From: Dan Carpenter <dan.carpenter@oracle.com>
To: Hillf Danton <hdanton@sina.com>
Cc: syzbot <syzbot+005037419ebdf14e1d87@syzkaller.appspotmail.com>,
	igormtorrente@gmail.com, linux-kernel@vger.kernel.org,
	linux-media@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in em28xx_close_extension
Date: Wed, 28 Jul 2021 16:39:13 +0300
Message-ID: <20210728133913.GU25548@kadam>
In-Reply-To: <20210727141455.GM1931@kadam>

On Tue, Jul 27, 2021 at 05:14:55PM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 06:01:51PM +0800, Hillf Danton wrote:
> > Along the probe path,
> > 
> > em28xx_usb_probe
> >   dev = kzalloc(sizeof(*dev), GFP_KERNEL);
> >   retval = em28xx_init_dev(dev, udev, intf, nr);
> >     em28xx_init_extension(dev);
> >       em28xx_ir_init(struct em28xx *dev)
> >         kref_get(&dev->ref);
> > 
> >   kref_init(&dev->ref);
> 
> Good detective work.
> 
> I've created a Smatch check to try to find these.  It uses the fact that
> Smatch creates a bunch of fake assignments to set all the struct members
> of "dev" to zero.  Then it uses the modification hook to find the
> kref_init().  Those are sort of new uses for those hooks so that's quite
> fun.
> 
> I'll test it out overnight and see how it works.

My Smatch check didn't find any other bugs, but it only had 3 false
positives so I'll keep running it nightly on new code.

regards,
dan carpenter
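The ordering bug Hillf traced above (the extension's kref_get() on a kzalloc'ed struct before the core's kref_init()) modelled in user space, as an added example that is not code from this thread, the em28xx driver or Smatch. struct em28xx_dev, probe() and core_uses_freed_dev() are hypothetical stand-ins, and this kref_get() refuses an increment from zero where the kernel's refcount_t would warn.

```c
#include <stdbool.h>
#include <stdlib.h>
/* User-space model of the kernel kref; count 0 means "not initialised". */
struct kref { unsigned int refcount; };
static void kref_init(struct kref *k) { k->refcount = 1; }

/* Like refcount_inc(): an increment from zero is the bug, so refuse it
 * (the kernel's refcount_t warns "addition on 0; use-after-free" here). */
static bool kref_get(struct kref *k)
{
    if (k->refcount == 0) return false;
    k->refcount++;
    return true;
}
/* True when the last reference is dropped and the object dies. */
static bool kref_put(struct kref *k) { return --k->refcount == 0; }

/* Hypothetical stand-in for struct em28xx; only the refcount matters. */
struct em28xx_dev { struct kref ref; };

/* Models em28xx_ir_init(): the extension takes its own reference. */
static bool extension_init(struct em28xx_dev *dev) { return kref_get(&dev->ref); }

/* Probe path as quoted in the thread: dev comes from kzalloc() (count 0)
 * and, in the buggy order, the extension's kref_get() runs before the
 * core's kref_init(). Caller frees the returned dev. */
static struct em28xx_dev *probe(bool fixed_order)
{
    struct em28xx_dev *dev = calloc(1, sizeof(*dev));
    if (fixed_order) {
        kref_init(&dev->ref);   /* core's reference      -> 1 */
        extension_init(dev);    /* extension's reference -> 2 */
    } else {
        extension_init(dev);    /* get() on 0: rejected  -> 0 */
        kref_init(&dev->ref);   /* core's reference only -> 1 */
    }
    return dev;
}

/* Teardown as in em28xx_close_extension(): the extension's kref_put() runs
 * first. In the buggy order that was the only reference, so the core's
 * later access hits freed memory (the KASAN report on this thread). */
static bool core_uses_freed_dev(bool fixed_order)
{
    struct em28xx_dev *dev = probe(fixed_order);
    bool freed = kref_put(&dev->ref);   /* extension's put */
    if (!freed)
        kref_put(&dev->ref);            /* core's put drops the last ref */
    free(dev);
    return freed;   /* true: the core still held dev after it was freed */
}
```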


