[syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources

16 views
Skip to first unread message

syzbot

unread,
Aug 2, 2024, 3:49:21 AM8/2/24
to linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6342649c33d2 Merge tag 'block-6.11-20240726' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=159feda1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5efb917b1462a973
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f7155d1516ca/disk-6342649c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f724a979b927/vmlinux-6342649c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/480121fc37f0/bzImage-6342649c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+16062f...@syzkaller.appspotmail.com

em28xx 5-1:0.0: Closing input extension
==================================================================
BUG: KASAN: slab-use-after-free in media_device_unregister+0x154/0x470
Read of size 8 at addr ffff888058df4210 by task kworker/0:1/9

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.10.0-syzkaller-12881-g6342649c33d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
media_device_unregister+0x154/0x470
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xa7/0x230 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x1cc/0x530 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x25e/0x940 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:568 [inline]
__device_release_driver drivers/base/dd.c:1272 [inline]
device_release_driver_internal+0x503/0x7c0 drivers/base/dd.c:1295
bus_remove_device+0x34f/0x420 drivers/base/bus.c:574
device_del+0x57a/0x9b0 drivers/base/core.c:3868
usb_disable_device+0x3bf/0x850 drivers/usb/core/message.c:1418
usb_disconnect+0x340/0x950 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1eb9/0x5150 drivers/usb/core/hub.c:5903
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 31851:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4189
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
em28xx_v4l2_init+0xfd/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2534
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 31851:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x149/0x360 mm/slub.c:4594
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x16d7/0x2f40 drivers/media/usb/em28xx/em28xx-video.c:2903
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff888058df4000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 528 bytes inside of
freed 8192-byte region [ffff888058df4000, ffff888058df6000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x58df0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff888015842280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff888015842280 dead000000000122 0000000000000000
head: 0000000000000000 0000000080020002 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001637c01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 3922, tgid 3922 (kworker/u8:8), ts 2368883364470, free_ts 2368880799693
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3442
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4700
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2321
allocate_slab+0x5a/0x2f0 mm/slub.c:2484
new_slab mm/slub.c:2537 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
__slab_alloc+0x58/0xa0 mm/slub.c:3813
__slab_alloc_node mm/slub.c:3866 [inline]
slab_alloc_node mm/slub.c:4025 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4170
kmalloc_noprof include/linux/slab.h:685 [inline]
n_hdlc_tty_receive+0x1ce/0x4e0 drivers/tty/n_hdlc.c:393
tty_ldisc_receive_buf+0x11f/0x170 drivers/tty/tty_buffer.c:391
tty_port_default_receive_buf+0x6d/0xa0 drivers/tty/tty_port.c:37
receive_buf drivers/tty/tty_buffer.c:445 [inline]
flush_to_ldisc+0x328/0x860 drivers/tty/tty_buffer.c:495
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
page last free pid 13102 tgid 13102 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
discard_slab mm/slub.c:2583 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3051
put_cpu_partial+0x17c/0x250 mm/slub.c:3126
__slab_free+0x2ea/0x3d0 mm/slub.c:4343
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
anon_vma_chain_alloc mm/rmap.c:142 [inline]
__anon_vma_prepare+0xc4/0x4a0 mm/rmap.c:195
vmf_anon_prepare mm/memory.c:3289 [inline]
do_anonymous_page mm/memory.c:4551 [inline]
do_pte_missing mm/memory.c:3945 [inline]
handle_pte_fault+0x5788/0x6eb0 mm/memory.c:5522
__handle_mm_fault mm/memory.c:5665 [inline]
handle_mm_fault+0x1029/0x1980 mm/memory.c:5833
do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
ffff888058df4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888058df4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888058df4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888058df4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888058df4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

unread,
Jan 8, 2026, 11:22:26 PM (3 days ago) Jan 8
to laurent....@ideasonboard.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, sakari...@linux.intel.com, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1a9f5da29b00/disk-79b95d74.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7c4b0c995534/vmlinux-79b95d74.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5089d6692134/bzImage-79b95d74.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+16062f...@syzkaller.appspotmail.com

em28xx 5-1:0.132: Closing input extension
==================================================================
BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093

