Re: [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: hverkuil+cisco@kernel.org
To: Edward Adam Davis <eadavis@qq.com>
Cc: laurent.pinchart@ideasonboard.com, linux-kernel@vger.kernel.org,
	linux-media@vger.kernel.org, mchehab@kernel.org,
	sakari.ailus@linux.intel.com,
	syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity
Date: Fri, 20 Mar 2026 13:07:59 +0100	[thread overview]
Message-ID: <3d4d9bc2-1867-417f-aa16-7a1df2aaf4f4@kernel.org> (raw)
In-Reply-To: <tencent_4A4977EF66743D0537DE960A36E84B4C7509@qq.com>

On 20/03/2026 12:45, Edward Adam Davis wrote:
> On Mon, 16 Mar 2026 15:03:23 +0100, Hans Verkuil wrote:
>> On 11/01/2026 06:29, Edward Adam Davis wrote:
>>> When creating a media graph, a failure occurred due to the lack of
>>> a corresponding decoder. During the subsequent media device release
>>> process, the video and VBI devices were not properly unregistered,
>>> leading to a use-after-free vulnerability reported by syzbot [1].
>>>
>>> The fix involves adding the necessary unregister operations.
>>>
>>> [1]
>>> BUG: KASAN: slab-use-after-free in media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
>>> Read of size 8 at addr ffff88807c114210 by task kworker/1:9/6093
>>> Call Trace:
>>>  media_device_unregister+0x141/0x430 drivers/media/mc/mc-device.c:804
>>>  em28xx_unregister_media_device drivers/media/usb/em28xx/em28xx-cards.c:3511 [inline]
>>>  em28xx_release_resources+0xac/0x240 drivers/media/usb/em28xx/em28xx-cards.c:3532
>>>  em28xx_usb_disconnect+0x19f/0x2f0 drivers/media/usb/em28xx/em28xx-cards.c:4201
>>>  usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
>>>
>>> Allocated by task 5932:
>>>  em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
>>>  em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
>>>
>>> Freed by task 5932:
>>>  em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
>>>  kref_put include/linux/kref.h:65 [inline]
>>>  em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
>>>
>>> Reported-by: syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
>>> Tested-by: syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com
>>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>>> ---
>>>  drivers/media/usb/em28xx/em28xx-video.c | 5 ++++-
>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
>>> index 2dfa3242a7ab..45b68ebf2e9c 100644
>>> --- a/drivers/media/usb/em28xx/em28xx-video.c
>>> +++ b/drivers/media/usb/em28xx/em28xx-video.c
>>> @@ -882,9 +882,12 @@ static void em28xx_v4l2_media_release(struct em28xx *dev)
>>>
>>>  	for (i = 0; i < MAX_EM28XX_INPUT; i++) {
>>>  		if (!INPUT(i)->type)
>>> -			return;
>>> +			break;
>>>  		media_device_unregister_entity(&dev->input_ent[i]);
>>>  	}
>>> +	media_device_unregister_entity(&dev->v4l2->vdev.entity);
>>> +	if (em28xx_vbi_supported(dev))
>>> +		media_device_unregister_entity(&dev->v4l2->vbi_dev.entity);
>>
>> This is definitely wrong: these are registered and unregistered in v4l2-dev.c,
>> so it makes no sense to unregister them here.
> You are only half right. Under normal circumstances, these devices
> would indeed be unregistered via media_device_unregister() in v4l2-dev.c.
> However, did you notice that if em28xx_v4l2_init() fails to create
> the media graph, it will release the corresponding v4l2, including
> its members vdev and vbi_dev, before media_device_unregister() is called?
> 
> Furthermore, both vdev and vbi_dev are instances of struct video_device.
> Since they are inserted into the media framework as entities, they are,
> in essence, the corresponding video_device instances themselves (as the
> first member of struct video_device is, in fact, the entity instance).
> 
> Therefore, the UAF vulnerability described in [1] is ultimately triggered
> when media_device_unregister() attempts to remove the entity from the
> mdev instance at a em28xx usb disconnect.
> 
> Why is the execution of media_device_unregister() delayed in this context?
> There is a high probability that the open syscall acquires em28xx->lock
> *before* the unregistration path for media devices can proceed. This
> scenario is identical to the one described in patch [2]; consequently,
> this issue can also be resolved by applying the fix provided in [2].

To properly fix em28xx it has to be redesigned: all clean up would have to
be done in the v4l2_device release callback, similar to how au0282 does that.

There is no point in working around issues, without going for that approach.

The em28xx driver predates that callback, and nobody ever took the time and
substantial effort to convert it.

We regularly get patches for em28xx, but they are basically addressing symptoms
rather than the cause.

If someone wants to take on this task, then that would be great and I'm willing
to help with advice etc., but you also need to have at least some em28xx devices
to test with.

Regards,

	Hans

> 
> [2] https://lore.kernel.org/all/tencent_5DCCB375C3694964A3A5A44677775777E605@qq.com
> 
> BR,
> Edward
>

next prev parent reply	other threads:[~2026-03-20 12:08 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-02  7:49 [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources syzbot
2026-01-09  4:22 ` syzbot
2026-01-09  7:55   ` [PATCH] em28xx: test xiaopeitux
2026-01-09  9:42     ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources syzbot
2026-01-10  3:22   ` Hillf Danton
2026-01-10  3:50     ` syzbot
2026-01-10  8:50   ` Hillf Danton
2026-01-10 10:13     ` syzbot
2026-01-11  0:23   ` Hillf Danton
2026-01-11  1:51     ` syzbot
2026-01-11  4:46   ` Edward Adam Davis
2026-01-11  5:14     ` syzbot
2026-01-11  5:29   ` [PATCH 1/2] media: em28xx-video: add the unregister of video/VBI entity Edward Adam Davis
2026-01-11 15:31     ` Laurent Pinchart
2026-03-16 14:03     ` Hans Verkuil
2026-03-20 11:45       ` Edward Adam Davis
2026-03-20 12:07         ` hverkuil+cisco [this message]
2026-03-20  6:15   ` [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources Edward Adam Davis
2026-03-20 10:59     ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3d4d9bc2-1867-417f-aa16-7a1df2aaf4f4@kernel.org \
    --to=hverkuil+cisco@kernel.org \
    --cc=eadavis@qq.com \
    --cc=laurent.pinchart@ideasonboard.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=sakari.ailus@linux.intel.com \
    --cc=syzbot+16062f26c6480975e5ed@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox