* [PATCH] media: rc: igorplugusb: fix memory corruption race condition in probe
@ 2026-04-04 18:35 Rohaniyaa
2026-05-04 16:43 ` Sean Young
From: Rohaniyaa @ 2026-04-04 18:35 UTC (permalink / raw)
To: Sean Young, linux-media
Cc: Mauro Carvalho Chehab, linux-kernel, Rohan Mithari,
syzbot+5d7eece664082e0c5c1a
From: Rohan Mithari <rohanmithari09@gmail.com>
Syzbot reported a race condition causing a WARNING in usb_submit_urb.
In igorplugusb_probe(), the driver registers the RC device via
rc_register_device() before initializing the internal interface data
via usb_set_intfdata().
If the device is abruptly disconnected or accessed by userspace
immediately after registration, the disconnect function or active URB
submission can trigger a NULL pointer dereference or Use-After-Free.
Without KASAN enabled, this race condition silently corrupts the slab
allocator, leading to a delayed fatal panic in kmem_cache_alloc().
This patch fixes the race by ensuring the private data (ir) is safely
attached to the USB interface and the hardware is fully initialized
before exposing the device to the subsystem via rc_register_device().
Reported-by: syzbot+5d7eece664082e0c5c1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d7eece664082e0c5c1a
Signed-off-by: Rohan Mithari <rohanmithari09@gmail.com>
---
drivers/media/rc/igorplugusb.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index 3e10f6fe89f8..a694ed1e5c1f 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -214,17 +214,14 @@ static int igorplugusb_probe(struct usb_interface *intf,
rc->rx_resolution = 85;
ir->rc = rc;
+ usb_set_intfdata(intf, ir);
+ igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY);
ret = rc_register_device(rc);
if (ret) {
dev_err(&intf->dev, "failed to register rc device: %d", ret);
goto fail;
- }
-
- usb_set_intfdata(intf, ir);
-
- igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY);
-
- return 0;
+}
+return 0;
fail:
usb_poison_urb(ir->urb);
timer_delete(&ir->timer);
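Review bot: The hunk does not show how the reorder closes the race described in the changelog: moving usb_set_intfdata() and igorplugusb_cmd() ahead of rc_register_device() adds no lock, no check and no ordering barrier, it only changes the sequence of the same three calls, so the changelog should name the concrete path that reads the interface data before it is set and explain why running earlier prevents it. A side effect worth a sentence is that SET_INFRABUFFER_EMPTY is now issued before rc_register_device() can fail, so the `fail:` path (usb_poison_urb(), timer_delete()) is reached with that command already in flight. Separately, the `- }` / `+}` and `- return 0;` / `+return 0;` pairs replace correctly indented lines with column-0 ones, which is whitespace churn against the kernel coding style; keep the original indentation so the diff contains only the two moved calls.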
@@ -233,8 +230,7 @@ static int igorplugusb_probe(struct usb_interface *intf,
rc_free_device(ir->rc);
kfree(ir->buf_in);
kfree(ir->request);
-
- return ret;
+return ret;
}
static void igorplugusb_disconnect(struct usb_interface *intf)
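Review bot: The only change in this hunk is whitespace churn: the blank line before `return ret;` is removed and the statement loses its indentation, which breaks the kernel's tab-indented style and is unrelated to the bug being fixed. Drop this hunk entirely and keep the patch limited to the reorder in igorplugusb_probe().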
--
2.34.1
* Re: [PATCH] media: rc: igorplugusb: fix memory corruption race condition in probe
@ 2026-05-04 16:43 ` Sean Young
From: Sean Young @ 2026-05-04 16:43 UTC (permalink / raw)
To: Rohaniyaa
Cc: linux-media, Mauro Carvalho Chehab, linux-kernel,
syzbot+5d7eece664082e0c5c1a
Hi,
On Sun, Apr 05, 2026 at 12:05:07AM +0530, Rohaniyaa wrote:
> From: Rohan Mithari <rohanmithari09@gmail.com>
>
> Syzbot reported a race condition causing a WARNING in usb_submit_urb.
>
> In igorplugusb_probe(), the driver registers the RC device via
> rc_register_device() before initializing the internal interface data
> via usb_set_intfdata().
>
> If the device is abruptly disconnected or accessed by userspace
> immediately after registration, the disconnect function or active URB
> submission can trigger a NULL pointer dereference or Use-After-Free.
> Without KASAN enabled, this race condition silently corrupts the slab
> allocator, leading to a delayed fatal panic in kmem_cache_alloc().
>
> This patch fixes the race by ensuring the private data (ir) is safely
> attached to the USB interface and the hardware is fully initialized
> before exposing the device to the subsystem via rc_register_device().
>
> Reported-by: syzbot+5d7eece664082e0c5c1a@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=5d7eece664082e0c5c1a
>
> Signed-off-by: Rohan Mithari <rohanmithari09@gmail.com>
> ---
> drivers/media/rc/igorplugusb.c | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
> index 3e10f6fe89f8..a694ed1e5c1f 100644
> --- a/drivers/media/rc/igorplugusb.c
> +++ b/drivers/media/rc/igorplugusb.c
> @@ -214,17 +214,14 @@ static int igorplugusb_probe(struct usb_interface *intf,
> rc->rx_resolution = 85;
>
> ir->rc = rc;
> + usb_set_intfdata(intf, ir);
> + igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY);
> ret = rc_register_device(rc);
> if (ret) {
> dev_err(&intf->dev, "failed to register rc device: %d", ret);
> goto fail;
> - }
> -
> - usb_set_intfdata(intf, ir);
> -
> - igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY);
> -
I don't understand how that fixes anything.
> - return 0;
> +}
> +return 0;
That's messy.
> fail:
> usb_poison_urb(ir->urb);
> timer_delete(&ir->timer);
> @@ -233,8 +230,7 @@ static int igorplugusb_probe(struct usb_interface *intf,
> rc_free_device(ir->rc);
> kfree(ir->buf_in);
> kfree(ir->request);
> -
> - return ret;
> +return ret;
Again, do not do that - that's messy.
Thanks,
Sean
> }
>
> static void igorplugusb_disconnect(struct usb_interface *intf)
> --
> 2.34.1
>