linux-kernel - Re: [PATCH v3] media: hackrf: fix to not free memory after the device is registered in hackrf

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <CAO9qdTGc8A0ge_pfRavAQNpsnjoUXz4-Sm_3dE2oVX7CEpmTUg@mail.gmail.com>
Date: Sun, 11 Jan 2026 00:06:34 +0900
From: Jeongjun Park <aha310510@...il.com>
To: mchehab@...nel.org
Cc: crope@....fi, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org, 
	stable@...r.kernel.org, syzbot+6ffd76b5405c006a46b7@...kaller.appspotmail.com, 
	syzbot+f1b20958f93d2d250727@...kaller.appspotmail.com, 
	Hans Verkuil <hverkuil+cisco@...nel.org>
Subject: Re: [PATCH v3] media: hackrf: fix to not free memory after the device
 is registered in hackrf_probe()

Jeongjun Park <aha310510@...il.com> wrote:
>
> In hackrf driver, the following race condition occurs:
> ```
>                 CPU0                                            CPU1
> hackrf_probe()
>   kzalloc(); // alloc hackrf_dev
>   ....
>   v4l2_device_register();
>   ....
>                                                 fd = sys_open("/path/to/dev"); // open hackrf fd
>                                                 ....
>   v4l2_device_unregister();
>   ....
>   kfree(); // free hackrf_dev
>   ....
>                                                 sys_ioctl(fd, ...);
>                                                   v4l2_ioctl();
>                                                     video_is_registered() // UAF!!
>                                                 ....
>                                                 sys_close(fd);
>                                                   v4l2_release() // UAF!!
>                                                     hackrf_video_release()
>                                                       kfree(); // DFB!!
> ```
>
> When a V4L2 or video device is unregistered, the device node is removed so
> new open() calls are blocked.
>
> However, file descriptors that are already open-and any in-flight I/O-do
> not terminate immediately; they remain valid until the last reference is
> dropped and the driver's release() is invoked.
>
> Therefore, freeing device memory on the error path after hackrf_probe()
> has registered dev it will lead to a race to use-after-free vuln, since
> those already-open handles haven't been released yet.
>
> And since release() free memory too, race to use-after-free and
> double-free vuln occur.
>
> To prevent this, if device is registered from probe(), it should be
> modified to free memory only through release() rather than calling
> kfree() directly.
>
> Cc: <stable@...r.kernel.org>
> Reported-by: syzbot+6ffd76b5405c006a46b7@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7
> Reported-by: syzbot+f1b20958f93d2d250727@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727
> Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter")
> Signed-off-by: Jeongjun Park <aha310510@...il.com>
> ---

Cc: Hans Verkuil <hverkuil+cisco@...nel.org>