All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pavel Skripkin <paskripkin@gmail.com>
To: mchehab@kernel.org
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pavel Skripkin <paskripkin@gmail.com>,
	syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
Subject: [PATCH] media: em28xx: fix corrupted list
Date: Tue,  6 Jul 2021 17:50:25 +0300	[thread overview]
Message-ID: <20210706145025.25776-1-paskripkin@gmail.com> (raw)

Syzbot reported corrupted list in em28xx driver. The problem was in
non-reinitialized lists on disconnect. Since all 2 lists are global
variables and driver can be connected and disconnected many times we
should call INIT_LIST_HEAD() in .disconnect method to prevent corrupted
list entries.

Fixes: 1a23f81b7dc3 ("V4L/DVB (9979): em28xx: move usb probe code to a proper place")
Reported-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/media/usb/em28xx/em28xx-cards.c | 2 ++
 drivers/media/usb/em28xx/em28xx-core.c  | 6 ++++++
 drivers/media/usb/em28xx/em28xx.h       | 1 +
 3 files changed, 9 insertions(+)

diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
index ba9292e2a587..8b1ff79c37a0 100644
--- a/drivers/media/usb/em28xx/em28xx-cards.c
+++ b/drivers/media/usb/em28xx/em28xx-cards.c
@@ -4148,6 +4148,8 @@ static void em28xx_usb_disconnect(struct usb_interface *intf)
 		dev->dev_next = NULL;
 	}
 	kref_put(&dev->ref, em28xx_free_device);
+
+	em28xx_reset_lists();
 }
 
 static int em28xx_usb_suspend(struct usb_interface *intf,
diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c
index 584fa400cd7d..03970ed00dba 100644
--- a/drivers/media/usb/em28xx/em28xx-core.c
+++ b/drivers/media/usb/em28xx/em28xx-core.c
@@ -1131,6 +1131,12 @@ void em28xx_init_extension(struct em28xx *dev)
 	mutex_unlock(&em28xx_devlist_mutex);
 }
 
+void em28xx_reset_lists(void)
+{
+	INIT_LIST_HEAD(&em28xx_devlist);
+	INIT_LIST_HEAD(&em28xx_extension_devlist);
+}
+
 void em28xx_close_extension(struct em28xx *dev)
 {
 	const struct em28xx_ops *ops = NULL;
diff --git a/drivers/media/usb/em28xx/em28xx.h b/drivers/media/usb/em28xx/em28xx.h
index ab167cd1f400..73caaaa398d3 100644
--- a/drivers/media/usb/em28xx/em28xx.h
+++ b/drivers/media/usb/em28xx/em28xx.h
@@ -835,6 +835,7 @@ void em28xx_stop_urbs(struct em28xx *dev);
 int em28xx_set_mode(struct em28xx *dev, enum em28xx_mode set_mode);
 int em28xx_gpio_set(struct em28xx *dev, const struct em28xx_reg_seq *gpio);
 int em28xx_register_extension(struct em28xx_ops *dev);
+void em28xx_reset_lists(void);
 void em28xx_unregister_extension(struct em28xx_ops *dev);
 void em28xx_init_extension(struct em28xx *dev);
 void em28xx_close_extension(struct em28xx *dev);
-- 
2.32.0


             reply	other threads:[~2021-07-06 14:50 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-06 14:50 Pavel Skripkin [this message]
2021-07-20 12:13 ` [PATCH] media: em28xx: fix corrupted list Hans Verkuil
2021-07-21 12:21   ` Pavel Skripkin
2021-07-21 12:25     ` Hans Verkuil
2021-07-21 19:43       ` [PATCH v2] media: em28xx: add missing em28xx_close_extension Pavel Skripkin
2021-07-29  9:45         ` Hans Verkuil
2021-07-29 12:45           ` Pavel Skripkin
2021-07-29 13:40             ` Hans Verkuil
2021-07-29 20:23               ` [PATCH v3] " Pavel Skripkin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210706145025.25776-1-paskripkin@gmail.com \
    --to=paskripkin@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    --cc=mchehab@kernel.org \
    --cc=syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.