Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp95996rdb; Fri, 16 Feb 2024 23:43:16 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXHex29EbOT27EB/9yBwmIewYx3g3Ip0f/h7RPZ2tvrnvJzpRdo86JEu1v3gscamsVGQTHav5TqGDMX8kaLYcnMON0emfxx70bn6tZe7w== X-Google-Smtp-Source: AGHT+IFXRjs2acYULYXmbmsaZ8dzJQ8P/lC81+8ohMqFoYCUc+10Dbh9CdE5BUFV/3LTczOVx59b X-Received: by 2002:a17:90a:12cb:b0:296:67b:1894 with SMTP id b11-20020a17090a12cb00b00296067b1894mr9356873pjg.0.1708155795895; Fri, 16 Feb 2024 23:43:15 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708155795; cv=pass; d=google.com; s=arc-20160816; b=MsJ9FKYLqlPnY8+LAh5zOq/PhfZ+Ieuv8yaeHWzJL/KnlY3RsSLv10Ix7wEDWEAceU mRDWMutYkg0L3iUM6LOKnxrCbbXWvJ339cl+XR0gFY97C3/G+qsg1YOYPqearlS9LM+5 hLrbdCh5djYRiLeM6sj2CQAmv3Uojpt2ffXitq4Yax5kTmZL53Cztzkfl3LCdICuL/0m fAb6ZiMf025YCi57vC6JynkUAslDQYa5sjKQql8i9udhjpY1COOV7U111ocnHRDtnowN BAB79QdYw6dRRaA16LDUyPDF/JLS58JjaVn1EluGzI5Ub8t4mE2rzySN+hEMu76uc8LO fDcw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:feedback-id:dkim-signature:dkim-signature; bh=yzscl6eUgxQrEdqt6+ABAiAuOZEKasOQBugBShA9lzg=; fh=nh1ev9o1IObzb4pQ//2bQqNmJ4pVOvETgIg2q0D1xHA=; b=Ck4oM2UNMXypq+Nbytb9ZOqkiAWdEbarf+mSX/Pg8mawloSj+IfGfE+bgmSqMdM8ac YgOEx7PGtldl53nntWnHguqoRlZ15v7H8V8GIo/j+RbwoqVQ17bhlKMx33e8R0EcZaFn KgH642OiDujefJoDmD9JXPgQKJj3cCxLj22pQOAc8wcoyaJhCiK1+nkEzMPD2ApCv1/O o8X9i+eXz2kXT7Dg8Y3TDCJqo7EW0Neh5VNo2/rMkgK4OeN5O/WeJNTexNFeTO6W2LF6 UkEFnr7hRJKA1/1UuWL/BbhSsiCOikHAYrdLRWNL4W8PhHVpOkYpXDWliJg1Slkn6Jq0 jM6Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kroah.com header.s=fm1 header.b=cmfYTQpd; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=C+pTWRTA; arc=pass (i=1 spf=pass spfdomain=kroah.com dkim=pass dkdomain=kroah.com dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=kroah.com); spf=pass (google.com: domain of linux-kernel+bounces-69726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69726-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kroah.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id gv22-20020a17090b11d600b0029929e66a2fsi1216523pjb.147.2024.02.16.23.43.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Feb 2024 23:43:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-69726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@kroah.com header.s=fm1 header.b=cmfYTQpd; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=C+pTWRTA; arc=pass (i=1 spf=pass spfdomain=kroah.com dkim=pass dkdomain=kroah.com dkim=pass dkdomain=messagingengine.com dmarc=pass fromdomain=kroah.com); spf=pass (google.com: domain of linux-kernel+bounces-69726-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-69726-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kroah.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id CB2DBB21B23 for ; Sat, 17 Feb 2024 07:43:14 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BF2632030A; Sat, 17 Feb 2024 07:41:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kroah.com header.i=@kroah.com header.b="cmfYTQpd"; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b="C+pTWRTA" Received: from fhigh6-smtp.messagingengine.com (fhigh6-smtp.messagingengine.com [103.168.172.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 690F31EB3B; Sat, 17 Feb 2024 07:41:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=103.168.172.157 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708155698; cv=none; b=lA+BkAfhhE/fTiFpqDgJKJ+18ANcxvV83UU6byCoRIXkN+Gv+ROzYgafEeChMRvrtvGxnEowqHE2Egv+lP2bmBuMY/4sk65avH4YeoFsEqf57peVRGxAePNclTcJ98UR+3eRyEaWEmOD9eBSjhMbVNV/NHU2GevBmRldmlVASEY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708155698; c=relaxed/simple; bh=nrCCv6T5C8KQMncw5eFYVShocADNiOxVr7vH8DHZlBY=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=jB3D4gfbUji++bUcmLkh3UUqFml1qK1CeH9y9k980Yow7EhUeLM1Gd1ngY5ykCmr/JmbEBkDosvAQhKWnGN0avnxoqTHvAephKSFTp/q1yTldi3ohVWNtAmPXlM2WyCa1TE1M0KemAovwgN8GtsO3pEjn3OeDcSkS+Ah7hGlx8U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=kroah.com; spf=pass smtp.mailfrom=kroah.com; dkim=pass (2048-bit key) header.d=kroah.com header.i=@kroah.com header.b=cmfYTQpd; dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=C+pTWRTA; arc=none smtp.client-ip=103.168.172.157 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=kroah.