| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6960cd6c.050a0220.1c677c.03c2.GAE@google.com>
Date: Fri, 09 Jan 2026 01:42:04 -0800
From: syzbot <syzbot+16062f26c6480975e5ed@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
xiaopei01@...inos.cn, xiaopeitux@...mail.com
Subject: Re: [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v4l2_fh_open
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
BUG: KASAN: slab-use-after-free in v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
Read of size 8 at addr ffff88807f400740 by task v4l_id/6673
CPU: 0 UID: 0 PID: 6673 Comm: v4l_id Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
v4l2_fh_init drivers/media/v4l2-core/v4l2-fh.c:25 [inline]
v4l2_fh_open+0xac/0x420 drivers/media/v4l2-core/v4l2-fh.c:64
em28xx_v4l2_open+0x157/0x9a0 drivers/media/usb/em28xx/em28xx-video.c:2153
v4l2_open+0x1bf/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:433
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x7ce/0x1420 fs/open.c:962
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x340e/0x3dd0 fs/namei.c:4787
do_filp_open+0x1fa/0x410 fs/namei.c:4814
do_sys_openat2+0x121/0x200 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6620ca7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffbb799140 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f662137b880 RCX: 00007f6620ca7407
RDX: 0000000000000000 RSI: 00007fffbb79af1b RDI: ffffffffffffff9c
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fffbb799390 R14: 00007f6621480000 R15: 000055bfa77444d8
</TASK>
Allocated by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5776
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
em28xx_v4l2_init+0x108/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2532
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 6594:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kfree+0x1c0/0x660 mm/slub.c:6878
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x168e/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2901
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff88807f400000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1856 bytes inside of
freed 8192-byte region [ffff88807f400000, ffff88807f402000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f400
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa7280 ffffea0001f21000 dead000000000002
head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001fd0001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5588, tgid 5588 (init), ts 51300794908, free_ts 50968755883
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
__kmalloc_cache_noprof+0x41e/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x111f/0x1f70 security/tomoyo/audit.c:264
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x15ce/0x1aa0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x89/0x270 security/security.c:794
search_binary_handler fs/exec.c:1659 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x887/0x1400 fs/exec.c:1753
do_execveat_common+0x510/0x6a0 fs/exec.c:1859
page last free pid 5575 tgid 5575 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x146/0x170 mm/slub.c:3886
__slab_free+0x294/0x320 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__kmalloc_cache_noprof+0x37c/0x700 mm/slub.c:5771
kmalloc_noprof include/linux/slab.h:957 [inline]
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x183/0x1f70 security/tomoyo/audit.c:255
tomoyo_supervisor+0x340/0x1480 security/tomoyo/common.c:2198
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x25a/0x380 security/tomoyo/file.c:587
tomoyo_path_perm+0x392/0x4b0 security/tomoyo/file.c:838
security_inode_getattr+0x12f/0x330 security/security.c:1869
vfs_getattr fs/stat.c:259 [inline]
vfs_fstat fs/stat.c:281 [inline]
__do_sys_newfstat fs/stat.c:555 [inline]
__se_sys_newfstat fs/stat.c:550 [inline]
__x64_sys_newfstat+0xfc/0x200 fs/stat.c:550
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807f400600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f400700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f400780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f400800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 623fb991 Merge tag 'pinctrl-v6.19-2' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13b85074580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=142d583a580000
Powered by blists - more mailing lists