From: syzbot <syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
xiaopei01@kylinos.cn, xiaopeitux@foxmail.com
Subject: Re: [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources
Date: Fri, 09 Jan 2026 01:42:04 -0800 [thread overview]
Message-ID: <6960cd6c.050a0220.1c677c.03c2.GAE@google.com> (raw)
In-Reply-To: <tencent_7C6E5DAA21483E2FE513A83926D78B885807@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807f400740 by task v4l_id/6673
CPU: 0 UID: 0 PID: 6673 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4787
do_filp_open+0x1fa/0x410 fs/namei.c:4814
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6620ca7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffbb799140 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f662137b880 RCX: 00007f6620ca7407
RDX: 0000000000000000 RSI: 00007fffbb79af1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fffbb799390 R14: 00007f6621480000 R15: 000055bfa77444d8
</TASK>
Allocated by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0x108/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x168e/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88807f400000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1856 bytes inside of
freed 8192-byte region [ffff88807f400000, ffff88807f402000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f400
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001fd0001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5588, tgid 5588 (init), ts 51300794908, free_ts 50968755883
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
page last free pid 5575 tgid 5575 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__kmalloc_cache_noprof+0x37c/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x183/0x1f70 security/tomoyo/audit.c:255
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:587
tomoyo_path_perm+0x392/0x4b0 security/tomoyo/file.c:838
security_inode_getattr+0x12f/0x330 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat fs/stat.c:281 [inline]
__do_sys_newfstat fs/stat.c:555 [inline]
__se_sys_newfstat fs/stat.c:550 [inline]
__x64_sys_newfstat+0xfc/0x200 fs/stat.c:550
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807f400600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f400700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f400780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 623fb991 Merge tag 'pinctrl-v6.19-2' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b85074580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=142d583a580000
next prev parent reply other threads:[~2026-01-09 9:42 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-02 7:49 [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources syzbot
2026-01-09 4:22 ` syzbot
2026-01-09 7:55 ` [PATCH] em28xx: test xiaopeitux
2026-01-09 9:42 ` syzbot [this message]
2026-01-10 3:22 ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources Hillf Danton
2026-01-10 3:50 ` syzbot
2026-01-10 8:50 ` Hillf Danton
2026-01-10 10:13 ` syzbot
2026-01-11 0:23 ` Hillf Danton
2026-01-11 1:51 ` syzbot
2026-01-11 4:46 ` Edward Adam Davis
2026-01-11 5:14 ` syzbot
2026-01-11 5:29 ` [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity Edward Adam Davis
2026-01-11 15:31 ` Laurent Pinchart
2026-03-16 14:03 ` Hans Verkuil
2026-03-20 11:45 ` Edward Adam Davis
2026-03-20 12:07 ` hverkuil+cisco
2026-03-20 6:15 ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources Edward Adam Davis
2026-03-20 10:59 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6960cd6c.050a0220.1c677c.03c2.GAE@google.com \
--to=syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=xiaopei01@kylinos.cn \
--cc=xiaopeitux@foxmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.