[BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init

[BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init

[Shuangpeng]

Hi Kernel Maintainers,

I hit the following KASAN report while testing current upstream kernel:

KASAN: slab-use-after-free in pvr2_v4l2_dev_init

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/1bb11709aa99114979c00138773e23f3

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>


[  594.064526][ T2009] ==================================================================
[  594.066061][ T2009] BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
[  594.067466][ T2009] Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009
[  594.068813][ T2009]
[  594.069190][ T2009] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  594.069195][ T2009] Call Trace:
[  594.069199][ T2009]  <TASK>
[  594.069204][ T2009]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[  594.069211][ T2009]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[  594.069231][ T2009]  kasan_report (mm/kasan/report.c:595)
[  594.069243][ T2009]  pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
[  594.069263][ T2009]  pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
[  594.069270][ T2009]  pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
[  594.069275][ T2009]  pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158)
[  594.069333][ T2009]  kthread (kernel/kthread.c:436)
[  594.069351][ T2009]  ret_from_fork (arch/x86/kernel/process.c:158)
[  594.069375][ T2009]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[  594.069383][ T2009]  </TASK>
[  594.069385][ T2009]
[  594.087179][ T2009] Freed by task 2009 on cpu 1 at 594.064509s:
[  594.087705][ T2009]  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[  594.088130][ T2009]  kasan_save_free_info (mm/kasan/generic.c:584)
[  594.088566][ T2009]  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[  594.088980][ T2009]  kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[  594.089324][ T2009]  v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
[  594.089762][ T2009]  device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
[  594.090164][ T2009]  kobject_put (lib/kobject.c:689 lib/kobject.c:720 ./include/linux/kref.h:65 lib/kobject.c:737)
[  594.090544][ T2009]  __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
[  594.091031][ T2009]  pvr2_v4l2_dev_init (./include/media/v4l2-dev.h:390 drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
[  594.091460][ T2009]  pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
[  594.091943][ T2009]  pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
[  594.092348][ T2009]  pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158)
[  594.092825][ T2009]  kthread (kernel/kthread.c:436)
[  594.093188][ T2009]  ret_from_fork (arch/x86/kernel/process.c:158)
[  594.093587][ T2009]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[  594.094004][ T2009]
[  594.094213][ T2009] The buggy address belongs to the object at ffff88810a2aa000
[  594.094213][ T2009]  which belongs to the cache kmalloc-2k of size 2048
[  594.095415][ T2009] The buggy address is located 1204 bytes inside of
[  594.095415][ T2009]  freed 2048-byte region [ffff88810a2aa000, ffff88810a2aa800)


Best,
Shuangpeng

[PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init

[xiaopeitux]

From: Pei Xiao <xiaopei01@kylinos.cn>

The driver attempts to register the same video_device twice if the first
registration with a specific minor number fails. However, when the first
video_register_device() call fails, the underlying device structure is
released via put_device(), which frees the video_device object. The second
call then uses the already freed pointer, causing a KASAN
slab-use-after-free error.

Moreover, the second call always uses -1 (automatic minor allocation),
which is redundant because mindevnum already can be -1 when no fixed
minor is requested. Keeping both calls does not provide any benefit but
introduces a use-after-free vulnerability.

Fix this by removing the second registration attempt and using only
the first call with mindevnum. This preserves the ability to request
a specific minor number (when mindevnum >= 0) while falling back to
automatic allocation (when mindevnum == -1) without double-registering
the same device.

Logs:
BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init
(drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009

Call Trace:
 dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
 print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
 kasan_report (mm/kasan/report.c:595)
 pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
 pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
 pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
 ...

Freed by task 2009 on cpu 1 at 594.064509s:
 kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
 kasan_save_free_info (mm/kasan/generic.c:584)
 __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
 kfree
 v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
 device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
 kobject_put
 __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
 pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
 pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
 pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
 ...

Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb")
Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/
stable@vger.kernel.org
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
---
 drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
index 101b2e9fbaab..f9df813ca09b 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
@@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
 		mindevnum = nr_ptr[unit_number];
 	}
 	pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase);
-	if ((video_register_device(&dip->devbase,
-				   dip->v4l_type, mindevnum) < 0) &&
-	    (video_register_device(&dip->devbase,
-				   dip->v4l_type, -1) < 0)) {
+	if (video_register_device(&dip->devbase,
+				   dip->v4l_type, mindevnum) < 0)
 		pr_err(KBUILD_MODNAME
 			": Failed to register pvrusb2 v4l device\n");
-	}
 
 	pr_info("pvrusb2: registered device %s [%s]\n",
 	       video_device_node_name(&dip->devbase),
-- 
2.25.1

Re: [PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete fix: Use-After-Free on video_register_device error path.
- [Medium] Memory leak when video_register_device fails early.
--

commit e9309ec9cc3bd0c7e640b415aa2e2d4a14232789
Author: Pei Xiao <xiaopei01@kylinos.cn>

media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init

This commit removes a redundant second video_register_device() call to
prevent a slab-use-after-free when the first registration attempt fails.

