CVE-2026-31585
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix nfeeds state corruption on start_streaming failure
syzbot reported a memory leak in vidtv_psi_service_desc_init [1].
When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream.
This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early.
Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds.
[1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288 vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83 vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524 vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < f8cccb427e65d725fc0ba05e8900b4676eda268e | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 60f768d46df561e06d92ffcacc00909f37a0f23d | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 80900b5424f3454256153ce386388df43b324f63 | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 17cb7957c979529cc98ff57f7ac331532f1f7c83 | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 98c22210aeadce67d9d20059f0dbbd01ba7fdbba | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 25f19e476ab15defe698504212899fdb9f7cd61b | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < 4bf95f797edd63c93330eafb6d6e670982344b9b | affected |
| Linux | Linux | f90cf6079bf67988f8b1ad1ade70fc89d0080905 < a0e5a598fe9a4612b852406b51153b881592aede | affected |
| Linux | Linux | 5.10 | affected |
| Linux | Linux | 0 < 5.10 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.83 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.24 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.14 <= 6.19.* | unaffected |
| Linux | Linux | 7.0.1 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/f8cccb427e65d725fc0ba05e8900b4676eda268e
- https://git.kernel.org/stable/c/60f768d46df561e06d92ffcacc00909f37a0f23d
- https://git.kernel.org/stable/c/80900b5424f3454256153ce386388df43b324f63
- https://git.kernel.org/stable/c/17cb7957c979529cc98ff57f7ac331532f1f7c83
- https://git.kernel.org/stable/c/98c22210aeadce67d9d20059f0dbbd01ba7fdbba
- https://git.kernel.org/stable/c/25f19e476ab15defe698504212899fdb9f7cd61b
- https://git.kernel.org/stable/c/83110c2c8c46c035c2e0fc8ff3e4991183bf9ccd
- https://git.kernel.org/stable/c/4bf95f797edd63c93330eafb6d6e670982344b9b
- https://git.kernel.org/stable/c/a0e5a598fe9a4612b852406b51153b881592aede
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.