From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Cai Huoqing <caihuoqing@baidu.com>
Cc: lkp@intel.com, kbuild-all@lists.01.org,
linux-kernel@vger.kernel.org, Hans Verkuil <hverkuil@xs4all.nl>
Subject: [hverkuil-media:for-v5.16c 7/24] drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
Date: Fri, 3 Sep 2021 11:10:55 +0300 [thread overview]
Message-ID: <202109020425.tObTnysX-lkp@intel.com> (raw)
tree: git://linuxtv.org/hverkuil/media_tree.git for-v5.16c
head: 1ff8a1958e10f52762323ab98ad84bd417c4bd24
commit: 84f96613da19427380d40262262745e27ffc7c75 [7/24] media: smsusb: Use usb_get_dev() for the reference count of udev
config: arm64-randconfig-m031-20210831 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 11.2.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: dereferencing freed memory 'dev'
vim +/dev +354 drivers/media/usb/siano/smsusb.c
0c071f374f66f0 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-21 336 static void smsusb_term_device(struct usb_interface *intf)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 337 {
8350e1551c27ee drivers/media/dvb/siano/smsusb.c Joe Perches 2010-11-30 338 struct smsusb_device_t *dev = usb_get_intfdata(intf);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 339
822374165d6b11 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 @340 if (dev) {
^^^
Check for NULL here. (Unnecessary, "dev" can't be NULL at this point).
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 341 dev->state = SMSUSB_DISCONNECTED;
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 342
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 343 smsusb_stop_streaming(dev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 344
fa830e8a014a20 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 345 /* unregister from smscore */
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 346 if (dev->coredev)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 347 smscore_unregister_device(dev->coredev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 348
0dd5f20cb35b59 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2015-02-22 349 pr_debug("device 0x%p destroyed\n", dev);
08921ac9e9d185 drivers/media/dvb/siano/smsusb.c Jesper Juhl 2011-04-21 350 kfree(dev);
^^^
"dev" is freed.
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 351 }
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 352
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 353 usb_set_intfdata(intf, NULL);
84f96613da1942 drivers/media/usb/siano/smsusb.c Cai Huoqing 2021-08-02 @354 usb_put_dev(dev->udev);
^^^
Use after free.
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 355 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: [hverkuil-media:for-v5.16c 7/24] drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
Date: Thu, 02 Sep 2021 04:07:38 +0800 [thread overview]
Message-ID: <202109020425.tObTnysX-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3487 bytes --]
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Cai Huoqing <caihuoqing@baidu.com>
CC: Hans Verkuil <hverkuil@xs4all.nl>
tree: git://linuxtv.org/hverkuil/media_tree.git for-v5.16c
head: 1ff8a1958e10f52762323ab98ad84bd417c4bd24
commit: 84f96613da19427380d40262262745e27ffc7c75 [7/24] media: smsusb: Use usb_get_dev() for the reference count of udev
:::::: branch date: 9 hours ago
:::::: commit date: 9 hours ago
config: arm64-randconfig-m031-20210831 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 11.2.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: dereferencing freed memory 'dev'
vim +/dev +354 drivers/media/usb/siano/smsusb.c
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 335
0c071f374f66f0 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-21 336 static void smsusb_term_device(struct usb_interface *intf)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 337 {
8350e1551c27ee drivers/media/dvb/siano/smsusb.c Joe Perches 2010-11-30 338 struct smsusb_device_t *dev = usb_get_intfdata(intf);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 339
822374165d6b11 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 @340 if (dev) {
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 341 dev->state = SMSUSB_DISCONNECTED;
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 342
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 343 smsusb_stop_streaming(dev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 344
fa830e8a014a20 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 345 /* unregister from smscore */
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 346 if (dev->coredev)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 347 smscore_unregister_device(dev->coredev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 348
0dd5f20cb35b59 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2015-02-22 349 pr_debug("device 0x%p destroyed\n", dev);
08921ac9e9d185 drivers/media/dvb/siano/smsusb.c Jesper Juhl 2011-04-21 350 kfree(dev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 351 }
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 352
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 353 usb_set_intfdata(intf, NULL);
84f96613da1942 drivers/media/usb/siano/smsusb.c Cai Huoqing 2021-08-02 @354 usb_put_dev(dev->udev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 355 }
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 356
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 43677 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild-all@lists.01.org
Subject: [hverkuil-media:for-v5.16c 7/24] drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
Date: Fri, 03 Sep 2021 11:10:55 +0300 [thread overview]
Message-ID: <202109020425.tObTnysX-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3517 bytes --]
tree: git://linuxtv.org/hverkuil/media_tree.git for-v5.16c
head: 1ff8a1958e10f52762323ab98ad84bd417c4bd24
commit: 84f96613da19427380d40262262745e27ffc7c75 [7/24] media: smsusb: Use usb_get_dev() for the reference count of udev
config: arm64-randconfig-m031-20210831 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 11.2.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340)
drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: dereferencing freed memory 'dev'
vim +/dev +354 drivers/media/usb/siano/smsusb.c
0c071f374f66f0 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-21 336 static void smsusb_term_device(struct usb_interface *intf)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 337 {
8350e1551c27ee drivers/media/dvb/siano/smsusb.c Joe Perches 2010-11-30 338 struct smsusb_device_t *dev = usb_get_intfdata(intf);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 339
822374165d6b11 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 @340 if (dev) {
^^^
Check for NULL here. (Unnecessary, "dev" can't be NULL at this point).
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 341 dev->state = SMSUSB_DISCONNECTED;
05f0ffbc487517 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2013-03-06 342
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 343 smsusb_stop_streaming(dev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 344
fa830e8a014a20 drivers/media/dvb/siano/smsusb.c Michael Krufky 2008-06-15 345 /* unregister from smscore */
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 346 if (dev->coredev)
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 347 smscore_unregister_device(dev->coredev);
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 348
0dd5f20cb35b59 drivers/media/usb/siano/smsusb.c Mauro Carvalho Chehab 2015-02-22 349 pr_debug("device 0x%p destroyed\n", dev);
08921ac9e9d185 drivers/media/dvb/siano/smsusb.c Jesper Juhl 2011-04-21 350 kfree(dev);
^^^
"dev" is freed.
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 351 }
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 352
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 353 usb_set_intfdata(intf, NULL);
84f96613da1942 drivers/media/usb/siano/smsusb.c Cai Huoqing 2021-08-02 @354 usb_put_dev(dev->udev);
^^^
Use after free.
2e5c1ec8865abd drivers/media/mdtv/smsusb.c Michael Krufky 2008-05-19 355 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
next reply other threads:[~2021-09-03 8:11 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-01 20:07 kernel test robot [this message]
2021-09-03 8:10 ` [hverkuil-media:for-v5.16c 7/24] drivers/media/usb/siano/smsusb.c:354 smsusb_term_device() error: we previously assumed 'dev' could be null (see line 340) Dan Carpenter
2021-09-03 8:10 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202109020425.tObTnysX-lkp@intel.com \
--to=dan.carpenter@oracle.com \
--cc=caihuoqing@baidu.com \
--cc=hverkuil@xs4all.nl \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.