* [BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init @ 2026-06-03 3:15 Shuangpeng 2026-06-04 1:47 ` [PATCH] media: usb: pvrusb2: fix " xiaopeitux 0 siblings, 1 reply; 4+ messages in thread From: Shuangpeng @ 2026-06-03 3:15 UTC (permalink / raw) To: isely, mchehab; +Cc: linux-media, linux-kernel Hi Kernel Maintainers, I hit the following KASAN report while testing current upstream kernel: KASAN: slab-use-after-free in pvr2_v4l2_dev_init on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026) The reproducer and .config files are here. https://gist.github.com/shuangpengbai/1bb11709aa99114979c00138773e23f3 I’m happy to test debug patches or provide additional information. Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com> [ 594.064526][ T2009] ================================================================== [ 594.066061][ T2009] BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) [ 594.067466][ T2009] Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009 [ 594.068813][ T2009] [ 594.069190][ T2009] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 594.069195][ T2009] Call Trace: [ 594.069199][ T2009] <TASK> [ 594.069204][ T2009] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) [ 594.069211][ T2009] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482) [ 594.069231][ T2009] kasan_report (mm/kasan/report.c:595) [ 594.069243][ T2009] pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) [ 594.069263][ T2009] pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) [ 594.069270][ T2009] pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) [ 594.069275][ T2009] pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158) [ 594.069333][ T2009] kthread (kernel/kthread.c:436) [ 594.069351][ T2009] ret_from_fork (arch/x86/kernel/process.c:158) [ 594.069375][ T2009] ret_from_fork_asm (arch/x86/entry/entry_64.S:245) [ 594.069383][ T2009] </TASK> [ 594.069385][ T2009] [ 594.087179][ T2009] Freed by task 2009 on cpu 1 at 594.064509s: [ 594.087705][ T2009] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78) [ 594.088130][ T2009] kasan_save_free_info (mm/kasan/generic.c:584) [ 594.088566][ T2009] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) [ 594.088980][ T2009] kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566) [ 594.089324][ T2009] v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225) [ 594.089762][ T2009] device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690) [ 594.090164][ T2009] kobject_put (lib/kobject.c:689 lib/kobject.c:720 ./include/linux/kref.h:65 lib/kobject.c:737) [ 594.090544][ T2009] __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080) [ 594.091031][ T2009] pvr2_v4l2_dev_init (./include/media/v4l2-dev.h:390 drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218) [ 594.091460][ T2009] pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) [ 594.091943][ T2009] pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) [ 594.092348][ T2009] pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158) [ 594.092825][ T2009] kthread (kernel/kthread.c:436) [ 594.093188][ T2009] ret_from_fork (arch/x86/kernel/process.c:158) [ 594.093587][ T2009] ret_from_fork_asm (arch/x86/entry/entry_64.S:245) [ 594.094004][ T2009] [ 594.094213][ T2009] The buggy address belongs to the object at ffff88810a2aa000 [ 594.094213][ T2009] which belongs to the cache kmalloc-2k of size 2048 [ 594.095415][ T2009] The buggy address is located 1204 bytes inside of [ 594.095415][ T2009] freed 2048-byte region [ffff88810a2aa000, ffff88810a2aa800) Best, Shuangpeng ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init 2026-06-03 3:15 [BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init Shuangpeng @ 2026-06-04 1:47 ` xiaopeitux 2026-06-04 1:58 ` sashiko-bot 2026-06-04 3:20 ` Mike Isely 0 siblings, 2 replies; 4+ messages in thread From: xiaopeitux @ 2026-06-04 1:47 UTC (permalink / raw) To: shuangpeng.kernel, mchehab+huawei, hverkuil+cisco Cc: isely, linux-kernel, linux-media, mchehab, Pei Xiao From: Pei Xiao <xiaopei01@kylinos.cn> The driver attempts to register the same video_device twice if the first registration with a specific minor number fails. However, when the first video_register_device() call fails, the underlying device structure is released via put_device(), which frees the video_device object. The second call then uses the already freed pointer, causing a KASAN slab-use-after-free error. Moreover, the second call always uses -1 (automatic minor allocation), which is redundant because mindevnum already can be -1 when no fixed minor is requested. Keeping both calls does not provide any benefit but introduces a use-after-free vulnerability. Fix this by removing the second registration attempt and using only the first call with mindevnum. This preserves the ability to request a specific minor number (when mindevnum >= 0) while