From: syzbot <syzbot+1a7507a194fff09e5c44@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] media: em28xx: fix use-after-free in v4l2_open() during init error path
Date: Thu, 19 Mar 2026 23:23:11 -0700
Message-ID: <69bce7cf.050a0220.3bf4de.000e.GAE@google.com>
In-Reply-To: <69bba3fe.050a0220.227207.0030.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] media: em28xx: fix use-after-free in v4l2_open() during init error path
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
em28xx_v4l2_init() calls video_register_device() which makes the video
device immediately visible to userspace. At this point, v4l2_open() can
be called concurrently and access vdev->dev_debug which is embedded
inside the em28xx_v4l2 structure.

If a subsequent initialization step fails after video_register_device()
succeeds, the error cleanup path calls kref_put(&v4l2->ref) which drops
the reference count to zero and frees the em28xx_v4l2 structure via
em28xx_free_v4l2(). This results in a use-after-free when v4l2_open()
reads vdev->dev_debug from the already freed structure.

Fix this by adding kref_get(&v4l2->ref) at the end of successful
initialization, matching the kref_put() already present in
em28xx_v4l2_fini(). This ensures the v4l2 structure is not freed while
it is still accessible through the registered video device.

The following race triggers the bug:

  em28xx_v4l2_init()
    video_register_device()      <- device visible to userspace
    later step fails
    goto unregister_dev
    kref_put(&v4l2->ref)         <- ref hits 0, struct freed!
                                      v4l2_open()              <- runs concurrently
                                        reads vdev->dev_debug  <- use-after-free!
Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions")
Reported-by: syzbot+1a7507a194fff09e5c44@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=1a7507a194fff09e5c44
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
drivers/media/usb/em28xx/em28xx-video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index 5f13f63fbdee..fe2a7771275d 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2876,7 +2876,7 @@ static int em28xx_v4l2_init(struct em28xx *dev)
"V4L2 extension successfully initialized\n");
kref_get(&dev->ref);
-
+ kref_get(&v4l2->ref);
mutex_unlock(&dev->lock);
return 0;
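Review bot: the kref_get(&v4l2->ref) added here sits on the success path of em28xx_v4l2_init(), immediately before the `mutex_unlock(&dev->lock);` / `return 0;` shown in the hunk, so it is never executed on the failing path the commit message describes (register succeeds, a later step fails, `goto unregister_dev`, kref_put(&v4l2->ref) drops the count to zero); a v4l2_open() that is already past its registration check still reads a freed em28xx_v4l2 in that scenario, and the hunk does not close the reported race. The get also changes the balance on the normal path: if the reference dropped by the kref_put() in em28xx_v4l2_fini() is the one the structure already holds from initialization, this extra get has no matching put and em28xx_v4l2 is leaked on every unbind. The reference that protects the registered window has to be held on the failing path as well and released only after the last opener has dropped its own video_device reference (the video_device release callback is the usual place), and the commit message should name the put that balances the new get.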
--
2.43.0
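To make the lifetime argument concrete, here is a userspace C model of the race, added for this archive page and not code from the patch, the em28xx driver or the V4L2 core. It assumes that initialization gives the structure one reference, that em28xx_v4l2_fini() drops exactly one, and that an opener pins only the embedded video_device, not its container; the "deferred release" variant (`defer_free`) is a hypothetical illustration of one way to close the window, not the submitted fix. Function names such as run_race() and run_normal_teardown() are invented for the model, and a `freed` flag stands in for kfree() so nothing actually touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy, single-threaded model of the kref lifetime problem in the commit
 * message. Names echo the kernel ones but this is not kernel code; the
 * "freed" flag models kfree() so a use after free is observable safely. */

struct vdev {
	int refs;            /* what video_get()/video_put() would count */
	bool registered;     /* set by video_register_device() */
	unsigned dev_debug;  /* the field v4l2_open() reads after fops->open */
};

struct em28xx_v4l2 {
	int ref;             /* the kref the driver manages */
	struct vdev vdev;    /* embedded, so it dies with the container */
	bool freed;          /* model of kfree() having happened */
	bool defer_free;     /* modelled fix: last opener's put frees us */
};

static struct vdev *registry;  /* what video_devdata() hands an opener */

static void em28xx_free_v4l2(struct em28xx_v4l2 *v) { v->freed = true; }

static void kref_put(struct em28xx_v4l2 *v)
{
	if (--v->ref != 0)
		return;
	/* Modelled fix: an opener still pins the vdev, so leave the release
	 * to whoever drops the last vdev reference. */
	if (v->defer_free && v->vdev.refs > 0)
		return;
	em28xx_free_v4l2(v);
}

static void video_register_device(struct em28xx_v4l2 *v)
{
	v->vdev.registered = true;
	registry = &v->vdev;
}

static void video_unregister_device(struct em28xx_v4l2 *v)
{
	v->vdev.registered = false;
	registry = NULL;
}

/* First half of v4l2_open(): registration check plus video_get(). */
static struct vdev *v4l2_open_begin(void)
{
	if (!registry || !registry->registered)
		return NULL;
	registry->refs++;
	return registry;
}

/* Second half: the vdev->dev_debug read KASAN flagged, then video_put().
 * Returns -1 when that read would hit freed memory. */
static int v4l2_open_finish(struct vdev *vd)
{
	struct em28xx_v4l2 *v = (struct em28xx_v4l2 *)
		((char *)vd - offsetof(struct em28xx_v4l2, vdev));
	int dbg;

	if (v->freed)
		return -1;
	dbg = (int)vd->dev_debug;
	if (--vd->refs == 0 && v->ref == 0 && v->defer_free)
		em28xx_free_v4l2(v);  /* deferred release fires here */
	return dbg;
}

/* em28xx_v4l2_init() failing after registration while an opener arrives in
 * the window. Returns what that opener's v4l2_open() reads: -1 or 1. */
int run_race(bool with_fix)
{
	struct em28xx_v4l2 v = { .ref = 1, .defer_free = with_fix };
	struct vdev *opener;

	v.vdev.dev_debug = 1;
	video_register_device(&v);
	opener = v4l2_open_begin();        /* concurrent open() got this far */
	video_unregister_device(&v);       /* "later step fails" */
	kref_put(&v);                      /* goto unregister_dev ... kref_put() */
	return v4l2_open_finish(opener);
}

/* Normal probe then em28xx_v4l2_fini() with no opener. Returns whether the
 * structure was released (assumes fini does exactly one put). */
bool run_normal_teardown(bool extra_get_on_success)
{
	struct em28xx_v4l2 v = { .ref = 1 };   /* one reference from init */

	video_register_device(&v);
	if (extra_get_on_success)
		v.ref++;                        /* the kref_get() the patch adds */
	video_unregister_device(&v);
	kref_put(&v);                       /* em28xx_v4l2_fini() */
	return v.freed;
}

int main(void)
{
	printf("race unfixed: %d, race with deferred release: %d\n",
	       run_race(false), run_race(true));
	printf("teardown frees: %d, with extra get on success: %d\n",
	       run_normal_teardown(false), run_normal_teardown(true));
	return 0;
}
```

run_race(false) reproduces the report: the opener pinned only the embedded vdev, so the error-path put frees the container under it. run_normal_teardown(true) shows the other side of a get that runs only on success: with no matching put, the structure is never released on unbind.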
Thread overview (10+ messages):
2026-03-19 7:21 [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_open syzbot
2026-03-19 9:00 ` Edward Adam Davis
2026-03-19 9:29 ` syzbot
2026-03-19 12:20 ` Edward Adam Davis
2026-03-20 5:31 ` syzbot
2026-03-19 12:40 ` Forwarded: [PATCH] media: em28xx: fix use-after-free in v4l2_open() during init error path syzbot
2026-03-19 16:45 ` [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_open Edward Adam Davis
2026-03-20 10:30 ` syzbot
2026-03-19 16:49 ` [PATCH] media: usb: em28xx: fix the race condition between init extension and open Edward Adam Davis
2026-03-20 6:23 ` syzbot [this message]