Link: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/

> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> index 101b2e9fbaab7..f9df813ca09b7 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
>  		mindevnum = nr_ptr[unit_number];
>  	}
>  	pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase);
> -	if ((video_register_device(&dip->devbase,
> -				   dip->v4l_type, mindevnum) < 0) &&
> -	    (video_register_device(&dip->devbase,
> -				   dip->v4l_type, -1) < 0)) {
> +	if (video_register_device(&dip->devbase,
> +				   dip->v4l_type, mindevnum) < 0)
>  		pr_err(KBUILD_MODNAME
>  			": Failed to register pvrusb2 v4l device\n");

[Severity: High]
This is a pre-existing issue, but does execution fall through here if
video_register_device() fails?

If video_register_device() fails during device_register(), the V4L2 core
drops the device reference via put_device(). This triggers the driver's
pvr2_video_device_release() callback, freeing the dip structure.

Since there is no early return on error, execution continues and immediately
dereferences the freed dip object in the following pr_info() call and in
pvr2_hdw_v4l_store_minor_number().

Additionally, since pvr2_v4l2_dev_init() returns void, the caller
pvr2_v4l2_create() assumes success and retains the dangling pointer:

drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:pvr2_v4l2_create() {
    ...
    vp->dev_video = kzalloc_obj(*vp->dev_video);
    if (!vp->dev_video) goto fail;
    pvr2_v4l2_dev_init(vp->dev_video, vp, VFL_TYPE_VIDEO);
    ...
}

This leads to a secondary use-after-free when pvr2_v4l2_dev_destroy() accesses
vp->dev_video during device teardown.

Could we add an early return after logging the error?

[Severity: Medium]
This is also a pre-existing issue, but what happens if
video_register_device() fails early before device_register() is called?

In an early failure case (such as if cdev_alloc fails), the V4L2 core returns
an error without calling put_device(), meaning the dip structure is not freed
by the core.

Because pvr2_v4l2_dev_init() lacks error handling and falls through, it does
not explicitly free dip, and vp->dev_video retains the valid but unregistered
pointer.

During teardown, pvr2_v4l2_dev_destroy() passes this pointer to
video_unregister_device(), which checks if the device is registered:

drivers/media/v4l2-core/v4l2-dev.c:video_unregister_device() {
    ...
    /* Check if vdev was ever registered at all */
    if (!vdev || !video_is_registered(vdev))
        return;
    ...
}

Since the flag was never set, video_unregister_device() returns immediately
without unregistering or dropping the reference. Thus,
pvr2_video_device_release() is never invoked, permanently leaking the dip
memory allocation.

Would explicitly freeing the dip structure on early failure resolve this memory
leak?

>  
>  	pr_info("pvrusb2: registered device %s [%s]\n",
>  	       video_device_node_name(&dip->devbase),
>  	       pvr2_config_get_name(dip->config));
>  
>  	pvr2_hdw_v4l_store_minor_number(hdw,
>  					dip->minor_type,dip->devbase.minor);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/tencent_B85DFB2210B877A85021C1BC064E70E61C09@qq.com?part=1

Re: [PATCH] media: usb: pvrusb2: fix slab-use-after-free in pvr2_v4l2_dev_init

[Mike Isely]

Acked-By: Mike Isely <isely@pobox.com>

On Thu, 4 Jun 2026, xiaopeitux@foxmail.com wrote:

> From: Pei Xiao <xiaopei01@kylinos.cn>
> 
> The driver attempts to register the same video_device twice if the first
> registration with a specific minor number fails. However, when the first
> video_register_device() call fails, the underlying device structure is
> released via put_device(), which frees the video_device object. The second
> call then uses the already freed pointer, causing a KASAN
> slab-use-after-free error.
> 
> Moreover, the second call always uses -1 (automatic minor allocation),
> which is redundant because mindevnum already can be -1 when no fixed
> minor is requested. Keeping both calls does not provide any benefit but
> introduces a use-after-free vulnerability.
> 
> Fix this by removing the second registration attempt and using only
> the first call with mindevnum. This preserves the ability to request
> a specific minor number (when mindevnum >= 0) while falling back to
> automatic allocation (when mindevnum == -1) without double-registering
> the same device.
> 
> Logs:
> BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init
> (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
> Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009
> 
> Call Trace:
>  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
>  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
>  kasan_report (mm/kasan/report.c:595)
>  pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
>  pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
>  pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
>  ...
> 
> Freed by task 2009 on cpu 1 at 594.064509s:
>  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
>  kasan_save_free_info (mm/kasan/generic.c:584)
>  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
>  kfree
>  v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
>  device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
>  kobject_put
>  __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
>  pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
>  pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
>  pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
>  ...
> 
> Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb")
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
> Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/
> stable@vger.kernel.org
> Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
> ---
>  drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> index 101b2e9fbaab..f9df813ca09b 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
>  		mindevnum = nr_ptr[unit_number];
>  	}
>  	pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase);
> -	if ((video_register_device(&dip->devbase,
> -				   dip->v4l_type, mindevnum) < 0) &&
> -	    (video_register_device(&dip->devbase,
> -				   dip->v4l_type, -1) < 0)) {
> +	if (video_register_device(&dip->devbase,
> +				   dip->v4l_type, mindevnum) < 0)
>  		pr_err(KBUILD_MODNAME
>  			": Failed to register pvrusb2 v4l device\n");
> -	}
>  
>  	pr_info("pvrusb2: registered device %s [%s]\n",
>  	       video_device_node_name(&dip->devbase),
>