[PATCH] media: usb: em28xx: fix the race condition between init extension and open

From: Edward Adam Davis

Date: Thu Mar 19 2026 - 12:56:38 EST


The em28xx video device utilizes the same em28xx->lock during both the
extension initialization process and the open system call. This design
creates a race condition: if the extension initialization fails, the
video device undergoes a video4linux device unregister process;
should an open call be initiated during this unregister, it is highly
likely to enter the open routine within the em28xx driver. At this
juncture, however, em28xx->lock remains held by the kwork responsible
for the extension initialization. Consequently, the open routine is
forced to wait for the unregister process to complete before it can
acquire em28xx->lock. Once the lock is finally acquired, the subsequent
code execution proceeds to access the video device instance, an instance
that has, by that time, already been deregistered, thereby triggering
the UAF described in [1].

To mitigate this issue and prevent the UAF resulting from lock contention
over em28xx->lock between the open call and the extension initialization
routine, the lock acquisition method within the em28xx open call has been
modified to use trylock.

[1]
BUG: KASAN: slab-use-after-free in v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
Call Trace:
v4l2_open+0x395/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:444
chrdev_open+0x4cd/0x5e0 fs/char_dev.c:411
do_dentry_open+0x785/0x14e0 fs/open.c:949
vfs_open+0x3b/0x340 fs/open.c:1081

Allocated by task 809:
em28xx_v4l2_init+0x10b/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2538
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117

Freed by task 809:
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2118 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1683/0x2e70 drivers/media/usb/em28xx/em28xx-video.c:2907
em28xx_init_extension+0x120/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1117

Reported-by: syzbot+1a7507a194fff09e5c44@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=1a7507a194fff09e5c44
Tested-by: syzbot+1a7507a194fff09e5c44@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
drivers/media/usb/em28xx/em28xx-video.c | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index b0c184f237a7..563b4267588e 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2147,7 +2147,7 @@ static int em28xx_v4l2_open(struct file *filp)
video_device_node_name(vdev), v4l2_type_names[fh_type],
v4l2->users);

- if (mutex_lock_interruptible(&dev->lock))
+ if (!mutex_trylock(&dev->lock))
return -ERESTARTSYS;

ret = v4l2_fh_open(filp);
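Review bot: Replacing mutex_lock_interruptible() with mutex_trylock() in em28xx_v4l2_open() turns every contention on dev->lock into an open() failure, not only the failing-extension-init case described in the commit message: a second open() or any ioctl holding dev->lock at that moment will now cause open() to fail spuriously. The error code is also wrong for a trylock miss: -ERESTARTSYS is meant for a lock wait interrupted by a signal, and returning it with no signal pending leaks an unexpected errno to user space; -EBUSY or -EAGAIN would describe a non-blocking acquisition failure. More fundamentally, the KASAN trace shows the v4l2 state being freed by em28xx_v4l2_init()'s error path while v4l2_open() can still reach the driver, so refusing to wait for the lock only narrows the window. Keeping the blocking `mutex_lock_interruptible(&dev->lock)` and re-validating the device after the lock is taken (for example checking video_is_registered(vdev) and returning -ENODEV if the device was torn down meanwhile), or ensuring the error path unregisters the video device before releasing the structure, would address the ordering rather than the symptom.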
--
2.43.0