falling back to automatic allocation (when mindevnum == -1) without double-registering the same device. Logs: BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009 Call Trace: dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) print_report (mm/kasan/report.c:378 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:595) pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) ... Freed by task 2009 on cpu 1 at 594.064509s: kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78) kasan_save_free_info (mm/kasan/generic.c:584) __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) kfree v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225) device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690) kobject_put __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080) pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218) pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) ... Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb") Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com> Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/ stable@vger.kernel.org Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> --- drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c index 101b2e9fbaab..f9df813ca09b 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip, mindevnum = nr_ptr[unit_number]; } pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase); - if ((video_register_device(&dip->devbase, - dip->v4l_type, mindevnum) < 0) && - (video_register_device(&dip->devbase, - dip->v4l_type, -1) < 0)) { + if (video_register_device(&dip->devbase, + dip->v4l_type, mindevnum) < 0) pr_err(KBUILD_MODNAME ": Failed to register pvrusb2 v4l device\n"); - } pr_info("pvrusb2: registered device %s [%s]\n", video_device_node_name(&dip->devbase), -- 2.25.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init 2026-06-04 1:47 ` [PATCH] media: usb: pvrusb2: fix " xiaopeitux @ 2026-06-04 1:58 ` sashiko-bot 2026-06-04 3:20 ` Mike Isely 1 sibling, 0 replies; 4+ messages in thread From: sashiko-bot @ 2026-06-04 1:58 UTC (permalink / raw) To: xiaopeitux; +Cc: linux-media Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider: Pre-existing issues: - [High] Incomplete fix: Use-After-Free on video_register_device error path. - [Medium] Memory leak when video_register_device fails early. -- commit e9309ec9cc3bd0c7e640b415aa2e2d4a14232789 Author: Pei Xiao <xiaopei01@kylinos.cn> media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init This commit removes a redundant second video_register_device() call to prevent a slab-use-after-free when the first registration attempt fails. Link: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/ > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > index 101b2e9fbaab7..f9df813ca09b7 100644 > --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip, > mindevnum = nr_ptr[unit_number]; > } > pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase); > - if ((video_register_device(&dip->devbase, > - dip->v4l_type, mindevnum) < 0) && > - (video_register_device(&dip->devbase, > - dip->v4l_type, -1) < 0)) { > + if (video_register_device(&dip->devbase, > + dip->v4l_type, mindevnum) < 0) > pr_err(KBUILD_MODNAME > ": Failed to register pvrusb2 v4l device\n"); [Severity: High] This is a pre-existing issue, but does execution fall through here if video_register_device() fails? If video_register_device() fails during device_register(), the V4L2 core drops the device reference via put_device(). This triggers the driver's pvr2_video_device_release() callback, freeing the dip structure. Since there is no early return on error, execution continues and immediately dereferences the freed dip object in the following pr_info() call and in pvr2_hdw_v4l_store_minor_number(). Additionally, since pvr2_v4l2_dev_init() returns void, the caller pvr2_v4l2_create() assumes success and retains the dangling pointer: drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:pvr2_v4l2_create() { ... vp->dev_video = kzalloc_obj(*vp->dev_video); if (!vp->dev_video) goto fail; pvr2_v4l2_dev_init(vp->dev_video, vp, VFL_TYPE_VIDEO); ... } This leads to a secondary use-after-free when pvr2_v4l2_dev_destroy() accesses vp->dev_video during device teardown. Could we add an early return after logging the error? [Severity: Medium] This is also a pre-existing issue, but what happens if video_register_device() fails early before device_register() is called? In an early failure case (such as if cdev_alloc fails), the V4L2 core returns an error without calling put_device(), meaning the dip structure is not freed by the core. Because pvr2_v4l2_dev_init() lacks error handling and falls through, it does not explicitly free dip, and vp->dev_video retains the valid but unregistered pointer. During teardown, pvr2_v4l2_dev_destroy() passes this pointer to video_unregister_device(), which checks