[syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 6342649c33d2 Merge tag 'block-6.11-20240726' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=159feda1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5efb917b1462a973
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f7155d1516ca/disk-6342649c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f724a979b927/vmlinux-6342649c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/480121fc37f0/bzImage-6342649c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+16062f...@syzkaller.appspotmail.com

em28xx 5-1:0.0: Closing input extension
==================================================================
BUG: KASAN: slab-use-after-free in media_device_unregister+0x154/0x470
Read of size 8 at addr ffff888058df4210 by task kworker/0:1/9

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-12881-g6342649c33d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
media_device_unregister+0x154/0x470
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xa7/0x230 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x1cc/0x530 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x25e/0x940 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:568 [inline]
__device_release_driver drivers/base/dd.c:1272 [inline]
device_release_driver_internal+0x503/0x7c0 drivers/base/dd.c:1295
bus_remove_device+0x34f/0x420 drivers/base/bus.c:574
device_del+0x57a/0x9b0 drivers/base/core.c:3868
usb_disable_device+0x3bf/0x850 drivers/usb/core/message.c:1418
usb_disconnect+0x340/0x950 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1eb9/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 31851:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4189
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2534
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 31851:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x149/0x360 mm/slub.c:4594
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2903
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff888058df4000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 528 bytes inside of
freed 8192-byte region [ffff888058df4000, ffff888058df6000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x58df0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff888015842280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff888015842280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001637c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 3922, tgid 3922 (kworker/u8:8), ts 2368883364470, free_ts 2368880799693
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3442
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4700
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2321
allocate_slab+0x5a/0x2f0 mm/slub.c:2484
new_slab mm/slub.c:2537 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
__slab_alloc+0x58/0xa0 mm/slub.c:3813
__slab_alloc_node mm/slub.c:3866 [inline]
slab_alloc_node mm/slub.c:4025 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4170
kmalloc_noprof include/linux/slab.h:685 [inline]
n_hdlc_tty_receive+0x1ce/0x4e0 drivers/tty/n_hdlc.c:393
tty_ldisc_receive_buf+0x11f/0x170 drivers/tty/tty_buffer.c:391
tty_port_default_receive_buf+0x6d/0xa0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:445 [inline]
flush_to_ldisc+0x328/0x860 drivers/tty/tty_buffer.c:495
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
page last free pid 13102 tgid 13102 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
discard_slab mm/slub.c:2583 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3051
put_cpu_partial+0x17c/0x250 mm/slub.c:3126
__slab_free+0x2ea/0x3d0 mm/slub.c:4343
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
anon_vma_chain_alloc mm/rmap.c:142 [inline]
__anon_vma_prepare+0xc4/0x4a0 mm/rmap.c:195
vmf_anon_prepare mm/memory.c:3289 [inline]
do_anonymous_page mm/memory.c:4551 [inline]
do_pte_missing mm/memory.c:3945 [inline]
handle_pte_fault+0x5788/0x6eb0 mm/memory.c:5522
__handle_mm_fault mm/memory.c:5665 [inline]
handle_mm_fault+0x1029/0x1980 mm/memory.c:5833
do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
ffff888058df4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888058df4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888058df4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888058df4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888058df4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1a9f5da29b00/disk-79b95d74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7c4b0c995534/vmlinux-79b95d74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5089d6692134/bzImage-79b95d74.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+16062f...@syzkaller.appspotmail.com

em28xx 5-1:0.132: Closing input extension
==================================================================
BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093

CPU: 1 UID: 0 PID: 6093 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>

dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:571 [inline]
__device_release_driver drivers/base/dd.c:1282 [inline]
device_release_driver_internal+0x4d9/0x800 drivers/base/dd.c:1305
bus_remove_device+0x34d/0x440 drivers/base/bus.c:616
device_del+0x511/0x8e0 drivers/base/core.c:3878
usb_disable_device+0x3d4/0x8e0 drivers/usb/core/message.c:1418
usb_disconnect+0x32f/0x990 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1ca9/0x4ef0 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

