[PATCH Next V2] media: mc: Clear minor number before put device

Edward Adam Davis posted 1 patch 3 weeks, 1 day ago
drivers/media/mc/mc-devnode.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
Posted by Edward Adam Davis 3 weeks, 1 day ago
syzbot reports a slab-use-after-free in media_devnode_unregister.

The following calltrace shows the entire process of UAF generation:

hub_event()->
  port_event()->
    hub_port_connect_change()->
      hub_port_connect()->
        usb_disconnect()->
	  usb_disable_device()->
	    device_del()->
	      bus_remove_device()->
	        device_release_driver_internal()->
		  __device_release_driver()->
		    device_remove()->
		      usb_unbind_interface()->
		        em28xx_usb_disconnect()->
			  em28xx_release_resources()->
			    em28xx_unregister_media_device()->
			      media_device_unregister()->
			        media_devnode_unregister()->
				  put_device()->
				    media_devnode_release()->
				      kfree(devnode)
				  clear_bit(devnode->minor, media_devnode_nums) 

[1] kfree(devnode): after this code is executed, devnode is released.
[2] clear_bit(devnode->minor, media_devnode_nums): this accesses the
freed devnode, triggering a UAF.

We clear the device's minor num before freeing devnode to avoid a UAF.

Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: update comments for rootcause

 drivers/media/mc/mc-devnode.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/media/mc/mc-devnode.c b/drivers/media/mc/mc-devnode.c
index 0d01cbae98f2..6daa7aa99442 100644
--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -276,13 +276,10 @@ void media_devnode_unregister(struct media_devnode *devnode)
 	/* Delete the cdev on this minor as well */
 	cdev_device_del(&devnode->cdev, &devnode->dev);
 	devnode->media_dev = NULL;
+	clear_bit(devnode->minor, media_devnode_nums);
 	mutex_unlock(&media_devnode_lock);
 
 	put_device(&devnode->dev);
-
-	mutex_lock(&media_devnode_lock);
-	clear_bit(devnode->minor, media_devnode_nums);
-	mutex_unlock(&media_devnode_lock);
 }
 
 /*
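Review bot: the reordering is correct as far as the hunk shows: `devnode->minor` is now read while `devnode` is still referenced and while `media_devnode_lock` is held, and the separate `mutex_lock()`/`mutex_unlock()` pair around the old `clear_bit()` goes away with it. Two small follow-ups: the comment `/* Delete the cdev on this minor as well */` now also heads the line that releases the minor reservation, so consider extending it to say so; and since the bit is cleared before `put_device()`, a later registration can be handed the same minor while the old `struct device` is still pending its final release, which is fine here because `cdev_device_del()` at the top of the hunk has already removed the chardev for that minor, but a sentence on that in the commit message would help the next reader.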
-- 
2.43.0
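To make the ordering problem concrete outside the kernel, here is a constructed stand-alone C model (added here; not kernel code and not the author's patch) of the two orderings. It keeps the kernel names for readability but replaces `struct device`'s refcount with a plain counter, `kfree()` with a quarantine that poisons freed memory with the SLUB `POISON_FREE` byte instead of unmapping it, and KASAN's report with a counter, so the dangling read in the old ordering is observable rather than undefined behaviour. `media_devnode_lock` is omitted; all names and values beyond the kernel identifiers are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: mirrors kernel names, but none of this is kernel code. */
#define MEDIA_NUM_DEVICES 256
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define POISON_FREE 0x6b  /* byte SLUB writes over freed objects when poisoning is on */

static unsigned long media_devnode_nums[MEDIA_NUM_DEVICES / BITS_PER_LONG];

struct media_devnode {
	int refcount;  /* stands in for the embedded struct device's kobject refcount */
	int minor;
};

/* Freed objects stay mapped but poisoned, so a dangling read is detectable, not UB. */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static size_t quarantine_len;
static int uaf_reports;  /* counts accesses to quarantined memory, like a KASAN report */

static void model_kfree(void *p, size_t size)
{
	memset(p, POISON_FREE, size);
	if (quarantine_len < QUARANTINE_MAX)
		quarantine[quarantine_len++] = p;
	else
		free(p);
}

static int is_freed(const void *p)
{
	for (size_t i = 0; i < quarantine_len; i++)
		if (quarantine[i] == p)
			return 1;
	return 0;
}

void quarantine_drain(void)
{
	for (size_t i = 0; i < quarantine_len; i++)
		free(quarantine[i]);
	quarantine_len = 0;
}

static void set_bit(int nr, unsigned long *map) { map[nr / BITS_PER_LONG] |= 1UL << (nr % BITS_PER_LONG); }
static void clear_bit(int nr, unsigned long *map) { map[nr / BITS_PER_LONG] &= ~(1UL << (nr % BITS_PER_LONG)); }
int test_bit(int nr, const unsigned long *map) { return (map[nr / BITS_PER_LONG] >> (nr % BITS_PER_LONG)) & 1; }

/* Reserve the first free minor and allocate a node holding one reference. */
struct media_devnode *media_devnode_register(void)
{
	for (int minor = 0; minor < MEDIA_NUM_DEVICES; minor++) {
		if (test_bit(minor, media_devnode_nums))
			continue;
		struct media_devnode *d = malloc(sizeof(*d));
		if (!d)
			return NULL;
		set_bit(minor, media_devnode_nums);
		d->refcount = 1;
		d->minor = minor;
		return d;
	}
	return NULL;
}

static void media_devnode_release(struct media_devnode *d) { model_kfree(d, sizeof(*d)); }

static void put_device(struct media_devnode *d)
{
	if (--d->refcount == 0)
		media_devnode_release(d);
}

/* Ordering before the fix: the final put runs first, then devnode->minor is read. */
int media_devnode_unregister_old(struct media_devnode *d)
{
	put_device(d);
	int minor = d->minor;  /* dangling read: every byte is now POISON_FREE */
	if (is_freed(d))
		uaf_reports++;
	if (minor >= 0 && minor < MEDIA_NUM_DEVICES)  /* guard the model only; the kernel had no such check */
		clear_bit(minor, media_devnode_nums);
	return minor;  /* the poisoned value, 0x6b6b6b6b; the real reservation is leaked */
}

/* Ordering after the fix: release the reservation while devnode is still alive. */
int media_devnode_unregister_fixed(struct media_devnode *d)
{
	int minor = d->minor;
	clear_bit(minor, media_devnode_nums);
	put_device(d);
	return minor;
}

int uaf_report_count(void) { return uaf_reports; }

int main(void)
{
	struct media_devnode *a = media_devnode_register();
	printf("old ordering read minor 0x%x, uaf reports: %d, bit 0 still set: %d\n",
	       media_devnode_unregister_old(a), uaf_report_count(), test_bit(0, media_devnode_nums));
	struct media_devnode *b = media_devnode_register();
	printf("fixed ordering released minor %d, bit cleared: %d\n",
	       media_devnode_unregister_fixed(b), !test_bit(b->minor < 0 ? 0 : 1, media_devnode_nums));
	quarantine_drain();
	return 0;
}
```

The old ordering leaks the minor reservation as well as reading freed memory: the poisoned value is out of range, so the real bit is never cleared and the next registration skips it. The fixed ordering reads and clears the minor under the same lock that `cdev_device_del()` ran under, then drops the reference.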
Re: [PATCH Next V2] media: mc: Clear minor number before put device
Posted by Sakari Ailus 3 weeks ago
Hi Edward,

On Wed, Sep 10, 2025 at 06:31:45PM +0800, Edward Adam Davis wrote:
> syzbot reports a slab-use-after-free in media_devnode_unregister.
> 
> The following calltrace shows the entire process of UAF generation:
> 
> hub_event()->
>   port_event()->
>     hub_port_connect_change()->
>       hub_port_connect()->
>         usb_disconnect()->
> 	  usb_disable_device()->
> 	    device_del()->
> 	      bus_remove_device()->
> 	        device_release_driver_internal()->
> 		  __device_release_driver()->
> 		    device_remove()->
> 		      usb_unbind_interface()->
> 		        em28xx_usb_disconnect()->
> 			  em28xx_release_resources()->
> 			    em28xx_unregister_media_device()->
> 			      media_device_unregister()->
> 			        media_devnode_unregister()->
> 				  put_device()->
> 				    media_devnode_release()->
> 				      kfree(devnode)
> 				  clear_bit(devnode->minor, media_devnode_nums) 
> 
> [1] kfree(devnode): after this code is executed, devnode is released.
> [2] clear_bit(devnode->minor, media_devnode_nums): this accesses the
> freed devnode, triggering a UAF.
> 
> We clear the device's minor num before freeing devnode to avoid a UAF.
> 
> Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time")
> Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f
> Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

Thanks for the update. However, v1 was already merged. I'll mark this as
"not applicable".

-- 
Kind regards,

Sakari Ailus