================================================================== BUG: KASAN: use-after-free in v4l2_open+0x39a/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444 Read of size 4 at addr ffff888060bf09d0 by task v4l_id/9102 CPU: 0 UID: 0 PID: 9102 Comm: v4l_id Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 v4l2_open+0x39a/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444 chrdev_open+0x4dc/0x600 fs/char_dev.c:411 do_dentry_open+0x849/0x1420 fs/open.c:947 vfs_open+0x3b/0x350 fs/open.c:1052 do_open fs/namei.c:4700 [inline] path_openat+0x2e60/0x3850 fs/namei.c:4859 do_file_open+0x23e/0x4a0 fs/namei.c:4888 do_sys_openat2+0x115/0x200 fs/open.c:1368 do_sys_open fs/open.c:1374 [inline] __do_sys_openat fs/open.c:1390 [inline] __se_sys_openat fs/open.c:1385 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1385 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf0f4bf407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: 002b:00007ffe65926cb0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fcf0f3d1880 RCX: 00007fcf0f4bf407 RDX: 0000000000000000 RSI: 00007ffe65927f1c RDI: ffffffffffffff9c RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffe65926f00 R14: 00007fcf0fc55000 R15: 00005607171534d8 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888060bf0000 pfn:0x60bf0 flags: 0x80000000000000(node=0|zone=1) raw: 0080000000000000 ffffea000182f308 ffff8880b8642fc0 0000000000000000 raw: ffff888060bf0000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_ZERO|__GFP_COMP), pid 5836, tgid 5836 (kworker/0:6), ts 609799744406, free_ts 612641043407 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f9/0x250 mm/page_alloc.c:1859 prep_new_page mm/page_alloc.c:1867 [inline] get_page_from_freelist+0x2639/0x26b0 mm/page_alloc.c:3946 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5304 alloc_pages_mpol+0xce/0x280 mm/mempolicy.c:2490 ___kmalloc_large_node+0x4c/0x120 mm/slub.c:5302 __kmalloc_large_noprof+0x1a/0x90 mm/slub.c:5323 _kmalloc_noprof include/linux/slab.h:966 [inline] _kzalloc_noprof include/linux/slab.h:1290 [inline] em28xx_v4l2_init+0xda/0x3270 drivers/media/usb/em28xx/em28xx-video.c:2709 em28xx_init_extension+0x120/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1248 process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326 process_scheduled_works kernel/workqueue.c:3409 [inline] worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 page last free pid 5836 tgid 5836 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1406 [inline] __free_frozen_pages+0x10de/0x11c0 mm/page_alloc.c:2950 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2289 [inline] kref_put include/linux/kref.h:65 [inline] em28xx_v4l2_init+0x1884/0x3270 drivers/media/usb/em28xx/em28xx-video.c:3080 em28xx_init_extension+0x120/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1248 process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326 process_scheduled_works kernel/workqueue.c:3409 [inline] worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888060bf0880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888060bf0900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888060bf0980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888060bf0a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888060bf0a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================