In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: Terminating the subsequent process of initialization failure
syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
After PSI initialization fails, the si member is accessed again, resulting in this UAF.
After si initialization fails, the subsequent process needs to be exited.
[1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059

CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
Hardware name: Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xd9/0x110 mm/kasan/report.c:634
vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_table.c:464
task_work_run+0x14e/0x250 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
__do_sys_exit_group kernel/exit.c:1098 [inline]
__se_sys_exit_group kernel/exit.c:1096 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f871d58d169
Code: Unable to access opcode bytes at 0x7f871d58d13f.
RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840
</TASK>

Allocated by task 6059:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970
vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423
vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
__fput+0x3ff/0xb70 fs/file_tabl ---truncated---
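The failure mode the commit message describes (a PSI init routine whose cleanup path frees the tables it built, after which the next initialization step reads them through the stale `si` pointer) reduces to a small pattern. The C below is an added illustration, not the vidtv driver's code: every `demo_*` name, the structures, the `inject_failure` fault-injection flag and the tracking allocator (which stands in for KASAN) are hypothetical. The `fixed` flag switches between a cleanup path that reports success after freeing and one that propagates the error and clears the pointer; the caller is identical in both cases.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a mux and its PSI ("si") tables (not vidtv's). */
struct demo_pat { int programs; };
struct demo_si  { struct demo_pat *pat; void *sdt; };
struct demo_mux { struct demo_si si; int pid_ctx_count; };

/* Tiny tracking allocator standing in for KASAN: a freed block is quarantined
 * (marked, never reused) so a stale pointer is recognised, not dereferenced. */
#define DEMO_MAX_ALLOCS 16
static struct { void *p; bool freed; } demo_allocs[DEMO_MAX_ALLOCS];
static int demo_nallocs;

static void *demo_alloc(size_t n)
{
	void *p = demo_nallocs < DEMO_MAX_ALLOCS ? calloc(1, n) : NULL;
	if (p) {
		demo_allocs[demo_nallocs].p = p;
		demo_allocs[demo_nallocs++].freed = false;
	}
	return p;
}

static int demo_slot(const void *p)
{
	int i;

	for (i = 0; i < demo_nallocs; i++)
		if (demo_allocs[i].p == p)
			return i;
	return -1;
}

static void demo_free(void *p)
{
	int i = demo_slot(p);
	if (i >= 0)
		demo_allocs[i].freed = true;
}

static bool demo_is_live(const void *p)
{
	int i = demo_slot(p);
	return i >= 0 && !demo_allocs[i].freed;
}

/* Builds the PSI tables; inject_failure (constructed fault injection) makes
 * the second allocation fail. With fixed == false the cleanup path frees the
 * PAT but still returns 0, so the caller believes init succeeded while
 * m->si.pat dangles. With fixed == true it reports the error and clears the
 * pointer, so no later step can reach the freed block. */
static int demo_si_init(struct demo_mux *m, bool fixed, bool inject_failure)
{
	m->si.pat = demo_alloc(sizeof(*m->si.pat));
	if (!m->si.pat)
		return -ENOMEM;

	m->si.sdt = inject_failure ? NULL : demo_alloc(64);
	if (!m->si.sdt)
		goto free_pat;

	m->si.pat->programs = 1;
	return 0;

free_pat:
	demo_free(m->si.pat);
	if (!fixed)
		return 0;		/* BUG: success reported after freeing pat */
	m->si.pat = NULL;
	return -EINVAL;
}

/* Next init step, which reads through m->si.pat. Where real code would read
 * the freed block (the access KASAN flagged), this returns -EFAULT instead. */
static int demo_pid_ctx_init(struct demo_mux *m)
{
	if (!m->si.pat)
		return -EINVAL;
	if (!demo_is_live(m->si.pat))
		return -EFAULT;		/* this is the use-after-free */
	m->pid_ctx_count = m->si.pat->programs + 1;
	return 0;
}

/* Caller of both variants; it checks the return value either way, so the
 * outcome depends only on whether the callee's cleanup path told the truth.
 * Returns -EFAULT if the freed PAT was reached, -EINVAL if init stopped early. */
static int demo_mux_init(struct demo_mux *m, bool fixed, bool inject_failure)
{
	int ret;

	memset(m, 0, sizeof(*m));
	ret = demo_si_init(m, fixed, inject_failure);
	if (ret < 0)
		return ret;		/* stop here: nothing below may touch m->si */
	return demo_pid_ctx_init(m);
}
```

Calling `demo_mux_init(&m, false, true)` returns -EFAULT (the stale PAT is read), while `demo_mux_init(&m, true, true)` returns -EINVAL and leaves `m.si.pat` NULL. Two independent safeguards appear in the fixed path: the error must propagate so the caller abandons the rest of initialization, and the freed pointer should be cleared so that any access that slips through later is a NULL dereference rather than a read of recycled slab memory. The quarantine in the demo allocator is what KASAN provides on a syzbot kernel; on a production kernel the freed object can be reallocated to an unrelated caller before the stale read, which is what turns a bug like this from a crash into a primitive.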