Allocated by task 5932:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 5932:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88807c114000

which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 528 bytes inside of

freed 8192-byte region [ffff88807c114000, ffff88807c116000)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c110

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea00007dc800 0000000000000003
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea00007dc800 0000000000000003
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f04401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008

page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5959, tgid 5959 (syz-executor), ts 109562656564, free_ts 109528923164
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
macvlan_port_create drivers/net/macvlan.c:1246 [inline]
macvlan_common_newlink+0x5a3/0x1980 drivers/net/macvlan.c:1484
macvtap_newlink+0x13c/0x1b0 drivers/net/macvtap.c:108
rtnl_newlink_create+0x310/0xb00 net/core/rtnetlink.c:3840
__rtnl_newlink net/core/rtnetlink.c:3957 [inline]
rtnl_newlink+0x16e7/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
page last free pid 5959 tgid 5959 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x43c/0x720 mm/slub.c:5315
__alloc_skb+0x1dc/0x3a0 net/core/skbuff.c:679
alloc_skb include/linux/skbuff.h:1383 [inline]
nlmsg_new include/net/netlink.h:1055 [inline]
netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2487
netlink_rcv_skb+0x28c/0x470 net/netlink/af_netlink.c:2556
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

Memory state around the buggy address:

ffff88807c114100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807c114180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807c114200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807c114280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807c114300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[syzbot]

For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: [PATCH] em28xx: test
Author: xiaop...@foxmail.com

From: Pei Xiao <xiao...@kylinos.cn>

#syz test
---
drivers/media/usb/em28xx/em28xx-video.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..0c925931671f 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2899,6 +2899,7 @@ static int em28xx_v4l2_init(struct em28xx *dev)
err:
dev->v4l2 = NULL;
kref_put(&v4l2->ref, em28xx_free_v4l2);
+ dev->media_dev = NULL;
mutex_unlock(&dev->lock);
return ret;
}
--
2.25.1

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807f400740 by task v4l_id/6673

CPU: 0 UID: 0 PID: 6673 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595

v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4787
do_filp_open+0x1fa/0x410 fs/namei.c:4814
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6620ca7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffbb799140 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f662137b880 RCX: 00007f6620ca7407
RDX: 0000000000000000 RSI: 00007fffbb79af1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fffbb799390 R14: 00007f6621480000 R15: 000055bfa77444d8
</TASK>

Allocated by task 6594:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

em28xx_v4l2_init+0x108/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6594:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]

em28xx_v4l2_init+0x168e/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88807f400000

which belongs to the cache kmalloc-8k of size 8192

The buggy address is located 1856 bytes inside of
freed 8192-byte region [ffff88807f400000, ffff88807f402000)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f400

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)

raw: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002

raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002

head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000003 ffffea0001fd0001 00000000ffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5588, tgid 5588 (init), ts 51300794908, free_ts 50968755883

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
page last free pid 5575 tgid 5575 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]

__kmalloc_cache_noprof+0x37c/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x183/0x1f70 security/tomoyo/audit.c:255
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:587
tomoyo_path_perm+0x392/0x4b0 security/tomoyo/file.c:838
security_inode_getattr+0x12f/0x330 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat fs/stat.c:281 [inline]
__do_sys_newfstat fs/stat.c:555 [inline]
__se_sys_newfstat fs/stat.c:550 [inline]
__x64_sys_newfstat+0xfc/0x200 fs/stat.c:550

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff88807f400600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f400700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f400780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 623fb991 Merge tag 'pinctrl-v6.19-2' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b85074580000

kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=142d583a580000

[Hillf Danton]

> Date: Thu, 08 Jan 2026 20:22:24 -0800

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2898,6 +2898,7 @@ unregister_dev:
v4l2_device_unregister(&v4l2->v4l2_dev);

err:
dev->v4l2 = NULL;

+ em28xx_v4l2_media_release(dev);
kref_put(&v4l2->ref, em28xx_free_v4l2);

