================================================================== BUG: KASAN: slab-use-after-free in v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 Read of size 8 at addr ffff8881158c0730 by task v4l_id/3015 CPU: 0 UID: 0 PID: 3015 Comm: v4l_id Not tainted 6.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 v4l2_fh_init+0x27d/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25 v4l2_fh_open+0x83/0xc0 drivers/media/v4l2-core/v4l2-fh.c:63 em28xx_v4l2_open+0x250/0x7e0 drivers/media/usb/em28xx/em28xx-video.c:2155 v4l2_open+0x222/0x490 drivers/media/v4l2-core/v4l2-dev.c:427 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6cb/0x1390 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcad322d9a4 Code: 24 20 48 8d 44 24 30 48 89 44 24 28 64 8b 04 25 18 00 00 00 85 c0 75 2c 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 60 48 8b 15 55 a4 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffd995c1cd0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffd995c1ee8 RCX: 00007fcad322d9a4 RDX: 0000000000000000 RSI: 00007ffd995c3f25 RDI: 00000000ffffff9c RBP: 00007ffd995c3f25 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd995c1f00 R14: 0000564e88fcc670 R15: 00007fcad367ca80 Allocated by task 24: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] em28xx_v4l2_init+0x114/0x4050 drivers/media/usb/em28xx/em28xx-video.c:2534 em28xx_init_extension+0x137/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 24: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x37/0x50 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2343 [inline] slab_free mm/slub.c:4580 [inline] kfree+0x130/0x480 mm/slub.c:4728 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline] kref_put include/linux/kref.h:65 [inline] em28xx_v4l2_init+0x22a4/0x4050 drivers/media/usb/em28xx/em28xx-video.c:2903 em28xx_init_extension+0x137/0x200 drivers/media/usb/em28xx/em28xx-core.c:1117 request_module_async+0x61/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3457 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff8881158c0000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 1840 bytes inside of freed 8192-byte region [ffff8881158c0000, ffff8881158c2000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1158c0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000000040(head|node=0|zone=2) page_type: f5(slab) raw: 0200000000000040 ffff888100042280 ffffea00044b6400 0000000000000006 raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 head: 0200000000000040 ffff888100042280 ffffea00044b6400 0000000000000006 head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 head: 0200000000000003 ffffea0004563001 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2533, tgid 2533 (acpid), ts 12614311492, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xd5c/0x2630 mm/page_alloc.c:3457 __alloc_pages_noprof+0x221/0x22a0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0xeb/0x400 mm/mempolicy.c:2265 alloc_slab_page mm/slub.c:2413 [inline] allocate_slab mm/slub.c:2579 [inline] new_slab+0x2ba/0x3f0 mm/slub.c:2632 ___slab_alloc+0xd45/0x1760 mm/slub.c:3819 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3909 __slab_alloc_node mm/slub.c:3962 [inline] slab_alloc_node mm/slub.c:4123 [inline] __kmalloc_cache_noprof+0x27a/0x2c0 mm/slub.c:4291 kmalloc_noprof include/linux/slab.h:878 [inline] audit_log_d_path+0xce/0x1e0 kernel/audit.c:2148 dump_common_audit_data security/lsm_audit.c:237 [inline] common_lsm_audit+0x3d3/0x2210 security/lsm_audit.c:458 slow_avc_audit+0x17d/0x210 security/selinux/avc.c:773 avc_audit security/selinux/include/avc.h:127 [inline] avc_has_perm+0x18d/0x1c0 security/selinux/avc.c:1191 inode_has_perm+0x168/0x1d0 security/selinux/hooks.c:1676 file_path_has_perm security/selinux/hooks.c:1720 [inline] selinux_file_open+0x314/0x430 security/selinux/hooks.c:3995 security_file_open+0x34/0x70 security/security.c:3107 do_dentry_open+0x585/0x1390 fs/open.c:945 page_owner free stack trace missing Memory state around the buggy address: ffff8881158c0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881158c0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881158c0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881158c0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881158c0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================