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kroah.com Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 5101311400BE; Sat, 17 Feb 2024 02:41:35 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Sat, 17 Feb 2024 02:41:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kroah.com; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1708155695; x=1708242095; bh=yzscl6eUgx QrEdqt6+ABAiAuOZEKasOQBugBShA9lzg=; b=cmfYTQpd6YNtQYlajIp2FpY5yg 3AaWFGYRcCFjxZ/K76/pQNQJa+UOl+XXWDVNQzCIQiN189ijaYibMNKRMMcM/O4N dSKM8xsbgXD01NUVyoNxjvFd1KULM9iERF7nOoaAB3pbWcHJuAwKg4t+pIRrlw81 NItTJguy3vggSKvAREKpIXthvTPvoeSeSIJ0eL+QEl36MrM0vgJtiocODN/AxEwF +bO/X2ia1moPp+rRBYymlhzVX0aZZqPnIrxSegniD+Oq+xh/r8oycLfL49bQGB5P l/QXhR9LWe+8izDGj4raIt98WI5j7FlXzDvNgESkUYKOGaVk3AWx0tCNxuDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1708155695; x=1708242095; bh=yzscl6eUgxQrEdqt6+ABAiAuOZEK asOQBugBShA9lzg=; b=C+pTWRTA+ZQA9VWAmohX9ztshfInZ//vdyvFb79tpGaB BLVIqhvcz2N4sZpzvAHXiqpc7hA7Ho5+qIEE6K0mKdwSFKv+9EtQkTWaFtiJNGIO l8R4zGgjlqlFukR6xrI1QYSW8xSAyLIjJSk/B5M8Juo/jwKXrBPxD1kmuo0psLUE pNnCUOdy/yub3a2w0T/Z3/7WWkPWwq9SKw1n7qNd486jPbXYgl2TBMzEZuwBj8ni 96b2c8C2HoEEHvb+NoeZGVSGlQp6H02n4aG1aycxLUMCoj7vuaoCIehqfu/qSYte EsKkK/Fc42mju38h69DlxUmGA/Sd5IAPxfpDt1bLLA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdefgdduudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujgesthdtredttddtvdenucfhrhhomhepifhrvghg ucfmjfcuoehgrhgvgheskhhrohgrhhdrtghomheqnecuggftrfgrthhtvghrnhepheegvd evvdeljeeugfdtudduhfekledtiefhveejkeejuefhtdeufefhgfehkeetnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepghhrvghgsehkrhhorg hhrdgtohhm X-ME-Proxy: Feedback-ID: i787e41f1:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 17 Feb 2024 02:41:34 -0500 (EST) Date: Sat, 17 Feb 2024 08:41:33 +0100 From: Greg KH To: Edward Adam Davis Cc: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com, isely@pobox.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, mchehab@kernel.org, pvrusb2-owner@isely.net, pvrusb2@isely.net, syzkaller-bugs@googlegroups.com Subject: Re: [PATCH usb] media/pvrusb2: fix uaf in pvr2_context_set_notify Message-ID: <2024021716-accent-islamist-6a87@gregkh> References: <00000000000028b68806103b4266@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Fri, Feb 16, 2024 at 03:30:47PM +0800, Edward Adam Davis wrote: > [Syzbot reported] > BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 > Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 > > CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 > Workqueue: usb_hub_wq hub_event > Call Trace: > > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 > print_address_description mm/kasan/report.c:377 [inline] > print_report+0xc4/0x620 mm/kasan/report.c:488 > kasan_report+0xda/0x110 mm/kasan/report.c:601 > pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 > pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] > pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 > > Freed by task 906: > kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 > kasan_save_track+0x14/0x30 mm/kasan/common.c:68 > kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 > poison_slab_object mm/kasan/common.c:241 [inline] > __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 > kasan_slab_free include/linux/kasan.h:184 [inline] > slab_free_hook mm/slub.c:2121 [inline] > slab_free mm/slub.c:4299 [inline] > kfree+0x105/0x340 mm/slub.c:4409 > pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] > pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 > > [Analyze] > Task A set disconnect_flag = !0, which resulted in Task B's condition being met > and releasing mp, leading to this issue. > > [Fix] > Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() > to avoid this issue. > > Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis What commit id does this fix? And should it be cc: stable as well? thanks, greg k-h