CPU: 1 UID: 0 PID: 6093 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:571 [inline]
__device_release_driver drivers/base/dd.c:1282 [inline]
device_release_driver_internal+0x4d9/0x800 drivers/base/dd.c:1305
bus_remove_device+0x34d/0x440 drivers/base/bus.c:616
device_del+0x511/0x8e0 drivers/base/core.c:3878
usb_disable_device+0x3d4/0x8e0 drivers/usb/core/message.c:1418
usb_disconnect+0x32f/0x990 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1ca9/0x4ef0 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>

Allocated by task 5932:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 5932:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88807c114000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 528 bytes inside of
freed 8192-byte region [ffff88807c114000, ffff88807c116000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c110
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea00007dc800 0000000000000003
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea00007dc800 0000000000000003
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001f04401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5959, tgid 5959 (syz-executor), ts 109562656564, free_ts 109528923164
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
macvlan_port_create drivers/net/macvlan.c:1246 [inline]
macvlan_common_newlink+0x5a3/0x1980 drivers/net/macvlan.c:1484
macvtap_newlink+0x13c/0x1b0 drivers/net/macvtap.c:108
rtnl_newlink_create+0x310/0xb00 net/core/rtnetlink.c:3840
__rtnl_newlink net/core/rtnetlink.c:3957 [inline]
rtnl_newlink+0x16e7/0x1c90 net/core/rtnetlink.c:4072
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
page last free pid 5959 tgid 5959 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x43c/0x720 mm/slub.c:5315
__alloc_skb+0x1dc/0x3a0 net/core/skbuff.c:679
alloc_skb include/linux/skbuff.h:1383 [inline]
nlmsg_new include/net/netlink.h:1055 [inline]
netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2487
netlink_rcv_skb+0x28c/0x470 net/netlink/af_netlink.c:2556
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

Memory state around the buggy address:
ffff88807c114100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807c114180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807c114200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807c114280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807c114300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

unread,
Jan 9, 2026, 2:56:18 AM (2 days ago) Jan 9
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: [PATCH] em28xx: test
Author: xiaop...@foxmail.com

From: Pei Xiao <xiao...@kylinos.cn>

#syz test
---
drivers/media/usb/em28xx/em28xx-video.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..0c925931671f 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2899,6 +2899,7 @@ static int em28xx_v4l2_init(struct em28xx *dev)
err:
dev->v4l2 = NULL;
kref_put(&v4l2->ref, em28xx_free_v4l2);
+ dev->media_dev = NULL;
mutex_unlock(&dev->lock);
return ret;
}
--
2.25.1

syzbot

unread,
Jan 9, 2026, 4:42:06 AM (2 days ago) Jan 9
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, xiao...@kylinos.cn, xiaop...@foxmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807f400740 by task v4l_id/6673

CPU: 0 UID: 0 PID: 6673 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4787
do_filp_open+0x1fa/0x410 fs/namei.c:4814
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6620ca7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffbb799140 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f662137b880 RCX: 00007f6620ca7407
RDX: 0000000000000000 RSI: 00007fffbb79af1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fffbb799390 R14: 00007f6621480000 R15: 000055bfa77444d8
</TASK>

