* [PATCH v3] media: rtl2832: fix use-after-free in rtl2832_remove()
@ 2026-04-22 14:47 Deepanshu Kartikey
From: Deepanshu Kartikey @ 2026-04-22 14:47 UTC (permalink / raw)
To: mchehab
Cc: kees, peda, wsa, crope, linux-media, linux-kernel,
Deepanshu Kartikey, stable, syzbot+019ced393ab913002b75
cancel_delayed_work_sync() is called before i2c_mux_del_adapters()
in rtl2832_remove(). While the cancel waits for any running instance
of i2c_gate_work to finish, it does not prevent the timer from being
rescheduled by a concurrent thread.
During probe, the r820t_attach() call attempts I2C transfers through
the mux adapter. These transfers go through i2c_mux_master_xfer(),
which calls rtl2832_deselect() after the transfer completes,
rescheduling i2c_gate_work via schedule_delayed_work(). If this
transfer is still in flight when rtl2832_remove() runs,
rtl2832_deselect() can reschedule i2c_gate_work after it has been
cancelled, causing a use-after-free when kfree(dev) is called.
Fix this by calling i2c_mux_del_adapters() before
cancel_delayed_work_sync(). Once the mux adapter is unregistered, no
new I2C transfers can go through it, so rtl2832_deselect() can no
longer reschedule i2c_gate_work. The subsequent
cancel_delayed_work_sync() is then guaranteed to be final.
Fixes: cddcc40b1b15 ("[media] rtl2832: convert to use an explicit i2c mux core")
Cc: stable@vger.kernel.org
Reported-by: syzbot+019ced393ab913002b75@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=019ced393ab913002b75
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
v3:
- Fix missing PATCH v2 prefix in subject line
v2:
- Fix Signed-off-by email address (lowercase k)
- Add Cc: stable@vger.kernel.org for stable backport
---
drivers/media/dvb-frontends/rtl2832.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
index d8e1546aea5e..9898f729304a 100644
--- a/drivers/media/dvb-frontends/rtl2832.c
+++ b/drivers/media/dvb-frontends/rtl2832.c
@@ -1115,10 +1115,10 @@ static void rtl2832_remove(struct i2c_client *client)
dev_dbg(&client->dev, "\n");
- cancel_delayed_work_sync(&dev->i2c_gate_work);
-
i2c_mux_del_adapters(dev->muxc);
+ cancel_delayed_work_sync(&dev->i2c_gate_work);
+
regmap_exit(dev->regmap);
kfree(dev);
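Review bot: the reorder of `cancel_delayed_work_sync(&dev->i2c_gate_work);` to after `i2c_mux_del_adapters(dev->muxc);` only closes the reschedule window if i2c_mux_del_adapters() does not return while a transfer issued by r820t_attach() is still inside i2c_mux_master_xfer(), i.e. before its rtl2832_deselect() call has run. The commit message states that no new transfers can start once the mux adapter is unregistered, but it does not say what guarantees an already in-flight transfer has completed before the cancel runs. Suggest adding one sentence to the commit message naming that guarantee (the synchronisation in the adapter teardown that it relies on), so that whoever backports this to the stable trees in Cc can check it holds there as well.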
--
2.43.0
* Re: [PATCH v3] media: rtl2832: fix use-after-free in rtl2832_remove()
From: Deepanshu Kartikey @ 2026-04-23 5:02 UTC (permalink / raw)
To: mchehab
Cc: kees, peda, wsa, crope, linux-media, linux-kernel, stable,
syzbot+019ced393ab913002b75
On Wed, Apr 22, 2026 at 8:17 PM Deepanshu Kartikey
<kartikey406@gmail.com> wrote:
>
> cancel_delayed_work_sync() is called before i2c_mux_del_adapters()
> in rtl2832_remove(). While the cancel waits for any running instance
> of i2c_gate_work to finish, it does not prevent the timer from being
> rescheduled by a concurrent thread.
>
> During probe, the r820t_attach() call attempts I2C transfers through
> the mux adapter. These transfers go through i2c_mux_master_xfer(),
> which calls rtl2832_deselect() after the transfer completes,
> rescheduling i2c_gate_work via schedule_delayed_work(). If this
> transfer is still in flight when rtl2832_remove() runs,
> rtl2832_deselect() can reschedule i2c_gate_work after it has been
> cancelled, causing a use-after-free when kfree(dev) is called.
>
> Fix this by calling i2c_mux_del_adapters() before
> cancel_delayed_work_sync(). Once the mux adapter is unregistered, no
> new I2C transfers can go through it, so rtl2832_deselect() can no
> longer reschedule i2c_gate_work. The subsequent
> cancel_delayed_work_sync() is then guaranteed to be final.
>
> Fixes: cddcc40b1b15 ("[media] rtl2832: convert to use an explicit i2c mux core")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+019ced393ab913002b75@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=019ced393ab913002b75
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> v3:
> - Fix missing PATCH v2 prefix in subject line
> v2:
> - Fix Signed-off-by email address (lowercase k)
> - Add Cc: stable@vger.kernel.org for stable backport
> ---
> drivers/media/dvb-frontends/rtl2832.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
> index d8e1546aea5e..9898f729304a 100644
> --- a/drivers/media/dvb-frontends/rtl2832.c
> +++ b/drivers/media/dvb-frontends/rtl2832.c
> @@ -1115,10 +1115,10 @@ static void rtl2832_remove(struct i2c_client *client)
>
> dev_dbg(&client->dev, "\n");
>
> - cancel_delayed_work_sync(&dev->i2c_gate_work);
> -
> i2c_mux_del_adapters(dev->muxc);
>
> + cancel_delayed_work_sync(&dev->i2c_gate_work);
> +
> regmap_exit(dev->regmap);
>
> kfree(dev);
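Review bot: with this ordering a queued i2c_gate_work can now execute in the window between `i2c_mux_del_adapters(dev->muxc);` and `cancel_delayed_work_sync(&dev->i2c_gate_work);`, when the mux adapters are already unregistered but dev is still allocated. That is safe for the kfree(dev) use-after-free this patch addresses, but the commit message should say whether i2c_gate_work itself issues anything through the mux adapters; if it does, the problem has moved rather than gone, and a reviewer cannot tell from the hunk alone.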
> --
> 2.43.0
>
The CI report shows all tests passing (checkpatch, build,
media-patchstyle, ABI).
The only failure is "Job static" which has no log output, suggesting a
CI infrastructure issue rather than a problem with the patch.
Could a maintainer please take a look?
Thanks
Deepanshu