Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp1689145imw; Sat, 16 Jul 2022 12:24:41 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sRrF6rPC7Gdi1CVCfn+8RwLZoMynMmLti0LM0yZLEJednDu1UCLrlvwbqo784IwZO38GjU X-Received: by 2002:a05:6402:278c:b0:43a:91cb:c43a with SMTP id b12-20020a056402278c00b0043a91cbc43amr27469538ede.188.1657999481520; Sat, 16 Jul 2022 12:24:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657999481; cv=none; d=google.com; s=arc-20160816; b=G98vOdxWO8IRUPtum7+f6Eb8fHQeJmCp0/lRR1njAY3Nqjm7EA/E3phmkgfqFBOuHp c2uVyfI+W5ORg4pTNUF5yS+Pkiw/gH0YDy2rvcXeceL6NUanMQ4DDZaiu5MAxqELELrO aMQxxna6KOlJw+YlWtTigRQupbAjwN52doIDqtZE0hMyhAVC0xrrZFWOTKHKEq2K+d7Z q2VB8181etfj9SV5jkrJ8syzV91O9ZQbQcF46Y+UVrATmVw7R5rPJBECNly/2A6KOhwz vukDH1iY+dJyghOuRGxqzsyi4LEYEKY1cgWFs1jgCxiDUC+VaPTTRAtgn84iSg7Bnpia 5c5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=+vY9Nyy0TwISdW8zYpRWKHHMN2zvj6lxaP9oRlRW5VE=; b=sjOVVgD0sban2X8Fq+f0GXqazJeBO3Z3f1fAi+bEnUni10sCcvlGzKTZqDrNgIfGjD wWBUkj6kFQRE2mslYOzyOaU3DDq4/jBzhg7kmnxJFYfRKUoN8OxAOPCw3C8oS9fhdaFO b3QNhPV7+txIHOuL7BJJSvKaC2I0hp/Ocaf5q1NBMXFZ9LPAmOJsGR6DotthP0a3g09N zn9VdCVknKNpuSxs4aQwjgdsZGXhCj41cnNTMtPPQ1psiq/hnV/ODaIaGo0z8JRczYjz nselCFaK9cvWgn/otSlHDsVJFMVFa0xK+T4cuO38oq4j/Ua+5p4Ybum8jJa/XOPbeKOt KlrA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=zLf3kVg4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sa36-20020a1709076d2400b0072c534aff20si10249322ejc.93.2022.07.16.12.24.17; Sat, 16 Jul 2022 12:24:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=bombadil.20210309 header.b=zLf3kVg4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232341AbiGPTDb (ORCPT + 99 others); Sat, 16 Jul 2022 15:03:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229648AbiGPTD3 (ORCPT ); Sat, 16 Jul 2022 15:03:29 -0400 Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1239C1CFEE; Sat, 16 Jul 2022 12:03:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:Cc:To:Subject:MIME-Version:Date: Message-ID:Sender:Reply-To:Content-ID:Content-Description; bh=+vY9Nyy0TwISdW8zYpRWKHHMN2zvj6lxaP9oRlRW5VE=; b=zLf3kVg4Z7/CBgKIAeG5Bbpc3w eeS0m/ZHAAACyF5gXE6Vn2OTGI1yfEHMfx6NRip6xxotNix8Sv68aGdCfOSufd6L0r8zHUiVHn3Wv SJ5McTRMMcwyKqyCnH7flmgYyBjwgfctcFDZ8mo26iAcX15E1zjFYOy9TMRoJ6Lsyusup6BOUF4Vt fWKxBao9tOw3om6CTNZZV56E2ZbyBE4Znd8q0j9pGiWwyWsdTq029+69SdOfy8bHpJOYgTBKlcwZE +rPRDnXlijkMZg91D8R8Ss/wImPbPBQqTkE5nuQNZP0uWP4vNJTzh2XfH9Z6TAQu8YDWKI2sgvMba yyHXR+5Q==; Received: from [2601:1c0:6280:3f0::a6b3] by bombadil.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oCn4Y-000ANg-Mj; Sat, 16 Jul 2022 19:03:26 +0000 Message-ID: <5fc2c89d-5aaf-3b81-64cc-7e69b16266c9@infradead.org> Date: Sat, 16 Jul 2022 12:03:25 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [BUG] media: cx88-alsa: Found a bug at the probe time Content-Language: en-US To: Zheyu Ma , Mauro Carvalho Chehab Cc: linux-media , Linux Kernel Mailing List References: From: Randy Dunlap In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi-- On 7/14/22 18:54, Zheyu Ma wrote: > Hello, > > I found a bug in the driver cx88-alsa. > > When the driver fails in the function snd_cx88_create() at the probe > time, it will cause a UAF bug as follows: It's not a UAF. It's a WARN() macro with an IRQ management problem, as shown in the next 2 lines below: > > [ 24.343899] Trying to free already-free IRQ 0 > [ 24.344815] WARNING: CPU: 7 PID: 389 at kernel/irq/manage.c:1895 > free_irq+0x3a4/0x7c0 > [ 24.348448] RIP: 0010:free_irq+0x3a4/0x7c0 > [ 24.356716] Call Trace: > [ 24.357124] snd_cx88_dev_free+0x71/0x100 [cx88_alsa] > [ 24.358008] release_card_device+0x7d/0x190 > [ 24.358699] device_release+0x97/0x1c0 > [ 24.359022] kobject_put+0x144/0x1c0 > [ 24.359329] snd_card_free+0xec/0x150 > [ 24.360078] cx88_audio_initdev+0x8f4/0xce0 [cx88_alsa] > > Since I'm not familiar with the driver, could you please give me some > hints to fix it? > > regards, > > Zheyu Ma -- ~Randy