* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini [not found] <CAAeHK+xNemb9-+pqifrXd5qsnEvbS8h+cgAgy0FhzL1A7FRfJA@mail.gmail.com> @ 2017-11-07 21:18 ` Gustavo A. R. Silva 2017-11-08 15:57 ` Andrey Konovalov 0 siblings, 1 reply; 5+ messages in thread From: Gustavo A. R. Silva @ 2017-11-07 21:18 UTC (permalink / raw) To: Andrey Konovalov, Mauro Carvalho Chehab, LKML Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller, Gustavo A. R. Silva Hi Andrey, Could you please try this patch? Thank you Gustavo A. R. Silva --- drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c index 4a7db62..fc3fb92 100644 --- a/drivers/media/usb/em28xx/em28xx-dvb.c +++ b/drivers/media/usb/em28xx/em28xx-dvb.c @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) struct em28xx_dvb *dvb; struct i2c_client *client; + if (!dev) + return 0; + if (dev->is_audio_only) { /* Shouldn't initialize IR for this interface */ return 0; -- 2.7.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
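Review bot: The `if (!dev)` guard added at the top of em28xx_dvb_fini() only catches a NULL pointer, but the report in the subject is a use-after-free, and a pointer to freed memory is not NULL. If dev is the freed object, it passes the new check and the `dev->is_audio_only` read on the very next line still touches stale memory. If the stale object is something reached later through dev, the guard does not come into play at all. A fix has to act on the object's lifetime rather than its pointer value: identify which structure the report says is freed and where, then either hold a reference across the fini path or make sure the free cannot run before em28xx_dvb_fini() has finished. Clearing the pointer at the free site under the same lock that fini takes would also turn a NULL check like this one into a meaningful test. Separately, the mail carries no changelog text or Signed-off-by above the `---` line, which is fine for a test patch but would need to be added before it is submitted for merging.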
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini 2017-11-07 21:18 ` usb/media/em28xx: use-after-free in em28xx_dvb_fini Gustavo A. R. Silva @ 2017-11-08 15:57 ` Andrey Konovalov 2017-11-08 16:03 ` Gustavo A. R. Silva 0 siblings, 1 reply; 5+ messages in thread From: Andrey Konovalov @ 2017-11-08 15:57 UTC (permalink / raw) To: Gustavo A. R. Silva Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva <garsilva@embeddedor.com> wrote: > Hi Andrey, > > Could you please try this patch? > > Thank you > > Gustavo A. R. Silva Hi Gustavo, Still see the crash with your patch. Thanks! > > --- > drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c > index 4a7db62..fc3fb92 100644 > --- a/drivers/media/usb/em28xx/em28xx-dvb.c > +++ b/drivers/media/usb/em28xx/em28xx-dvb.c > @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) > struct em28xx_dvb *dvb; > struct i2c_client *client; > > + if (!dev) > + return 0; > + > if (dev->is_audio_only) { > /* Shouldn't initialize IR for this interface */ > return 0; > -- > 2.7.4 > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini 2017-11-08 15:57 ` Andrey Konovalov @ 2017-11-08 16:03 ` Gustavo A. R. Silva 2017-11-08 16:04 ` Andrey Konovalov 0 siblings, 1 reply; 5+ messages in thread From: Gustavo A. R. Silva @ 2017-11-08 16:03 UTC (permalink / raw) To: Andrey Konovalov Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller Quoting Andrey Konovalov <andreyknvl@google.com>: > On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva > <garsilva@embeddedor.com> wrote: >> Hi Andrey, >> >> Could you please try this patch? >> >> Thank you >> >> Gustavo A. R. Silva > > Hi Gustavo, > > Still see the crash with your patch. > > Thanks! > Thank you, Andrey. I will look into this further. -- Gustavo A. R. Silva >> >> --- >> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c >> b/drivers/media/usb/em28xx/em28xx-dvb.c >> index 4a7db62..fc3fb92 100644 >> --- a/drivers/media/usb/em28xx/em28xx-dvb.c >> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c >> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) >> struct em28xx_dvb *dvb; >> struct i2c_client *client; >> >> + if (!dev) >> + return 0; >> + >> if (dev->is_audio_only) { >> /* Shouldn't initialize IR for this interface */ >> return 0; >> -- >> 2.7.4 >> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini 2017-11-08 16:03 ` Gustavo A. R. Silva @ 2017-11-08 16:04 ` Andrey Konovalov 2017-11-08 16:22 ` Gustavo A. R. Silva 0 siblings, 1 reply; 5+ messages in thread From: Andrey Konovalov @ 2017-11-08 16:04 UTC (permalink / raw) To: Gustavo A. R. Silva Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva <garsilva@embeddedor.com> wrote: > > Quoting Andrey Konovalov <andreyknvl@google.com>: > >> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva >> <garsilva@embeddedor.com> wrote: >>> >>> Hi Andrey, >>> >>> Could you please try this patch? >>> >>> Thank you >>> >>> Gustavo A. R. Silva >> >> >> Hi Gustavo, >> >> Still see the crash with your patch. >> >> Thanks! >> > > Thank you, Andrey. I will look into this further. Since I'm able to reproduce this, I can apply a patch with debug printk's or something similar and run the reproducer. Send me a patch if you think it might help. > > -- > Gustavo A. R. Silva > > >>> >>> --- >>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c >>> b/drivers/media/usb/em28xx/em28xx-dvb.c >>> index 4a7db62..fc3fb92 100644 >>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c >>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c >>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) >>> struct em28xx_dvb *dvb; >>> struct i2c_client *client; >>> >>> + if (!dev) >>> + return 0; >>> + >>> if (dev->is_audio_only) { >>> /* Shouldn't initialize IR for this interface */ >>> return 0; >>> -- >>> 2.7.4 >>> > > > > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini 2017-11-08 16:04 ` Andrey Konovalov @ 2017-11-08 16:22 ` Gustavo A. R. Silva 0 siblings, 0 replies; 5+ messages in thread From: Gustavo A. R. Silva @ 2017-11-08 16:22 UTC (permalink / raw) To: Andrey Konovalov Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller Quoting Andrey Konovalov <andreyknvl@google.com>: > On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva > <garsilva@embeddedor.com> wrote: >> >> Quoting Andrey Konovalov <andreyknvl@google.com>: >> >>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva >>> <garsilva@embeddedor.com> wrote: >>>> >>>> Hi Andrey, >>>> >>>> Could you please try this patch? >>>> >>>> Thank you >>>> >>>> Gustavo A. R. Silva >>> >>> >>> Hi Gustavo, >>> >>> Still see the crash with your patch. >>> >>> Thanks! >>> >> >> Thank you, Andrey. I will look into this further. > > Since I'm able to reproduce this, I can apply a patch with debug > printk's or something similar and run the reproducer. Send me a patch > if you think it might help. > Awesome. I'm pretty sure this bug is related to other issues like this one: https://groups.google.com/forum/#!topic/syzkaller/FnJq_QkwCLQ em28xx is an old driver and it might require some refactoring in order to fix such issues. I appreciate your help. Thank you -- Gustavo A. R. Silva >> >> >>>> >>>> --- >>>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ >>>> 1 file changed, 3 insertions(+) >>>> >>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c >>>> b/drivers/media/usb/em28xx/em28xx-dvb.c >>>> index 4a7db62..fc3fb92 100644 >>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c >>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c 
>>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) >>>> struct em28xx_dvb *dvb; >>>> struct i2c_client *client; >>>> >>>> + if (!dev) >>>> + return 0; >>>> + >>>> if (dev->is_audio_only) { >>>> /* Shouldn't initialize IR for this interface */ >>>> return 0; >>>> -- >>>> 2.7.4 >>>> >> >> >> >> >> >> ^ permalink raw reply [flat|nested] 5+ messages in thread