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64

Read of size 8 at addr ffff88802f1b8740 by task v4l_id/6806

CPU: 0 UID: 0 PID: 6806 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094

do_open fs/namei.c:4637 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823

do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fc5b96a7407

Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff

RSP: 002b:00007fffdbdc9110 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fc5b9d43880 RCX: 00007fc5b96a7407
RDX: 0000000000000000 RSI: 00007fffdbdcaf1c RDI: ffffffffffffff9c

RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000

R13: 00007fffdbdc9360 R14: 00007fc5b9eaa000 R15: 000055ed108754d8
</TASK>

Allocated by task 6727:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

em28xx_v4l2_init+0xfe/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2532

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6727:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]

em28xx_v4l2_init+0x181e/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2902

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88802f1b8000

which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1856 bytes inside of

freed 8192-byte region [ffff88802f1b8000, ffff88802f1ba000)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f1b8

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 0000000000000000 0000000000000001

raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000040 ffff88813ffa7280 0000000000000000 0000000000000001

head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000003 ffffea0000bc6e01 00000000ffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0x528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP), pid 6263, tgid 6263 (syz-executor), ts 116705980999, free_ts 116699070356

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]

__do_kmalloc_node mm/slub.c:5656 [inline]
__kvmalloc_node_noprof+0x6b6/0x920 mm/slub.c:7136
kvmalloc_array_node_noprof include/linux/slab.h:1122 [inline]
__ptr_ring_init_queue_alloc_noprof include/linux/ptr_ring.h:481 [inline]
ptr_ring_init_noprof include/linux/ptr_ring.h:499 [inline]
skb_array_init_noprof include/linux/skb_array.h:182 [inline]
pfifo_fast_init+0x242/0x6c0 net/sched/sch_generic.c:870
qdisc_create_dflt+0x13b/0x4c0 net/sched/sch_generic.c:1015
attach_one_default_qdisc net/sched/sch_generic.c:1174 [inline]
netdev_for_each_tx_queue include/linux/netdevice.h:2680 [inline]
attach_default_qdiscs net/sched/sch_generic.c:1192 [inline]
dev_activate+0x378/0x1150 net/sched/sch_generic.c:1251
__dev_open+0x647/0x800 net/core/dev.c:1692
__dev_change_flags+0x1f7/0x680 net/core/dev.c:9736
netif_change_flags+0x88/0x1a0 net/core/dev.c:9799
do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
page last free pid 6263 tgid 6263 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]

__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3cf/0x800 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820
ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949
addrconf_add_mroute net/ipv6/addrconf.c:2552 [inline]
addrconf_add_dev+0x23f/0x320 net/ipv6/addrconf.c:2570
addrconf_gre_config net/ipv6/addrconf.c:3530 [inline]
addrconf_init_auto_addrs+0x146/0xa00 net/ipv6/addrconf.c:3559
addrconf_notify+0xb1e/0x1050 net/ipv6/addrconf.c:3740
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
__dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804

Memory state around the buggy address:

ffff88802f1b8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802f1b8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802f1b8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802f1b8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802f1b8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: cb2076b0 Merge tag 'block-6.19-20260109' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17eb519a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5

dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=12bc719a580000

[Hillf Danton]

> Date: Thu, 08 Jan 2026 20:22:24 -0800

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c

@@ -2150,6 +2150,10 @@ static int em28xx_v4l2_open(struct file
if (mutex_lock_interruptible(&dev->lock))
return -ERESTARTSYS;

+ if (dev->v4l2 == NULL) {
+ mutex_unlock(&dev->lock);
+ return -EINVAL;
+ }
ret = v4l2_fh_open(filp);
if (ret) {
dev_err(&dev->intf->dev,
@@ -2898,6 +2902,7 @@ unregister_dev:

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

KASAN: slab-use-after-free Read in v4l2_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
Read of size 4 at addr ffff88802882c808 by task v4l_id/6679

CPU: 1 UID: 0 PID: 6679 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595

v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444

chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4637 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f25280a7407

Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff

RSP: 002b:00007ffd5d4c3160 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f25287b8880 RCX: 00007f25280a7407
RDX: 0000000000000000 RSI: 00007ffd5d4c3f1b RDI: ffffffffffffff9c

RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000

R13: 00007ffd5d4c33b0 R14: 00007f252891f000 R15: 00005609bc9d64d8
</TASK>

Allocated by task 6566:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

em28xx_v4l2_init+0xfe/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2536

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6566:

kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]

em28xx_v4l2_init+0x181e/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2906

em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88802882c000

which belongs to the cache kmalloc-8k of size 8192

The buggy address is located 2056 bytes inside of
freed 8192-byte region [ffff88802882c000, ffff88802882e000)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28828

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea0000bc1600 dead000000000003

raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000040 ffff88813ffa7280 ffffea0000bc1600 dead000000000003

head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000

head: 00fff00000000003 ffffea0000a20a01 00000000ffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5649, tgid 5649 (dhcpcd-run-hook), ts 51915061807, free_ts 51914952418

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]

__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771

kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]

tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859

page last free pid 5649 tgid 5649 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3cf/0x800 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]

tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204

tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859

do_execve fs/exec.c:1933 [inline]
__do_sys_execve fs/exec.c:2009 [inline]
__se_sys_execve fs/exec.c:2004 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2004

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

Memory state around the buggy address:

ffff88802882c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802882c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802882c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802882c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802882c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: b6151c4e Merge tag 'erofs-for-6.19-rc5-fixes' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1213f83a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5

dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=153d3f92580000

[Hillf Danton]

> Date: Thu, 08 Jan 2026 20:22:24 -0800

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2150,6 +2150,10 @@ static int em28xx_v4l2_open(struct file
if (mutex_lock_interruptible(&dev->lock))
return -ERESTARTSYS;

+ if (dev->v4l2 == NULL) {
+ mutex_unlock(&dev->lock);
+ return -EINVAL;
+ }
ret = v4l2_fh_open(filp);
if (ret) {
dev_err(&dev->intf->dev,

@@ -2898,7 +2902,6 @@ unregister_dev:

v4l2_device_unregister(&v4l2->v4l2_dev);
err:
dev->v4l2 = NULL;

- kref_put(&v4l2->ref, em28xx_free_v4l2);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com

Tested on:

commit: 97313d61 Merge tag 'iommu-fixes-v6.19-rc4' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146ff19a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5

dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=1022699a580000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

#syz test

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..490ac7548fa3 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)

for (i = 0; i < MAX_EM28XX_INPUT; i++) {
if (!INPUT(i)->type)
- return;
+ break;
media_device_unregister_entity(&dev->input_ent[i]);
}
+ media_device_unregister_entity(&dev->v4l2->vdev.entity);
+ if (em28xx_vbi_supported(dev))
+ media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
#endif
}

@@ -2126,10 +2129,19 @@ static int em28xx_v4l2_open(struct file *filp)
{
struct video_device *vdev = video_devdata(filp);
struct em28xx *dev = video_drvdata(filp);
- struct em28xx_v4l2 *v4l2 = dev->v4l2;
+ struct em28xx_v4l2 *v4l2;
enum v4l2_buf_type fh_type = 0;
int ret;

+ if (mutex_lock_interruptible(&dev->lock))
+ return -ERESTARTSYS;
+
+ v4l2 = dev->v4l2;
+ if (!v4l2) {
+ mutex_unlock(&dev->lock);
+ return -EIO;
+ }
+
switch (vdev->vfl_type) {
case VFL_TYPE_VIDEO:
fh_type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
@@ -2140,6 +2152,7 @@ static int em28xx_v4l2_open(struct file *filp)
case VFL_TYPE_RADIO:
break;
default:
+ mutex_unlock(&dev->lock);
return -EINVAL;
}

@@ -2147,8 +2160,6 @@ static int em28xx_v4l2_open(struct file *filp)
video_device_node_name(vdev), v4l2_type_names[fh_type],
v4l2->users);

- if (mutex_lock_interruptible(&dev->lock))
- return -ERESTARTSYS;

ret = v4l2_fh_open(filp);
if (ret) {

diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
index 10a126e50c1c..72dd761d6ec8 100644
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -441,6 +441,9 @@ static int v4l2_open(struct inode *inode, struct file *filp)
}

done:
+ if (ret == -EIO)
+ return ret;
+
if (vdev->dev_debug & V4L2_DEV_DEBUG_FOP)
dprintk("%s: open (%d)\n",
video_device_node_name(vdev), ret);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com

Tested on:

commit: 755bc133 Merge tag 'riscv-for-linus-6.19-rc5' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109c499a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=123325fa580000

[Edward Adam Davis]

When creating a media graph, a failure occurred due to the lack of
a corresponding decoder. During the subsequent media device release
process, the video and VBI devices were not properly unregistered,
leading to a use-after-free vulnerability reported by syzbot [1].