Allocated by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0x108/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x168e/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88807f400000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1856 bytes inside of
freed 8192-byte region [ffff88807f400000, ffff88807f402000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f400
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001fd0001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5588, tgid 5588 (init), ts 51300794908, free_ts 50968755883
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
page last free pid 5575 tgid 5575 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__kmalloc_cache_noprof+0x37c/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x183/0x1f70 security/tomoyo/audit.c:255
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:587
tomoyo_path_perm+0x392/0x4b0 security/tomoyo/file.c:838
security_inode_getattr+0x12f/0x330 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat fs/stat.c:281 [inline]
__do_sys_newfstat fs/stat.c:555 [inline]
__se_sys_newfstat fs/stat.c:550 [inline]
__x64_sys_newfstat+0xfc/0x200 fs/stat.c:550
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff88807f400600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f400700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f400780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 623fb991 Merge tag 'pinctrl-v6.19-2' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b85074580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=142d583a580000

Hillf Danton

unread,
Jan 9, 2026, 10:22:25 PM (2 days ago) Jan 9
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Thu, 08 Jan 2026 20:22:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2898,6 +2898,7 @@ unregister_dev:
v4l2_device_unregister(&v4l2->v4l2_dev);
err:
dev->v4l2 = NULL;
+ em28xx_v4l2_media_release(dev);
kref_put(&v4l2->ref, em28xx_free_v4l2);

syzbot

unread,
Jan 9, 2026, 10:50:04 PM (2 days ago) Jan 9
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88802f1b8740 by task v4l_id/6806

CPU: 0 UID: 0 PID: 6806 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4637 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc5b96a7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffdbdc9110 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fc5b9d43880 RCX: 00007fc5b96a7407
RDX: 0000000000000000 RSI: 00007fffdbdcaf1c RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fffdbdc9360 R14: 00007fc5b9eaa000 R15: 000055ed108754d8
</TASK>

Allocated by task 6727:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0xfe/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6727:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x181e/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2902
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88802f1b8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1856 bytes inside of
freed 8192-byte region [ffff88802f1b8000, ffff88802f1ba000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f1b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 0000000000000000 0000000000000001
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000bc6e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x528c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP), pid 6263, tgid 6263 (syz-executor), ts 116705980999, free_ts 116699070356
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kvmalloc_node_noprof+0x6b6/0x920 mm/slub.c:7136
kvmalloc_array_node_noprof include/linux/slab.h:1122 [inline]
__ptr_ring_init_queue_alloc_noprof include/linux/ptr_ring.h:481 [inline]
ptr_ring_init_noprof include/linux/ptr_ring.h:499 [inline]
skb_array_init_noprof include/linux/skb_array.h:182 [inline]
pfifo_fast_init+0x242/0x6c0 net/sched/sch_generic.c:870
qdisc_create_dflt+0x13b/0x4c0 net/sched/sch_generic.c:1015
attach_one_default_qdisc net/sched/sch_generic.c:1174 [inline]
netdev_for_each_tx_queue include/linux/netdevice.h:2680 [inline]
attach_default_qdiscs net/sched/sch_generic.c:1192 [inline]
dev_activate+0x378/0x1150 net/sched/sch_generic.c:1251
__dev_open+0x647/0x800 net/core/dev.c:1692
__dev_change_flags+0x1f7/0x680 net/core/dev.c:9736
netif_change_flags+0x88/0x1a0 net/core/dev.c:9799
do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
rtnl_changelink net/core/rtnetlink.c:3776 [inline]
__rtnl_newlink net/core/rtnetlink.c:3935 [inline]
rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
page last free pid 6263 tgid 6263 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3cf/0x800 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820
ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949
addrconf_add_mroute net/ipv6/addrconf.c:2552 [inline]
addrconf_add_dev+0x23f/0x320 net/ipv6/addrconf.c:2570
addrconf_gre_config net/ipv6/addrconf.c:3530 [inline]
addrconf_init_auto_addrs+0x146/0xa00 net/ipv6/addrconf.c:3559
addrconf_notify+0xb1e/0x1050 net/ipv6/addrconf.c:3740
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
__dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804

Memory state around the buggy address:
ffff88802f1b8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802f1b8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802f1b8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802f1b8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802f1b8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: cb2076b0 Merge tag 'block-6.19-20260109' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17eb519a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=12bc719a580000

