Re: [syzbot] [media?] KASAN: slab-use-after-free Read in em28xx_release_resources

From: Hillf Danton

Date: Fri Jan 09 2026 - 22:22:59 EST


> Date: Thu, 08 Jan 2026 20:22:24 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 79b95d74470d Merge tag 'hid-for-linus-2026010801' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=112b219a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a94030c847137a18
> dashboard link: https://syzkaller.appspot.com/bug?extid=16062f26c6480975e5ed
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152b219a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e6e922580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-video.c
+++ y/drivers/media/usb/em28xx/em28xx-video.c
@@ -2898,6 +2898,7 @@ unregister_dev:
v4l2_device_unregister(&v4l2->v4l2_dev);
err:
dev->v4l2 = NULL;
+ em28xx_v4l2_media_release(dev);
kref_put(&v4l2->ref, em28xx_free_v4l2);
mutex_unlock(&dev->lock);
return ret;
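Review bot: the added em28xx_v4l2_media_release(dev) call sits under the shared err: label, directly after `dev->v4l2 = NULL;`. It therefore runs on every failure path that reaches err:, including any taken before media entities were registered, and it runs with dev->v4l2 already cleared. Please confirm the helper is safe on partially initialised state and does not read dev->v4l2; if it does, the call belongs above `dev->v4l2 = NULL;`. It is also worth checking that this call is not repeated later in the normal teardown path for the same dev, since a second release of the same entities would trade one lifetime bug for another. The test patch carries no description of which object is freed and then read in em28xx_release_resources; a final submission should state that in the changelog.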
--