The fix involves adding the necessary unregister operations.

[1]

BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093

Call Trace:

media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458

Allocated by task 5932:

em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117

Freed by task 5932:

em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/media/usb/em28xx/em28xx-video.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..45b68ebf2e9c 100644

--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)

for (i = 0; i < MAX_EM28XX_INPUT; i++) {
if (!INPUT(i)->type)
- return;
+ break;
media_device_unregister_entity(&dev->input_ent[i]);
}
+ media_device_unregister_entity(&dev->v4l2->vdev.entity);
+ if (em28xx_vbi_supported(dev))
+ media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
#endif
}

--
2.43.0

[Laurent Pinchart]

On Sun, Jan 11, 2026 at 01:29:10PM +0800, Edward Adam Davis wrote:
> When creating a media graph, a failure occurred due to the lack of
> a corresponding decoder. During the subsequent media device release
> process, the video and VBI devices were not properly unregistered,
> leading to a use-after-free vulnerability reported by syzbot [1].

You have no idea what this means, do you ?

Regards,

Laurent Pinchart

[Hans Verkuil]

This is definitely wrong: these are registered and unregistered in v4l2-dev.c,
so it makes no sense to unregister them here.

This is a very complicated driver, and fixing life-time issues is very hard.

Regards,

Hans

> #endif
> }
>

[Edward Adam Davis]

#syz test

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index b0c184f237a7..563b4267588e 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2147,7 +2147,7 @@ static int em28xx_v4l2_open(struct file *filp)

video_device_node_name(vdev), v4l2_type_names[fh_type],
v4l2->users);

- if (mutex_lock_interruptible(&dev->lock))

+ if (!mutex_trylock(&dev->lock))

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com

Tested on:

commit: 0e4f8f1a Merge tag 'parisc-for-7.0-rc5' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146efed6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c6ed5b87493cedd8
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11dc3cf6580000

[Edward Adam Davis]

You are only half right. Under normal circumstances, these devices
would indeed be unregistered via media_device_unregister() in v4l2-dev.c.
However, did you notice that if em28xx_v4l2_init() fails to create
the media graph, it will release the corresponding v4l2, including
its members vdev and vbi_dev, before media_device_unregister() is called?

Furthermore, both vdev and vbi_dev are instances of struct video_device.
Since they are inserted into the media framework as entities, they are,
in essence, the corresponding video_device instances themselves (as the
first member of struct video_device is, in fact, the entity instance).

Therefore, the UAF vulnerability described in [1] is ultimately triggered
when media_device_unregister() attempts to remove the entity from the
mdev instance at a em28xx usb disconnect.

Why is the execution of media_device_unregister() delayed in this context?
There is a high probability that the open syscall acquires em28xx->lock
*before* the unregistration path for media devices can proceed. This
scenario is identical to the one described in patch [2]; consequently,
this issue can also be resolved by applying the fix provided in [2].

[2] https://lore.kernel.org/all/tencent_5DCCB375C36949...@qq.com

BR,
Edward

[hverkui...@kernel.org]

To properly fix em28xx it has to be redesigned: all clean up would have to
be done in the v4l2_device release callback, similar to how au0282 does that.

There is no point in working around issues, without going for that approach.

The em28xx driver predates that callback, and nobody ever took the time and
substantial effort to convert it.

We regularly get patches for em28xx, but they are basically addressing symptoms
rather than the cause.

If someone wants to take on this task, then that would be great and I'm willing
to help with advice etc., but you also need to have at least some em28xx devices
to test with.

Regards,

Hans