Received: by 10.223.164.202 with SMTP id h10csp877011wrb;
        Thu, 9 Nov 2017 16:22:38 -0800 (PST)
X-Google-Smtp-Source: ABhQp+SE7L86+8lFABy0A/hvuyNxaObXFLFWGAcCLW3FVAt0hTlrGKEqTR1jS+dsLCEoi1NR7SH6
X-Received: by 10.98.144.129 with SMTP id q1mr2313535pfk.38.1510273357969;
        Thu, 09 Nov 2017 16:22:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510273357; cv=none;
        d=google.com; s=arc-20160816;
        b=TDmJqdzDioWi79oWVYGonzLEsSJx05x0f22K1y8K5NQY+USgUAKqifTq7YwVJODTGa
         3wChdQok0Th4+alyAMstlfmN3oRkgM2o57ejrujPa4ofeobceXwdHYd9LWE8jcJftLlc
         4KLbPhtUrm/pDRvYW/lwE35aEWErlQhEvVLj47yjNNvvSLrnYlcmy+r2LLp+ui4CmgwG
         UBUMsmfPbI8+sTsgvKsGcu9JAaNxc0K//h3bG/ancTNYvf/Fx6sQSVfXGXIla8Ju/zxR
         calCg7NcJ506FfpolyiRtsqBofeorzqGLDaUwHR8CcOFl+kBHlprEqIUZlU536+8f9KJ
         uSbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=K2c53F+bGI4nOWB7sdhZ30mLXt98Lnl1vo7z9itMxa8=;
        b=qd6o/yW0NnST0I/Ac+YC7lnnIsGTNNw1AXogKxdxQ6rmVIcCve6JWpQ0OkSvjBD4bl
         zKw9hcZ9NTBXs+CgsMYM47SDQjdoKsBaHEeEG759EZi1Zk/6MFqYWBFYo/LItXCD7/EW
         mz9eyCryjkB3CE4bzjBsMrFAnYxEZR/6Dy0uO/HtzHNkA2WhgbvSsWpweMdAs3/6n9I0
         vGFxc4pkM6HvvTKVah3wy0I3+S6CGi3/Uf6jq7TiT1FHAlr6wYrrD6Dwyuv/uWVCmU0l
         UQYDLDEjYJ4KG1F5rgvWCEnFovB6Sl7doLcTf1XnC2sXsE90gn1I0HmgpN/el9vvD6WE
         Hopw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w9si7109740plp.220.2017.11.09.16.22.25;
        Thu, 09 Nov 2017 16:22:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755382AbdKJAVj (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 83 others); Thu, 9 Nov 2017 19:21:39 -0500
Received: from gateway22.websitewelcome.com ([192.185.47.79]:21563 "EHLO
        gateway22.websitewelcome.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1754502AbdKJAVi (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Nov 2017 19:21:38 -0500
Received: from cm16.websitewelcome.com (cm16.websitewelcome.com [100.42.49.19])
        by gateway22.websitewelcome.com (Postfix) with ESMTP id CE302B3BE
        for <linux-kernel@vger.kernel.org>; Thu,  9 Nov 2017 18:21:37 -0600 (CST)
Received: from gator4166.hostgator.com ([108.167.133.22])
        by cmsmtp with SMTP
        id Cx4jeASxKRtUXCx4jeL7TS; Thu, 09 Nov 2017 18:21:37 -0600
Received: from [189.175.7.72] (port=33450 helo=embeddedor)
        by gator4166.hostgator.com with esmtpa (Exim 4.87)
        (envelope-from <garsilva@embeddedor.com>)
        id 1eCx4j-001lWc-4t; Thu, 09 Nov 2017 18:21:37 -0600
Date:   Thu, 9 Nov 2017 18:21:34 -0600
From:   "Gustavo A. R. Silva" <garsilva@embeddedor.com>
To:     Andrey Konovalov <andreyknvl@google.com>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        Hans Verkuil <hans.verkuil@cisco.com>,
        Sean Young <sean@mess.org>, linux-media@vger.kernel.org,
        Andi Shyti <andi.shyti@samsung.com>,
        LKML <linux-kernel@vger.kernel.org>
Cc:     Dmitry Vyukov <dvyukov@google.com>,
        Kostya Serebryany <kcc@google.com>,
        syzkaller <syzkaller@googlegroups.com>,
        "Gustavo A. R. Silva" <garsilva@embeddedor.com>
Subject: [PATCH] au0828: fix use-after-free at USB probing
Message-ID: <20171110002134.GA32019@embeddedor.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAAeHK+wZXZMxqQn9QbAd3xWt00_bKir4-La2QKtzk8nFb0FQmw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator4166.hostgator.com
X-AntiAbuse: Original Domain - vger.kernel.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - embeddedor.com
X-BWhitelist: no
X-Source-IP: 189.175.7.72
X-Source-L: No
X-Exim-ID: 1eCx4j-001lWc-4t
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (embeddedor) [189.175.7.72]:33450
X-Source-Auth: garsilva@embeddedor.com
X-Email-Count: 7
X-Source-Cap: Z3V6aWRpbmU7Z3V6aWRpbmU7Z2F0b3I0MTY2Lmhvc3RnYXRvci5jb20=
X-Local-Domain: yes
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Andrey,

Could you please try this patch?

Thank you


The device is typically freed on failure after trying to set
USB interface0 to as5 in function au0828_analog_register.

Fix use-after-free by returning the error value inmediately
after failure, instead of jumping to au0828_usb_disconnect
where _dev_ is also freed.

Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/media/usb/au0828/au0828-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..b4abd90 100644
--- a/drivers/media/usb/au0828/au0828-core.c
+++ b/drivers/media/usb/au0828/au0828-core.c
@@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface *interface,
 			__func__);
 		mutex_unlock(&dev->lock);
 		kfree(dev);
-		goto done;
+		return retval;
 	}
 
 	/* Digital TV */
@@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
 
 	retval = au0828_media_device_register(dev, usbdev);
 
-done:
 	if (retval < 0)
 		au0828_usb_disconnect(interface);
 
-- 
2.7.4


From 1586870883165741900@xxx Fri Dec 15 17:13:24 +0000 2017
X-GM-THRID: 1586573128782006936
X-Gmail-Labels: Inbox,Category Forums