From: Rohaniyaa
To: Sean Young, linux-media@vger.kernel.org
Cc: Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, Rohan Mithari, syzbot+5d7eece664082e0c5c1a@syzkaller.appspotmail.com
Subject: [PATCH] media: rc: igorplugusb: fix memory corruption race condition in probe
Date: Sun, 5 Apr 2026 00:05:07 +0530
Message-Id: <20260404183507.773866-1-rohanmithari09@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Rohan Mithari

Syzbot reported a race condition causing a WARNING in usb_submit_urb.

In igorplugusb_probe(), the driver registers the RC device via rc_register_device() before initializing the internal interface data via usb_set_intfdata(). If the device is abruptly disconnected or accessed by userspace immediately after registration, the disconnect function or active URB submission can trigger a NULL pointer dereference or Use-After-Free.

Without KASAN enabled, this race condition silently corrupts the slab allocator, leading to a delayed fatal panic in kmem_cache_alloc().

This patch fixes the race by ensuring the private data (ir) is safely attached to the USB interface and the hardware is fully initialized before exposing the device to the subsystem via rc_register_device().

Reported-by: syzbot+5d7eece664082e0c5c1a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5d7eece664082e0c5c1a
Signed-off-by: Rohan Mithari --- drivers/media/rc/igorplugusb.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c index 3e10f6fe89f8..a694ed1e5c1f 100644 --- a/drivers/media/rc/igorplugusb.c +++ b/drivers/media/rc/igorplugusb.c @@ -214,17 +214,14 @@ static int igorplugusb_probe(struct usb_interface *intf, rc->rx_resolution = 85; ir->rc = rc; + usb_set_intfdata(intf, ir); + igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY); ret = rc_register_device(rc); if (ret) { dev_err(&intf->dev, "failed to register rc device: %d", ret); goto fail; - } - - usb_set_intfdata(intf, ir); - - igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY); - - return 0; +} +return 0; fail: usb_poison_urb(ir->urb); timer_delete(&ir->timer); @@ -233,8 +230,7 @@ static int igorplugusb_probe(struct usb_interface *intf, rc_free_device(ir->rc); kfree(ir->buf_in); kfree(ir->request); - - return ret; +return ret; } static void igorplugusb_disconnect(struct usb_interface *intf) -- 2.34.1
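Review bot: In the first hunk (@@ -214,17 +214,14 @@) the replacement lines `+}` and `+return 0;` lose the indentation that the removed `- }` and `- return 0;` lines had, so the closing brace of the `if (ret)` block and the success return now sit at column 0, and the blank line before the return is dropped; keep the original indentation and blank line so the hunk becomes the minimal two-line move of `usb_set_intfdata(intf, ir);` and `igorplugusb_cmd(ir, SET_INFRABUFFER_EMPTY);` ahead of `rc_register_device(rc)`, which is what the commit message describes and what checkpatch will expect. Separately, with this ordering a failing `rc_register_device()` now reaches `fail:` with the SET_INFRABUFFER_EMPTY command already submitted and intfdata already set; the existing `usb_poison_urb(ir->urb)` and `timer_delete(&ir->timer)` in the fail path cover the in-flight URB, but it is worth saying in the commit message that the error path was checked against the new order.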
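Review bot: The second hunk (@@ -233,8 +230,7 @@) has the same problem: `+return ret;` replaces the indented `- return ret;` with an unindented line and removes the blank line that separated it from `kfree(ir->request);`. Nothing about the fix requires touching this line at all; drop this hunk so the patch changes only the probe ordering and the diffstat shrinks to the lines that matter.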