* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini
From: Gustavo A. R. Silva @ 2017-11-07 21:18 UTC
To: Andrey Konovalov, Mauro Carvalho Chehab, LKML
Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller, Gustavo A. R. Silva
Hi Andrey,
Could you please try this patch?
Thank you
Gustavo A. R. Silva
---
drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
index 4a7db62..fc3fb92 100644
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
struct em28xx_dvb *dvb;
struct i2c_client *client;
+ if (!dev)
+ return 0;
+
if (dev->is_audio_only) {
/* Shouldn't initialize IR for this interface */
return 0;
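Review bot: The `if (!dev)` test added at the top of em28xx_dvb_fini() cannot catch the use-after-free named in the subject: a pointer to freed memory is still non-NULL, so the `dev->is_audio_only` read on the next line would touch the freed object exactly as before. The fix has to address the lifetime of `dev` (who frees it, and whether that can happen before this function runs) rather than its value. If a NULL `dev` is genuinely reachable here, the patch should carry a changelog naming the caller that passes it; as posted it has no description at all.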
--
2.7.4
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini
From: Andrey Konovalov @ 2017-11-08 15:57 UTC
To: Gustavo A. R. Silva
Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany,
syzkaller
On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you
>
> Gustavo A. R. Silva
Hi Gustavo,
Still see the crash with your patch.
Thanks!
>
> ---
> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
> index 4a7db62..fc3fb92 100644
> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
> struct em28xx_dvb *dvb;
> struct i2c_client *client;
>
> + if (!dev)
> + return 0;
> +
> if (dev->is_audio_only) {
> /* Shouldn't initialize IR for this interface */
> return 0;
> --
> 2.7.4
>
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini
From: Gustavo A. R. Silva @ 2017-11-08 16:03 UTC
To: Andrey Konovalov
Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany,
syzkaller
Quoting Andrey Konovalov <andreyknvl@google.com>:
> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>> Hi Andrey,
>>
>> Could you please try this patch?
>>
>> Thank you
>>
>> Gustavo A. R. Silva
>
> Hi Gustavo,
>
> Still see the crash with your patch.
>
> Thanks!
>
Thank you, Andrey. I will look into this further.
--
Gustavo A. R. Silva
>>
>> ---
>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>> index 4a7db62..fc3fb92 100644
>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>> struct em28xx_dvb *dvb;
>> struct i2c_client *client;
>>
>> + if (!dev)
>> + return 0;
>> +
>> if (dev->is_audio_only) {
>> /* Shouldn't initialize IR for this interface */
>> return 0;
>> --
>> 2.7.4
>>
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini
From: Andrey Konovalov @ 2017-11-08 16:04 UTC
To: Gustavo A. R. Silva
Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany,
syzkaller
On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
<garsilva@embeddedor.com> wrote:
>
> Quoting Andrey Konovalov <andreyknvl@google.com>:
>
>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
>> <garsilva@embeddedor.com> wrote:
>>>
>>> Hi Andrey,
>>>
>>> Could you please try this patch?
>>>
>>> Thank you
>>>
>>> Gustavo A. R. Silva
>>
>>
>> Hi Gustavo,
>>
>> Still see the crash with your patch.
>>
>> Thanks!
>>
>
> Thank you, Andrey. I will look into this further.
Since I'm able to reproduce this, I can apply a patch with debug
printk's or something similar and run the reproducer. Send me a patch
if you think it might help.
>
> --
> Gustavo A. R. Silva
>
>
>>>
>>> ---
>>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
>>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>>> index 4a7db62..fc3fb92 100644
>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>>> struct em28xx_dvb *dvb;
>>> struct i2c_client *client;
>>>
>>> + if (!dev)
>>> + return 0;
>>> +
>>> if (dev->is_audio_only) {
>>> /* Shouldn't initialize IR for this interface */
>>> return 0;
>>> --
>>> 2.7.4
>>>
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini
From: Gustavo A. R. Silva @ 2017-11-08 16:22 UTC
To: Andrey Konovalov
Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany,
syzkaller
Quoting Andrey Konovalov <andreyknvl@google.com>:
> On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
> <garsilva@embeddedor.com> wrote:
>>
>> Quoting Andrey Konovalov <andreyknvl@google.com>:
>>
>>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
>>> <garsilva@embeddedor.com> wrote:
>>>>
>>>> Hi Andrey,
>>>>
>>>> Could you please try this patch?
>>>>
>>>> Thank you
>>>>
>>>> Gustavo A. R. Silva
>>>
>>>
>>> Hi Gustavo,
>>>
>>> Still see the crash with your patch.
>>>
>>> Thanks!
>>>
>>
>> Thank you, Andrey. I will look into this further.
>
> Since I'm able to reproduce this, I can apply a patch with debug
> printk's or something similar and run the reproducer. Send me a patch
> if you think it might help.
>
Awesome.
I'm pretty sure this bug is related to other issues like this one:
https://groups.google.com/forum/#!topic/syzkaller/FnJq_QkwCLQ
em28xx is an old driver and it might require some refactoring in order
to fix such issues.
I appreciate your help.
Thank you
--
Gustavo A. R. Silva
>>
>>
>>>>
>>>> ---
>>>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> b/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> index 4a7db62..fc3fb92 100644
>>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c
>>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
>>>> struct em28xx_dvb *dvb;
>>>> struct i2c_client *client;
>>>>
>>>> + if (!dev)
>>>> + return 0;
>>>> +
>>>> if (dev->is_audio_only) {
>>>> /* Shouldn't initialize IR for this interface */
>>>> return 0;
>>>> --
>>>> 2.7.4
>>>>