Hillf Danton

unread,
Jan 10, 2026, 3:50:51 AM (yesterday) Jan 10
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Thu, 08 Jan 2026 20:22:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2150,6 +2150,10 @@ static int em28xx_v4l2_open(struct file
if (mutex_lock_interruptible(&dev->lock))
return -ERESTARTSYS;

+ if (dev->v4l2 == NULL) {
+ mutex_unlock(&dev->lock);
+ return -EINVAL;
+ }
ret = v4l2_fh_open(filp);
if (ret) {
dev_err(&dev->intf->dev,
@@ -2898,6 +2902,7 @@ unregister_dev:

syzbot

unread,
Jan 10, 2026, 5:13:05 AM (yesterday) Jan 10
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_open

==================================================================
BUG: KASAN: slab-use-after-free in v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
Read of size 4 at addr ffff88802882c808 by task v4l_id/6679

CPU: 1 UID: 0 PID: 6679 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4637 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4796
do_filp_open+0x1fa/0x410 fs/namei.c:4823
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f25280a7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffd5d4c3160 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f25287b8880 RCX: 00007f25280a7407
RDX: 0000000000000000 RSI: 00007ffd5d4c3f1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffd5d4c33b0 R14: 00007f252891f000 R15: 00005609bc9d64d8
</TASK>

Allocated by task 6566:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0xfe/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2536
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Freed by task 6566:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x181e/0x30c0 drivers/media/usb/em28xx/em28xx-video.c:2906
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

The buggy address belongs to the object at ffff88802882c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2056 bytes inside of
freed 8192-byte region [ffff88802882c000, ffff88802882e000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28828
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea0000bc1600 dead000000000003
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea0000bc1600 dead000000000003
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000a20a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5649, tgid 5649 (dhcpcd-run-hook), ts 51915061807, free_ts 51914952418
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
page last free pid 5649 tgid 5649 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_noprof+0x3cf/0x800 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
do_execve fs/exec.c:1933 [inline]
__do_sys_execve fs/exec.c:2009 [inline]
__se_sys_execve fs/exec.c:2004 [inline]
__x64_sys_execve+0x94/0xb0 fs/exec.c:2004
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94

Memory state around the buggy address:
ffff88802882c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802882c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802882c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802882c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802882c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: b6151c4e Merge tag 'erofs-for-6.19-rc5-fixes' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1213f83a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=153d3f92580000

Hillf Danton

unread,
Jan 10, 2026, 7:23:51 PM (16 hours ago) Jan 10
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Thu, 08 Jan 2026 20:22:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2150,6 +2150,10 @@ static int em28xx_v4l2_open(struct file
if (mutex_lock_interruptible(&dev->lock))
return -ERESTARTSYS;

+ if (dev->v4l2 == NULL) {
+ mutex_unlock(&dev->lock);
+ return -EINVAL;
+ }
ret = v4l2_fh_open(filp);
if (ret) {
dev_err(&dev->intf->dev,
@@ -2898,7 +2902,6 @@ unregister_dev:
v4l2_device_unregister(&v4l2->v4l2_dev);
err:
dev->v4l2 = NULL;
- kref_put(&v4l2->ref, em28xx_free_v4l2);

syzbot

unread,
Jan 10, 2026, 8:51:05 PM (15 hours ago) Jan 10
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com

Tested on:

commit: 97313d61 Merge tag 'iommu-fixes-v6.19-rc4' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146ff19a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1022699a580000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

unread,
Jan 10, 2026, 11:46:09 PM (12 hours ago) Jan 10
to syzbot+16062f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..490ac7548fa3 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)

for (i = 0; i < MAX_EM28XX_INPUT; i++) {
if (!INPUT(i)->type)
- return;
+ break;
media_device_unregister_entity(&dev->input_ent[i]);
}
+ media_device_unregister_entity(&dev->v4l2->vdev.entity);
+ if (em28xx_vbi_supported(dev))
+ media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
#endif
}