if the device is registered: drivers/media/v4l2-core/v4l2-dev.c:video_unregister_device() { ... /* Check if vdev was ever registered at all */ if (!vdev || !video_is_registered(vdev)) return; ... } Since the flag was never set, video_unregister_device() returns immediately without unregistering or dropping the reference. Thus, pvr2_video_device_release() is never invoked, permanently leaking the dip memory allocation. Would explicitly freeing the dip structure on early failure resolve this memory leak? > > pr_info("pvrusb2: registered device %s [%s]\n", > video_device_node_name(&dip->devbase), > pvr2_config_get_name(dip->config)); > > pvr2_hdw_v4l_store_minor_number(hdw, > dip->minor_type,dip->devbase.minor); -- Sashiko AI review · https://sashiko.dev/#/patchset/tencent_B85DFB2210B877A85021C1BC064E70E61C09@qq.com?part=1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init 2026-06-04 1:47 ` [PATCH] media: usb: pvrusb2: fix " xiaopeitux 2026-06-04 1:58 ` sashiko-bot @ 2026-06-04 3:20 ` Mike Isely 1 sibling, 0 replies; 4+ messages in thread From: Mike Isely @ 2026-06-04 3:20 UTC (permalink / raw) To: xiaopeitux Cc: shuangpeng.kernel, mchehab+huawei, hverkuil+cisco, Linux Kernel Mailing List, linux-media, mchehab, Pei Xiao, Mike Isely at pobox Acked-By: Mike Isely <isely@pobox.com> On Thu, 4 Jun 2026, xiaopeitux@foxmail.com wrote: > From: Pei Xiao <xiaopei01@kylinos.cn> > > The driver attempts to register the same video_device twice if the first > registration with a specific minor number fails. However, when the first > video_register_device() call fails, the underlying device structure is > released via put_device(), which frees the video_device object. The second > call then uses the already freed pointer, causing a KASAN > slab-use-after-free error. > > Moreover, the second call always uses -1 (automatic minor allocation), > which is redundant because mindevnum already can be -1 when no fixed > minor is requested. Keeping both calls does not provide any benefit but > introduces a use-after-free vulnerability. > > Fix this by removing the second registration attempt and using only > the first call with mindevnum. This preserves the ability to request > a specific minor number (when mindevnum >= 0) while falling back to > automatic allocation (when mindevnum == -1) without double-registering > the same device. > > Logs: > BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init > (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) > Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009 > > Call Trace: > dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) > print_report (mm/kasan/report.c:378 mm/kasan/report.c:482) > kasan_report (mm/kasan/report.c:595) > pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221) > pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) > pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) > ... > > Freed by task 2009 on cpu 1 at 594.064509s: > kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78) > kasan_save_free_info (mm/kasan/generic.c:584) > __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) > kfree > v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225) > device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690) > kobject_put > __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080) > pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218) > pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249) > pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40) > ... > > Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb") > Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com> > Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/ > stable@vger.kernel.org > Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> > --- > drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > index 101b2e9fbaab..f9df813ca09b 100644 > --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c > @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip, > mindevnum = nr_ptr[unit_number]; > } > pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase); > - if ((video_register_device(&dip->devbase, > - dip->v4l_type, mindevnum) < 0) && > - (video_register_device(&dip->devbase, > - dip->v4l_type, -1) < 0)) { > + if (video_register_device(&dip->devbase, > + dip->v4l_type, mindevnum) < 0) > pr_err(KBUILD_MODNAME > ": Failed to register pvrusb2 v4l device\n"); > - } > > pr_info("pvrusb2: registered device %s [%s]\n", > video_device_node_name(&dip->devbase), > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-04 3:26 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-03 3:15 [BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init Shuangpeng 2026-06-04 1:47 ` [PATCH] media: usb: pvrusb2: fix " xiaopeitux 2026-06-04 1:58 ` sashiko-bot 2026-06-04 3:20 ` Mike Isely
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.