The device minor should not be cleared after the device is released.
Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/media/mc/mc-devnode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/media/mc/mc-devnode.c b/drivers/media/mc/mc-devnode.c
index 0d01cbae98f2..6daa7aa99442 100644
--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -276,13 +276,10 @@ void media_devnode_unregister(struct media_devnode *devnode)
/* Delete the cdev on this minor as well */
cdev_device_del(&devnode->cdev, &devnode->dev);
devnode->media_dev = NULL;
+ clear_bit(devnode->minor, media_devnode_nums);
mutex_unlock(&media_devnode_lock);
put_device(&devnode->dev);
-
- mutex_lock(&media_devnode_lock);
- clear_bit(devnode->minor, media_devnode_nums);
- mutex_unlock(&media_devnode_lock);
}
/*
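Review bot: The reordering is right, but the message above it never says what broke: in the removed lines `clear_bit(devnode->minor, media_devnode_nums)` ran after `put_device(&devnode->dev)`, which can drop the last reference and free devnode, so `devnode->minor` was read from freed memory. Say that the clear now happens before the final put, while `media_devnode_lock` is still held (the `mutex_unlock()` right below the added line), and that the second lock/unlock pair is therefore no longer needed; the Fixes: tag on its own does not explain this.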
--
2.43.0
Hello Edward,
On Wed, Sep 10, 2025 at 09:15:27AM +0800, Edward Adam Davis wrote:
> The device minor should not be cleared after the device is released.
The most important piece of information in a commit message is the
reason for the patch. You need to explain *why* this is needed, not just
state it should be done.
> Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
> Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
> Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/media/mc/mc-devnode.c | 5 +----
> 1 file changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/drivers/media/mc/mc-devnode.c b/drivers/media/mc/mc-devnode.c
> index 0d01cbae98f2..6daa7aa99442 100644
> --- a/drivers/media/mc/mc-devnode.c
> +++ b/drivers/media/mc/mc-devnode.c
> @@ -276,13 +276,10 @@ void media_devnode_unregister(struct media_devnode *devnode)
> /* Delete the cdev on this minor as well */
> cdev_device_del(&devnode->cdev, &devnode->dev);
> devnode->media_dev = NULL;
> + clear_bit(devnode->minor, media_devnode_nums);
> mutex_unlock(&media_devnode_lock);
>
> put_device(&devnode->dev);
> -
> - mutex_lock(&media_devnode_lock);
> - clear_bit(devnode->minor, media_devnode_nums);
> - mutex_unlock(&media_devnode_lock);
> }
>
> /*
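Review bot: The added `clear_bit(devnode->minor, media_devnode_nums)` carries no comment, while its neighbour `cdev_device_del()` has one (`/* Delete the cdev on this minor as well */`). Add a one-line comment stating that the reservation must be released before `put_device()` can free devnode, so a later cleanup does not move the clear back below the put, which is the ordering the removed lines had.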
--
Regards,
Laurent Pinchart
syzbot reports a slab-use-after-free in media_devnode_unregister.
The following calltrace shows the entire process of UAF generation:
hub_event()->
port_event()->
hub_port_connect_change()->
hub_port_connect()->
usb_disconnect()->
usb_disable_device()->
device_del()->
bus_remove_device()->
device_release_driver_internal()->
__device_release_driver()->
device_remove()->
usb_unbind_interface()->
em28xx_usb_disconnect()->
em28xx_release_resources()->
em28xx_unregister_media_device()->
media_device_unregister()->
media_devnode_unregister()->
put_device()->
media_devnode_release()->
kfree(devnode)
clear_bit(devnode->minor, media_devnode_nums)
[1] kfree(devnode): after this code is executed, devnode is released.
[2] clear_bit(devnode->minor, media_devnode_nums): this accesses the
freed devnode, triggering a UAF.
We clear the device's minor num before freeing devnode to avoid a UAF.
Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: update comments for root cause
drivers/media/mc/mc-devnode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/media/mc/mc-devnode.c b/drivers/media/mc/mc-devnode.c
index 0d01cbae98f2..6daa7aa99442 100644
--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -276,13 +276,10 @@ void media_devnode_unregister(struct media_devnode *devnode)
/* Delete the cdev on this minor as well */
cdev_device_del(&devnode->cdev, &devnode->dev);
devnode->media_dev = NULL;
+ clear_bit(devnode->minor, media_devnode_nums);
mutex_unlock(&media_devnode_lock);
put_device(&devnode->dev);
-
- mutex_lock(&media_devnode_lock);
- clear_bit(devnode->minor, media_devnode_nums);
- mutex_unlock(&media_devnode_lock);
}
/*
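Review bot: The diff is identical to v1 (same index line 0d01cbae98f2..6daa7aa99442 and the same hunk), so the only change in v2 is the commit message; the changelog under `---` should say "reworded commit message, no code change" rather than "update comments", which reads as if a source comment was edited. The call trace in the message also shows a single trigger path (em28xx on USB disconnect), while the reordered `clear_bit()` in `media_devnode_unregister()` applies to every caller; a sentence saying so avoids the impression that the fix is em28xx-specific.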
--
2.43.0
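A userspace model of the ordering bug described in the commit message above, added here as an illustration and not code from the patch or the kernel: the reference drop in put_device() may free devnode, so reading devnode->minor afterwards is a use-after-free, while the patched ordering reads and clears the minor first. The pool, the poisoned minor and every function name other than those in the hunk are constructed stand-ins.

```c
#include <stdint.h>
#define NUM_MINORS 64

static uint64_t media_devnode_nums;  /* models the minor reservation bitmap */

/* Models struct media_devnode with its embedded struct device refcount. */
struct devnode { int refcount; int minor; };
static struct devnode pool[NUM_MINORS];  /* constructed stand-in for the slab */

/* Models media_devnode_release(): the kernel kfree()s devnode here. Poisoning
 * the minor stands in for that; a real allocator gives no such warning. */
static void devnode_release(struct devnode *d)
{
	d->minor = -1;  /* anything read from here on is garbage */
}

/* Models put_device(): drop one reference, release on the last one. */
static void put_devnode(struct devnode *d)
{
	if (--d->refcount == 0)
		devnode_release(d);
}

static struct devnode *devnode_register(int minor)
{
	struct devnode *d = &pool[minor];
	*d = (struct devnode){ .refcount = 1, .minor = minor };
	media_devnode_nums |= 1ULL << minor;
	return d;
}

/* Ordering before the fix: the minor is read after the final put, i.e.
 * from freed memory. Returns the value that was actually read. */
static int unregister_old(struct devnode *d)
{
	put_devnode(d);    /* last reference: devnode is freed here */
	int m = d->minor;  /* use-after-free in the real code */
	if (m >= 0 && m < NUM_MINORS)
		media_devnode_nums &= ~(1ULL << m);
	return m;
}

/* Ordering from the patch: clear the reservation while devnode is still
 * valid (in the kernel with media_devnode_lock held), then drop the ref. */
static int unregister_fixed(struct devnode *d)
{
	int m = d->minor;
	media_devnode_nums &= ~(1ULL << m);
	put_devnode(d);
	return m;
}
```

With the old ordering the reservation for the freed node is never released either, so besides the freed read the minor number leaks.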
Hi Edward,
On Wed, Sep 10, 2025 at 06:31:45PM +0800, Edward Adam Davis wrote:
> syzbot reports a slab-use-after-free in media_devnode_unregister.
>
> The following calltrace shows the entire process of UAF generation:
>
> hub_event()->
> port_event()->
> hub_port_connect_change()->
> hub_port_connect()->
> usb_disconnect()->
> usb_disable_device()->
> device_del()->
> bus_remove_device()->
> device_release_driver_internal()->
> __device_release_driver()->
> device_remove()->
> usb_unbind_interface()->
> em28xx_usb_disconnect()->
> em28xx_release_resources()->
> em28xx_unregister_media_device()->
> media_device_unregister()->
> media_devnode_unregister()->
> put_device()->
> media_devnode_release()->
> kfree(devnode)
> clear_bit(devnode->minor, media_devnode_nums)
>
> [1] kfree(devnode): after this code is executed, devnode is released.
> [2] clear_bit(devnode->minor, media_devnode_nums): this accesses the
> freed devnode, triggering a UAF.
>
> We clear the device's minor num before freeing devnode to avoid a UAF.
>
> Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
> Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
> Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Thanks for the update. However, v1 was already merged. I'll mark this as
"not applicable".
--
Kind regards,
Sakari Ailus