Date: Wed, 08 Nov 2017 10:22:01 -0600
From: "Gustavo A. R. Silva"
To: Andrey Konovalov
Cc: Mauro Carvalho Chehab, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Subject: Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

Quoting Andrey Konovalov:

> On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
> wrote:
>>
>> Quoting Andrey Konovalov:
>>
>>> On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
>>> wrote:
>>>>
>>>> Hi Andrey,
>>>>
>>>> Could you please try this patch?
>>>>
>>>> Thank you
>>>>
>>>> Gustavo A. R. Silva
>>>
>>>
>>> Hi Gustavo,
>>>
>>> Still see the crash with your patch.
>>>
>>> Thanks!
>>>
>>
>> Thank you, Andrey. I will look into this further.
>
> Since I'm able to reproduce this, I can apply a patch with debug
> printk's or something similar and run the reproducer. Send me a patch
> if you think it might help.
>

Awesome.
I'm pretty sure this bug is related to other issues like this one:

https://groups.google.com/forum/#!topic/syzkaller/FnJq_QkwCLQ

em28xx is an old driver and it might require some refactoring in order to fix such issues.

I appreciate your help.

Thank you
--
Gustavo A. R. Silva

>> >> >>>> >>>> --- >>>> drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++ >>>> 1 file changed, 3 insertions(+) >>>> >>>> diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c >>>> b/drivers/media/usb/em28xx/em28xx-dvb.c >>>> index 4a7db62..fc3fb92 100644 >>>> --- a/drivers/media/usb/em28xx/em28xx-dvb.c >>>> +++ b/drivers/media/usb/em28xx/em28xx-dvb.c >>>> @@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev) >>>> struct em28xx_dvb *dvb; >>>> struct i2c_client *client; >>>> >>>> + if (!dev) >>>> + return 0; >>>> + >>>> if (dev->is_audio_only) { >>>> /* Shouldn't initialize IR for this interface */ >>>> return 0; >>>> -- >>>> 2.7.4 >>>> >> >> >> >> >> >>
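Review bot: The `if (!dev)` test added at the top of em28xx_dvb_fini() only catches a NULL pointer, while the subject line reports a use-after-free, where `dev` is non-NULL but points at memory that has already been released. The very next statement, `if (dev->is_audio_only)`, still reads through that pointer, which is consistent with the tester's report further up the thread that the crash persists with the patch applied. A fix needs to address the object's lifetime, for example by making sure `dev` cannot be freed until this fini path has completed, rather than testing the pointer value. Separately, the context comment "Shouldn't initialize IR for this interface" sits in a DVB teardown function and looks copied from elsewhere; it is worth correcting while this code is being touched.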