909f37a0f23daffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 80900b5424f3454256153ce386388df43b324f63affected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 17cb7957c979529cc98ff57f7ac331532f1f7c83affected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 98c22210aeadce67d9d20059f0dbbd01ba7fdbbaaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 25f19e476ab15defe698504212899fdb9f7cd61baffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 83110c2c8c46c035c2e0fc8ff3e4991183bf9ccdaffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < 4bf95f797edd63c93330eafb6d6e670982344b9baffected
LinuxLinuxf90cf6079bf67988f8b1ad1ade70fc89d0080905 < a0e5a598fe9a4612b852406b51153b881592aedeaffected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References