[BUG] KASAN: slab-use-after-free in pvr2_v4l2_dev_init

From: Shuangpeng

Date: Tue Jun 02 2026 - 23:19:37 EST


Hi Kernel Maintainers,

I hit the following KASAN report while testing the current upstream kernel:

KASAN: slab-use-after-free in pvr2_v4l2_dev_init

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/1bb11709aa99114979c00138773e23f3

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>


[ 594.064526][ T2009] ==================================================================
[ 594.066061][ T2009] BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
[ 594.067466][ T2009] Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009
[ 594.068813][ T2009]
[ 594.069190][ T2009] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 594.069195][ T2009] Call Trace:
[ 594.069199][ T2009] <TASK>
[ 594.069204][ T2009] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 594.069211][ T2009] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 594.069231][ T2009] kasan_report (mm/kasan/report.c:595)
[ 594.069243][ T2009] pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
[ 594.069263][ T2009] pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
[ 594.069270][ T2009] pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
[ 594.069275][ T2009] pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158)
[ 594.069333][ T2009] kthread (kernel/kthread.c:436)
[ 594.069351][ T2009] ret_from_fork (arch/x86/kernel/process.c:158)
[ 594.069375][ T2009] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 594.069383][ T2009] </TASK>
[ 594.069385][ T2009]
[ 594.087179][ T2009] Freed by task 2009 on cpu 1 at 594.064509s:
[ 594.087705][ T2009] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 594.088130][ T2009] kasan_save_free_info (mm/kasan/generic.c:584)
[ 594.088566][ T2009] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 594.088980][ T2009] kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 594.089324][ T2009] v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
[ 594.089762][ T2009] device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
[ 594.090164][ T2009] kobject_put (lib/kobject.c:689 lib/kobject.c:720 ./include/linux/kref.h:65 lib/kobject.c:737)
[ 594.090544][ T2009] __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
[ 594.091031][ T2009] pvr2_v4l2_dev_init (./include/media/v4l2-dev.h:390 drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
[ 594.091460][ T2009] pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
[ 594.091943][ T2009] pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
[ 594.092348][ T2009] pvr2_context_thread_func (drivers/media/usb/pvrusb2/pvrusb2-context.c:117 drivers/media/usb/pvrusb2/pvrusb2-context.c:158)
[ 594.092825][ T2009] kthread (kernel/kthread.c:436)
[ 594.093188][ T2009] ret_from_fork (arch/x86/kernel/process.c:158)
[ 594.093587][ T2009] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 594.094004][ T2009]
[ 594.094213][ T2009] The buggy address belongs to the object at ffff88810a2aa000
[ 594.094213][ T2009] which belongs to the cache kmalloc-2k of size 2048
[ 594.095415][ T2009] The buggy address is located 1204 bytes inside of
[ 594.095415][ T2009] freed 2048-byte region [ffff88810a2aa000, ffff88810a2aa800)


Best,
Shuangpeng
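The two stacks above tell the story in order: the "Freed by" stack runs from the registration call at pvrusb2-v4l2.c:1218 through __video_register_device -> kobject_put -> device_release -> v4l2_device_release -> kfree, and the bad read is at :1221 in the same function. In other words, the registration failed, its failure path dropped the last reference so the video_device's release callback freed the containing object, and the caller then read a field of that object. The following user-space model of that ordering is an added example, not code from this report or from the pvrusb2 driver. It stands in a poison flag for kfree() so the access is detectable without undefined behaviour, and every name in it (pvr_dev, devbase, register_devbase, dev_init_buggy, dev_init_fixed) is an illustrative assumption; the "fixed" variant shows the ordering rule, not the patch the driver eventually received.

```c
/*
 * Added example: a user-space model of the use-after-free ordering in the
 * KASAN report (not the pvrusb2 driver's code; all names are assumptions).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for struct video_device: owns a release callback. */
struct devbase {
	int minor;
	void (*release)(struct devbase *db);
};

/* Stand-in for the driver's per-device object that embeds devbase. */
struct pvr_dev {
	struct devbase devbase;
	int freed;	/* poison flag: 1 once release ran (models kfree) */
};

static int uaf_count;	/* reads of an object after its release ran */

/* The driver-side release callback: in the kernel this is where the
 * container is kfree()d; here we only poison it so reads stay defined. */
static void pvr_release(struct devbase *db)
{
	struct pvr_dev *d = container_of(db, struct pvr_dev, devbase);
	d->freed = 1;
}

/* Model of __video_register_device(): on failure it drops the last
 * reference, which runs the release callback before returning the error. */
static int register_devbase(struct devbase *db, int fail)
{
	if (fail) {
		db->release(db);
		return -1;
	}
	db->minor = 0;
	return 0;
}

/* Every field read goes through here so the model can count UAFs,
 * which is the event KASAN flagged as slab-use-after-free. */
static int read_minor(struct pvr_dev *d)
{
	if (d->freed)
		uaf_count++;
	return d->devbase.minor;
}

/* Ordering matching the trace: register, then touch the object regardless
 * of the result. On failure the read lands in released memory. */
static int dev_init_buggy(struct pvr_dev *d, int fail)
{
	int ret = register_devbase(&d->devbase, fail);
	(void)read_minor(d);	/* UAF when ret < 0 */
	return ret;
}

/* Hardened ordering: after a failed registration the object belongs to the
 * release callback, so propagate the error without dereferencing it. */
static int dev_init_fixed(struct pvr_dev *d, int fail)
{
	int ret = register_devbase(&d->devbase, fail);
	if (ret < 0)
		return ret;
	return read_minor(d);
}

/* Run one variant on a fresh object and report how many UAF reads it did. */
static int run_variant(int (*init)(struct pvr_dev *, int), int fail)
{
	struct pvr_dev d;

	memset(&d, 0, sizeof(d));
	d.devbase.release = pvr_release;
	uaf_count = 0;
	init(&d, fail);
	return uaf_count;
}

int run_buggy(int fail) { return run_variant(dev_init_buggy, fail); }
int run_fixed(int fail) { return run_variant(dev_init_fixed, fail); }

int main(void)
{
	printf("buggy, registration fails: %d UAF read(s)\n", run_buggy(1));
	printf("fixed, registration fails: %d UAF read(s)\n", run_fixed(1));
	return 0;
}
```

The rule the model encodes is the general one for kobject-backed registrations: once a register call that owns the release path has failed, the caller may not touch the embedded device or anything allocated alongside it; whatever cleanup the caller still needs must either happen before the registration or be deferred to the release callback itself.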