@@ -2126,10 +2129,19 @@ static int em28xx_v4l2_open(struct file *filp)
{
struct video_device *vdev = video_devdata(filp);
struct em28xx *dev = video_drvdata(filp);
- struct em28xx_v4l2 *v4l2 = dev->v4l2;
+ struct em28xx_v4l2 *v4l2;
enum v4l2_buf_type fh_type = 0;
int ret;

+ if (mutex_lock_interruptible(&dev->lock))
+ return -ERESTARTSYS;
+
+ v4l2 = dev->v4l2;
+ if (!v4l2) {
+ mutex_unlock(&dev->lock);
+ return -EIO;
+ }
+
switch (vdev->vfl_type) {
case VFL_TYPE_VIDEO:
fh_type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
@@ -2140,6 +2152,7 @@ static int em28xx_v4l2_open(struct file *filp)
case VFL_TYPE_RADIO:
break;
default:
+ mutex_unlock(&dev->lock);
return -EINVAL;
}

@@ -2147,8 +2160,6 @@ static int em28xx_v4l2_open(struct file *filp)
video_device_node_name(vdev), v4l2_type_names[fh_type],
v4l2->users);

- if (mutex_lock_interruptible(&dev->lock))
- return -ERESTARTSYS;

ret = v4l2_fh_open(filp);
if (ret) {
diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
index 10a126e50c1c..72dd761d6ec8 100644
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -441,6 +441,9 @@ static int v4l2_open(struct inode *inode, struct file *filp)
}

done:
+ if (ret == -EIO)
+ return ret;
+
if (vdev->dev_debug & V4L2_DEV_DEBUG_FOP)
dprintk("%s: open (%d)\n",
video_device_node_name(vdev), ret);

syzbot

unread,
12:14 AM (11 hours ago) 12:14 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com

Tested on:

commit: 755bc133 Merge tag 'riscv-for-linus-6.19-rc5' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109c499a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=323fe5bdde2384a5
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=123325fa580000

Edward Adam Davis

unread,
12:29 AM (11 hours ago) 12:29 AM
to syzbot+16062f...@syzkaller.appspotmail.com, laurent....@ideasonboard.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, sakari...@linux.intel.com, syzkall...@googlegroups.com
When creating a media graph, a failure occurred due to the lack of
a corresponding decoder. During the subsequent media device release
process, the video and VBI devices were not properly unregistered,
leading to a use-after-free vulnerability reported by syzbot [1].

The fix involves adding the necessary unregister operations.

[1]
BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093
Call Trace:
media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458

Allocated by task 5932:
em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117

Freed by task 5932:
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901

Reported-by: syzbot+16062f...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
Tested-by: syzbot+16062f...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/media/usb/em28xx/em28xx-video.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 2dfa3242a7ab..45b68ebf2e9c 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)

for (i = 0; i < MAX_EM28XX_INPUT; i++) {
if (!INPUT(i)->type)
- return;
+ break;
media_device_unregister_entity(&dev->input_ent[i]);
}
+ media_device_unregister_entity(&dev->v4l2->vdev.entity);
+ if (em28xx_vbi_supported(dev))
+ media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
#endif
}

--
2.43.0

Laurent Pinchart

unread,
10:32 AM (1 hour ago) 10:32 AM
to Edward Adam Davis, syzbot+16062f...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, sakari...@linux.intel.com, syzkall...@googlegroups.com
On Sun, Jan 11, 2026 at 01:29:10PM +0800, Edward Adam Davis wrote:
> When creating a media graph, a failure occurred due to the lack of
> a corresponding decoder. During the subsequent media device release
> process, the video and VBI devices were not properly unregistered,
> leading to a use-after-free vulnerability reported by syzbot [1].

You have no idea what this means, do you ?
Regards,

Laurent Pinchart
Reply all
Reply to author
Forward
0 new messages