From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	mchehab@kernel.org, sakari.ailus@linux.intel.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity
Date: Sun, 11 Jan 2026 17:31:56 +0200
Message-ID: <20260111153156.GA4474@pendragon.ideasonboard.com>
In-Reply-To: <tencent_0D8C88E7C506C4D2C2064149816ECB6EDB06@qq.com>

On Sun, Jan 11, 2026 at 01:29:10PM +0800, Edward Adam Davis wrote:
> When creating a media graph, a failure occurred due to the lack of
> a corresponding decoder. During the subsequent media device release
> process, the video and VBI devices were not properly unregistered,
> leading to a use-after-free vulnerability reported by syzbot [1].

You have no idea what this means, do you ?

> The fix involves adding the necessary unregister operations.
> 
> [1]
> BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
> Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093
> Call Trace:
>  media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
>  em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
>  em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
>  em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
>  usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
>  
> Allocated by task 5932:
>  em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
>  em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
>  
> Freed by task 5932:
>  em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
>  
> Reported-by: syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> Tested-by: syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  drivers/media/usb/em28xx/em28xx-video.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
> index 2dfa3242a7ab..45b68ebf2e9c 100644
> --- a/drivers/media/usb/em28xx/em28xx-video.c
> +++ b/drivers/media/usb/em28xx/em28xx-video.c
> @@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)
>  
>  	for (i = 0; i < MAX_EM28XX_INPUT; i++) {
>  		if (!INPUT(i)->type)
> -			return;
> +			break;
>  		media_device_unregister_entity(&dev->input_ent[i]);
>  	}
> +	media_device_unregister_entity(&dev->v4l2->vdev.entity);
> +	if (em28xx_vbi_supported(dev))
> +		media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
>  #endif
>  }
>  
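
Review bot: the two calls added after the loop dereference dev->v4l2 without anything in the hunk or the changelog establishing that the object is still valid at this point. The KASAN report quoted above shows the object allocated in em28xx_v4l2_init() being freed through kref_put() / em28xx_free_v4l2() on that same function's error path, so the commit message should state where em28xx_v4l2_media_release() runs relative to that kref_put(), and which pointer into the freed object media_device_unregister() later follows. It should also say whether the vdev and vbi_dev entities are guaranteed to have been registered on the failure path being described, since this function now unregisters them unconditionally (vbi_dev guarded only by em28xx_vbi_supported(dev)). The return-to-break change alters what runs after the first unused input for every caller, and deserves its own sentence in the changelog.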

-- 
Regards,

Laurent Pinchart


Thread overview: 19+ messages
2024-08-02  7:49 [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources syzbot
2026-01-09  4:22 ` syzbot
2026-01-09  7:55   ` [PATCH] em28xx: test xiaopeitux
2026-01-09  9:42     ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources syzbot
2026-01-10  3:22   ` Hillf Danton
2026-01-10  3:50     ` syzbot
2026-01-10  8:50   ` Hillf Danton
2026-01-10 10:13     ` syzbot
2026-01-11  0:23   ` Hillf Danton
2026-01-11  1:51     ` syzbot
2026-01-11  4:46   ` Edward Adam Davis
2026-01-11  5:14     ` syzbot
2026-01-11  5:29   ` [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity Edward Adam Davis
2026-01-11 15:31     ` Laurent Pinchart [this message]
2026-03-16 14:03     ` Hans Verkuil
2026-03-20 11:45       ` Edward Adam Davis
2026-03-20 12:07         ` hverkuil+cisco
2026-03-20  6:15   ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources Edward Adam Davis
2026-03-20 10:59     ` syzbot
