From: Jeongjun Park
To: mchehab@kernel.org, hans.verkuil@cisco.com
Cc: crope@iki.fi, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+6ffd76b5405c006a46b7@syzkaller.appspotmail.com, syzbot+f1b20958f93d2d250727@syzkaller.appspotmail.com, Jeongjun Park
Subject: [PATCH v3] media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
Date: Sat, 10 Jan 2026 23:58:29 +0900
Message-Id: <20260110145829.1274298-1-aha310510@gmail.com>
X-Mailer: git-send-email 2.34.1

In hackrf driver, the following race condition occurs:

```
CPU0                                    CPU1
hackrf_probe()
  kzalloc();                  // alloc hackrf_dev
  ....
  v4l2_device_register();
  ....
                                        fd = sys_open("/path/to/dev"); // open hackrf fd
  ....
  v4l2_device_unregister();
  ....
  kfree();                    // free hackrf_dev
  ....
                                        sys_ioctl(fd, ...);
                                          v4l2_ioctl();
                                            video_is_registered()   // UAF!!
  ....
                                        sys_close(fd);
                                          v4l2_release()            // UAF!!
                                            hackrf_video_release()
                                              kfree();              // DFB!!
```

When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open (and any in-flight I/O) do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev will lead to a race to a use-after-free vuln, since those already-open handles haven't been released yet. And since release() frees memory too, a race to use-after-free and double-free vulns occurs.

To prevent this, if the device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
Cc:
Reported-by: syzbot+6ffd76b5405c006a46b7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7
Reported-by: syzbot+f1b20958f93d2d250727@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727
Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter")
Signed-off-by: Jeongjun Park
---
v3: Fix potential memory leak bug
- Link to v2: https://lore.kernel.org/all/20250904054232.3848637-1-aha310510@gmail.com/
v2: Fix incorrect patch description style and CC stable mailing list
- Link to v1: https://lore.kernel.org/all/20250822142729.1156816-1-aha310510@gmail.com/
---
 drivers/media/usb/hackrf/hackrf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/hackrf/hackrf.c b/drivers/media/usb/hackrf/hackrf.c
index 0b50de8775a3..c3c4247194d1 100644
--- a/drivers/media/usb/hackrf/hackrf.c
+++ b/drivers/media/usb/hackrf/hackrf.c
@@ -1485,7 +1485,7 @@ static int hackrf_probe(struct usb_interface *intf, if (ret) { dev_err(dev->dev, "Failed to register as video device (%d)\n", ret); - goto err_v4l2_device_unregister; + goto err_v4l2_device_put; } dev_info(dev->dev, "Registered as %s\n", video_device_node_name(&dev->rx_vdev)); @@ -1513,8 +1513,9 @@ static int hackrf_probe(struct usb_interface *intf, return 0; err_video_unregister_device_rx: video_unregister_device(&dev->rx_vdev); -err_v4l2_device_unregister: - v4l2_device_unregister(&dev->v4l2_dev); +err_v4l2_device_put: + v4l2_device_put(&dev->v4l2_dev); + return ret; err_v4l2_ctrl_handler_free_tx: v4l2_ctrl_handler_free(&dev->tx_ctrl_handler); err_v4l2_ctrl_handler_free_rx:
--
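Review bot: the new `return ret;` directly under `err_v4l2_device_put:` skips `err_v4l2_ctrl_handler_free_tx`, `err_v4l2_ctrl_handler_free_rx` and whatever cleanup follows them, so this path is leak-free only if the release callback attached to `dev->v4l2_dev` frees both control handlers and `dev` itself. That callback is not in the hunk, and the commit message only says that "release()" frees memory; since v3 exists precisely to fix a memory leak on this path, please name `hackrf_video_release()` in the message and state that it now owns the handler and `dev` cleanup, so the next reader does not have to re-derive why the fall-through was removed. The relabelling itself looks right: once `v4l2_device_register()` has succeeded, the only safe teardown is to drop the registration's reference with `v4l2_device_put()` and let the last put run the release, and the second hunk applies that both to the rx `video_register_device()` failure (first hunk) and to the `err_video_unregister_device_rx` label that falls into it.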
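As an added illustration of the lifetime rule the commit message states (example code written for this page, not part of the patch or of the hackrf driver): a user-space C model in which the registration and each open file descriptor hold one reference, freeing is legal only in the release callback that runs when the last reference drops, and the device struct carries a `freed` counter instead of real heap memory so the pre-patch error path can be observed without corrupting the process. All names (`dev_model`, `model_put`, `run_scenario`, ...) are this example's own; `buggy_error_path()` stands for the old unregister-then-kfree() sequence and `fixed_error_path()` for the patched v4l2_device_put() path. The model reproduces the use-after-free half of the diagram (ioctl and close on an fd opened before the error path); it does not model the second free the diagram shows inside hackrf_video_release().

```c
#include <stdio.h>
#include <string.h>

#define ENODEV 19

/* Stand-in for struct hackrf_dev (hypothetical model, not the driver's type). */
struct dev_model {
	int refcount;        /* 1 for the registration + 1 per open fd */
	int registered;      /* device node present: new open() allowed */
	int freed;           /* number of times "kfree(dev)" has run */
	int use_after_free;  /* accesses made after the first free */
};

struct result {
	int frees;
	int use_after_free;
};

/* Every access to the object goes through here so a UAF is counted. */
static void touch(struct dev_model *d)
{
	if (d->freed)
		d->use_after_free++;
}

/* Plays the role of the v4l2_dev release callback: the only legal free. */
static void model_release(struct dev_model *d)
{
	d->freed++;
}

/* v4l2_device_register(): the registration owns the first reference. */
static void model_register(struct dev_model *d)
{
	memset(d, 0, sizeof(*d));
	d->registered = 1;
	d->refcount = 1;
}

/* v4l2_device_unregister(): node gone, new opens fail, open fds stay valid. */
static void model_unregister(struct dev_model *d)
{
	touch(d);
	d->registered = 0;
}

/* v4l2_device_put(): drop one reference; release runs when the last goes. */
static void model_put(struct dev_model *d)
{
	touch(d);
	if (--d->refcount == 0)
		model_release(d);
}

/* open(): refused once unregistered, otherwise the fd pins the object. */
static int model_open(struct dev_model *d)
{
	if (!d->registered)
		return -ENODEV;
	d->refcount++;
	return 0;
}

/* ioctl() on an open fd reads the object whatever the registration state. */
static int model_ioctl(struct dev_model *d)
{
	touch(d);
	return d->registered ? 0 : -ENODEV;
}

/* Pre-patch error path: unregister, then kfree() while fds may be open. */
static void buggy_error_path(struct dev_model *d)
{
	model_unregister(d);
	model_release(d);
}

/* Patched error path: only the registration's reference is dropped. */
static void fixed_error_path(struct dev_model *d)
{
	model_unregister(d);
	model_put(d);
}

/* CPU1 opens the node (if requested) between CPU0's register and the error
 * path, then issues an ioctl and closes, exactly as in the commit diagram. */
static struct result run_scenario(void (*error_path)(struct dev_model *),
				  int open_before_error)
{
	struct dev_model d;
	struct result r;
	int fd_open = 0;

	model_register(&d);
	if (open_before_error)
		fd_open = model_open(&d) == 0;
	error_path(&d);
	if (fd_open) {
		model_ioctl(&d);	/* CPU1: ioctl on the still-open fd */
		model_put(&d);		/* CPU1: close -> release() */
	}
	r.frees = d.freed;
	r.use_after_free = d.use_after_free;
	return r;
}

int main(void)
{
	struct result b = run_scenario(buggy_error_path, 1);
	struct result f = run_scenario(fixed_error_path, 1);

	printf("buggy: frees=%d use_after_free=%d\n", b.frees, b.use_after_free);
	printf("fixed: frees=%d use_after_free=%d\n", f.frees, f.use_after_free);
	return 0;
}
```

With an fd opened before the error path, the buggy sequence frees once and then records two accesses to freed memory (the ioctl and the close), while the patched sequence records none and still frees exactly once, at the close that drops the last reference; with no fd open, the patched put releases immediately, so nothing leaks on the plain error path either.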