From: Pei Xiao <xiaopei01@kylinos.cn>
The driver attempts to register the same video_device twice if the first
registration with a specific minor number fails. However, when the first
video_register_device() call fails, the underlying device structure is
released via put_device(), which frees the video_device object. The second
call then uses the already freed pointer, causing a KASAN
slab-use-after-free error.
Moreover, the second call always uses -1 (automatic minor allocation),
which is redundant because mindevnum already can be -1 when no fixed
minor is requested. Keeping both calls does not provide any benefit but
introduces a use-after-free vulnerability.
Fix this by removing the second registration attempt and using only
the first call with mindevnum. This preserves the ability to request
a specific minor number (when mindevnum >= 0) while falling back to
automatic allocation (when mindevnum == -1) without double-registering
the same device.
Logs:
BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init
(drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009
Call Trace:
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:595)
pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
...
Freed by task 2009 on cpu 1 at 594.064509s:
kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:584)
__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
kfree
v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
kobject_put
__video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
...
Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb")
Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/
stable@vger.kernel.org
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
---
drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
index 101b2e9fbaab..f9df813ca09b 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
@@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
mindevnum = nr_ptr[unit_number];
}
pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase);
- if ((video_register_device(&dip->devbase,
- dip->v4l_type, mindevnum) < 0) &&
- (video_register_device(&dip->devbase,
- dip->v4l_type, -1) < 0)) {
+ if (video_register_device(&dip->devbase,
+ dip->v4l_type, mindevnum) < 0)
pr_err(KBUILD_MODNAME
": Failed to register pvrusb2 v4l device\n");
- }
pr_info("pvrusb2: registered device %s [%s]\n",
video_device_node_name(&dip->devbase),
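Review bot: the failure branch at the new `if (video_register_device(...) < 0)` only logs and then falls through to the context line `pr_info("pvrusb2: registered device %s [%s]\n", video_device_node_name(&dip->devbase), ...`, so on failure the function still announces a registered device and still passes `&dip->devbase` onward. The commit message says a failed video_register_device() releases the device via put_device() and frees the video_device object, so that later read would touch the same freed memory the patch is meant to stop using. Suggest keeping the braces and adding a `return;` after the pr_err() so nothing dereferences dip once registration has failed.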
--
2.25.1
Acked-By: Mike Isely <isely@pobox.com>
On Thu, 4 Jun 2026, xiaopeitux@foxmail.com wrote:
> From: Pei Xiao <xiaopei01@kylinos.cn>
>
> The driver attempts to register the same video_device twice if the first
> registration with a specific minor number fails. However, when the first
> video_register_device() call fails, the underlying device structure is
> released via put_device(), which frees the video_device object. The second
> call then uses the already freed pointer, causing a KASAN
> slab-use-after-free error.
>
> Moreover, the second call always uses -1 (automatic minor allocation),
> which is redundant because mindevnum already can be -1 when no fixed
> minor is requested. Keeping both calls does not provide any benefit but
> introduces a use-after-free vulnerability.
>
> Fix this by removing the second registration attempt and using only
> the first call with mindevnum. This preserves the ability to request
> a specific minor number (when mindevnum >= 0) while falling back to
> automatic allocation (when mindevnum == -1) without double-registering
> the same device.
>
> Logs:
> BUG: KASAN: slab-use-after-free in pvr2_v4l2_dev_init
> (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
> Read of size 4 at addr ffff88810a2aa4b4 by task pvrusb2-context/2009
>
> Call Trace:
> dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
> print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
> kasan_report (mm/kasan/report.c:595)
> pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1221)
> pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
> pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
> ...
>
> Freed by task 2009 on cpu 1 at 594.064509s:
> kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
> kasan_save_free_info (mm/kasan/generic.c:584)
> __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
> kfree
> v4l2_device_release (drivers/media/v4l2-core/v4l2-dev.c:225)
> device_release (drivers/gpu/drm/vkms/vkms_configfs.c:690)
> kobject_put
> __video_register_device (drivers/media/v4l2-core/v4l2-dev.c:1080)
> pvr2_v4l2_dev_init (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1218)
> pvr2_v4l2_create (drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1249)
> pvr_setup_attach (drivers/media/usb/pvrusb2/pvrusb2-main.c:40)
> ...
>
> Fixes: 0c0d06cac63e ("[media] rename most media/video usb drivers to media/usb")
> Reported-by: Shuangpeng Bai <shuangpeng.kernel@gmail.com>
> Closes: https://lore.kernel.org/lkml/6C2D160B-37DD-40F0-B8A2-089B8CAACB58@gmail.com/
> stable@vger.kernel.org
> Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
> ---
> drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> index 101b2e9fbaab..f9df813ca09b 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> @@ -1215,13 +1215,10 @@ static void pvr2_v4l2_dev_init(struct pvr2_v4l2_dev *dip,
> mindevnum = nr_ptr[unit_number];
> }
> pvr2_hdw_set_v4l2_dev(hdw, &dip->devbase);
> - if ((video_register_device(&dip->devbase,
> - dip->v4l_type, mindevnum) < 0) &&
> - (video_register_device(&dip->devbase,
> - dip->v4l_type, -1) < 0)) {
> + if (video_register_device(&dip->devbase,
> + dip->v4l_type, mindevnum) < 0)
> pr_err(KBUILD_MODNAME
> ": Failed to register pvrusb2 v4l device\n");
> - }
>
> pr_info("pvrusb2: registered device %s [%s]\n",
> video_device_node_name(&dip->devbase),
>
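Review bot: the removed second call with `-1` was the only retry when a fixed minor (mindevnum >= 0) could not be registered, and the commit message does not say what happens to that case now. It describes automatic allocation "when mindevnum == -1" as the fallback, but that is the path where no fixed minor was requested, not a retry after a failure. Please state in the commit message whether a failed registration with a requested minor is now expected to leave the device unregistered, or why the retry was never needed. It would also help to store the return value of video_register_device() in a local and include it in the pr_err(), since the new `if` discards the error code.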