In the Linux kernel, the following vulnerability has been resolved:

media: xc2028: avoid use-after-free in load_firmware_cb()

syzkaller reported a use-after-free in load_firmware_cb() [1]. The reason is that the module allocated a struct tuner in tuner_probe(); then module initialization failed and the struct tuner was released. A worker created during module initialization accesses this struct tuner later, which causes the use-after-free. The process is as follows:

    task-6504                                  worker_thread
    tuner_probe                 <= alloc dvb_frontend [2]
      ...
      request_firmware_nowait   <= create a worker
      ...
    tuner_remove                <= free dvb_frontend
      ...
                                               request_firmware_work_func  <= the firmware is ready
                                               load_firmware_cb            <= but now the dvb_frontend has been freed

To fix the issue, check the dvb_frontend in load_firmware_cb(); if it is NULL, report a warning and just return.

[1]:
    ==================================================================
    BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
    Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504

    Call trace:
     load_firmware_cb+0x1310/0x17a0
     request_firmware_work_func+0x128/0x220
     process_one_work+0x770/0x1824
     worker_thread+0x488/0xea0
     kthread+0x300/0x430
     ret_from_fork+0x10/0x20

    Allocated by task 6504:
     kzalloc
     tuner_probe+0xb0/0x1430
     i2c_device_probe+0x92c/0xaf0
     really_probe+0x678/0xcd0
     driver_probe_device+0x280/0x370
     __device_attach_driver+0x220/0x330
     bus_for_each_drv+0x134/0x1c0
     __device_attach+0x1f4/0x410
     device_initial_probe+0x20/0x30
     bus_probe_device+0x184/0x200
     device_add+0x924/0x12c0
     device_register+0x24/0x30
     i2c_new_device+0x4e0/0xc44
     v4l2_i2c_new_subdev_board+0xbc/0x290
     v4l2_i2c_new_subdev+0xc8/0x104
     em28xx_v4l2_init+0x1dd0/0x3770

    Freed by task 6504:
     kfree+0x238/0x4e4
     tuner_remove+0x144/0x1c0
     i2c_device_remove+0xc8/0x290
     __device_release_driver+0x314/0x5fc
     device_release_driver+0x30/0x44
     bus_remove_device+0x244/0x490
     device_del+0x350/0x900
     device_unregister+0x28/0xd0
     i2c_unregister_device+0x174/0x1d0
     v4l2_device_unregister+0x224/0x380
     em28xx_v4l2_init+0x1d90/0x3770

    The buggy address belongs to the object at ffff8000d7ca2000
     which belongs to the cache kmalloc-2k of size 2048
    The buggy address is located 776 bytes inside of
     2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
    The buggy address belongs to the page:
    page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
    flags: 0x7ff800000000100(slab)
    raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
    raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                          ^
     ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

[2] Actually, it is allocated for struct tuner, and dvb_frontend is inside.
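The ordering above, probe then remove then a late firmware callback, reproduced as an added user-space model; this is not the kernel's code. The struct names follow the commit message, but the single global pending request, the context pointer being cleared in tuner_remove(), and the integer return from the callback are constructed simplifications so the hardened check can be exercised offline.

```c
/* Constructed user-space model of the race in the commit message (added example,
 * not kernel code): one pending request whose context pointer is cleared on remove
 * stands in for request_firmware_nowait(); callbacks return a status only for checking. */
#include <stdio.h>
#include <stdlib.h>
struct dvb_frontend { int firmware_loaded; };
struct tuner { struct dvb_frontend fe; };   /* dvb_frontend lives inside the tuner */
struct fw_request { int (*cb)(const char *, void *); void *context; };
static struct fw_request pending_req;       /* the one queued firmware request */

/* Hardened callback: validate the context first. 1 = applied, -1 = frontend gone. */
static int load_firmware_cb(const char *fw, void *context) {
    struct dvb_frontend *fe = context;
    if (!fe) {
        fprintf(stderr, "xc2028: no frontend in %s, firmware dropped\n", __func__);
        return -1;
    }
    fe->firmware_loaded = (fw != NULL);
    return 1;
}

static struct tuner *tuner_probe(void) {    /* allocate, then queue the request */
    struct tuner *t = calloc(1, sizeof(*t));
    pending_req.cb = load_firmware_cb;
    pending_req.context = &t->fe;
    return t;
}

static void tuner_remove(struct tuner *t) { /* disarm the request, then free */
    pending_req.context = NULL;
    free(t);
}

static int request_firmware_work_func(const char *fw) {  /* the worker thread */
    int (*cb)(const char *, void *) = pending_req.cb;
    pending_req.cb = NULL;
    return cb ? cb(fw, pending_req.context) : 0;
}

/* Ordering from the report: probe, init fails -> remove, then firmware arrives. */
int run_failed_init_scenario(void) {
    struct tuner *t = tuner_probe();
    tuner_remove(t);
    return request_firmware_work_func("constructed.fw");
}
int run_normal_scenario(void) {             /* contrast: tuner alive on arrival */
    struct tuner *t = tuner_probe();
    int ok = request_firmware_work_func("constructed.fw") == 1 && t->fe.firmware_loaded;
    tuner_remove(t);
    return ok;
}
```

Without the NULL check, run_failed_init_scenario() would write through a dangling pointer into the freed tuner, which is exactly the access KASAN flagged; with it, the late firmware is dropped with a warning and the freed object is never touched.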