From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"Sean Young" <sean@mess.org>,
"Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>
Subject: [PATCH 3.16 15/72] media: tm6000: double free if usb disconnect while streaming
Date: Sun, 08 Dec 2019 13:52:59 +0000 [thread overview]
Message-ID: <lsq.1575813165.156682136@decadent.org.uk> (raw)
In-Reply-To: <lsq.1575813164.154362148@decadent.org.uk>
3.16.79-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@mess.org>
commit 699bf94114151aae4dceb2d9dbf1a6312839dcae upstream.
The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set
to NULL after each free.
stop stream
urb killing
urb buffer free
tm6000: got start feed request tm6000_start_feed
tm6000: got start stream request tm6000_start_stream
tm6000: pipe reset
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: IR URB failure: status: -71, length 0
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
tm6000: error tm6000_urb_received
usb 1-2: USB disconnect, device number 5
tm6000: disconnecting tm6000 #0
==================================================================
BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G W 5.3.0-rc4+ #1
Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack+0x9a/0xf0
print_address_description.cold+0xae/0x34f
__kasan_report.cold+0x75/0x93
? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
? dvb_fini+0x75/0x140 [tm6000_dvb]
kasan_report+0xe/0x12
dvb_fini+0x75/0x140 [tm6000_dvb]
tm6000_close_extension+0x51/0x80 [tm6000]
tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
usb_unbind_interface+0xe4/0x390
device_release_driver_internal+0x121/0x250
bus_remove_device+0x197/0x260
device_del+0x268/0x550
? __device_links_no_driver+0xd0/0xd0
? usb_remove_ep_devs+0x30/0x3b
usb_disable_device+0x122/0x400
usb_disconnect+0x153/0x430
hub_event+0x800/0x1e40
? trace_hardirqs_on_thunk+0x1a/0x20
? hub_port_debounce+0x1f0/0x1f0
? retint_kernel+0x10/0x10
? lock_is_held_type+0xf1/0x130
? hub_port_debounce+0x1f0/0x1f0
? process_one_work+0x4ae/0xa00
process_one_work+0x4ba/0xa00
? pwq_dec_nr_in_flight+0x160/0x160
? do_raw_spin_lock+0x10a/0x1d0
worker_thread+0x7a/0x5c0
? process_one_work+0xa00/0xa00
kthread+0x1d5/0x200
? kthread_create_worker_on_cpu+0xd0/0xd0
ret_from_fork+0x3a/0x50
Allocated by task 2682:
save_stack+0x1b/0x80
__kasan_kmalloc.constprop.0+0xc2/0xd0
usb_alloc_urb+0x28/0x60
tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
dvb_usercopy+0x97/0x1f0 [dvb_core]
dvb_demux_ioctl+0x11/0x20 [dvb_core]
do_vfs_ioctl+0x5d8/0x9d0
ksys_ioctl+0x5e/0x90
__x64_sys_ioctl+0x3d/0x50
do_syscall_64+0x74/0xe0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 22:
save_stack+0x1b/0x80
__kasan_slab_free+0x12c/0x170
kfree+0xfd/0x3a0
xhci_giveback_urb_in_irq+0xfe/0x230
xhci_td_cleanup+0x276/0x340
xhci_irq+0x1129/0x3720
__handle_irq_event_percpu+0x6e/0x420
handle_irq_event_percpu+0x6f/0x100
handle_irq_event+0x55/0x84
handle_edge_irq+0x108/0x3b0
handle_irq+0x2e/0x40
do_IRQ+0x83/0x1a0
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/usb/tm6000/tm6000-dvb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/tm6000/tm6000-dvb.c
+++ b/drivers/media/usb/tm6000/tm6000-dvb.c
@@ -111,6 +111,7 @@ static void tm6000_urb_received(struct u
printk(KERN_ERR "tm6000: error %s\n", __func__);
kfree(urb->transfer_buffer);
usb_free_urb(urb);
+ dev->dvb->bulk_urb = NULL;
}
}
}
@@ -143,6 +144,7 @@ static int tm6000_start_stream(struct tm
dvb->bulk_urb->transfer_buffer = kzalloc(size, GFP_KERNEL);
if (dvb->bulk_urb->transfer_buffer == NULL) {
usb_free_urb(dvb->bulk_urb);
+ dvb->bulk_urb = NULL;
printk(KERN_ERR "tm6000: couldn't allocate transfer buffer!\n");
return -ENOMEM;
}
@@ -170,6 +172,7 @@ static int tm6000_start_stream(struct tm
kfree(dvb->bulk_urb->transfer_buffer);
usb_free_urb(dvb->bulk_urb);
+ dvb->bulk_urb = NULL;
return ret;
}
next prev parent reply other threads:[~2019-12-08 13:58 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-08 13:52 [PATCH 3.16 00/72] 3.16.79-rc1 review Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 01/72] ASoC: Define a set of DAPM pre/post-up events Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 02/72] ASoC: sgtl5000: fix VAG power up timing Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 03/72] ASoC: sgtl5000: Improve VAG power and mute control Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 04/72] leds: leds-lp5562 allow firmware files up to the maximum length Ben Hutchings
2019-12-14 8:37 ` Pavel Machek
2019-12-14 18:44 ` Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 05/72] media: dib0700: fix link error for dibx000_i2c_set_speed Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 06/72] fbdev: ssd1307fb: return proper error code if write command fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 07/72] video: ssd1307fb: Start page range at page_offset Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 08/72] libertas_tf: Use correct channel range in lbtf_geo_init Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 09/72] x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 10/72] video: of: display_timing: Add of_node_put() in of_get_display_timing() Ben Hutchings
2019-12-09 21:19 ` Doug Anderson
2019-12-10 13:27 ` Thierry Reding
2019-12-10 15:52 ` Ben Hutchings
2019-12-10 15:31 ` Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 11/72] ALSA: aoa: onyx: always initialize register read value Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 12/72] efi: cper: print AER info of PCIe fatal error Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 13/72] ext4: set error return correctly when ext4_htree_store_dirent fails Ben Hutchings
2019-12-08 13:52 ` [PATCH 3.16 14/72] ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up Ben Hutchings
2019-12-08 13:52 ` Ben Hutchings [this message]
2019-12-08 13:53 ` [PATCH 3.16 16/72] powerpc/rtas: use device model APIs and serialization during LPM Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 17/72] can: mcp251x: mcp251x_hw_reset(): allow more time after a reset Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 18/72] HID: hidraw: Fix invalid read in hidraw_ioctl Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 19/72] ext4: fix warning inside ext4_convert_unwritten_extents_endio Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 20/72] media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 21/72] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 22/72] /dev/mem: Bail out upon SIGKILL Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 23/72] USB: usbcore: Fix slab-out-of-bounds bug during device reset Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 24/72] Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 25/72] smack: use GFP_NOFS while holding inode_smack::smk_lock Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 26/72] HID: prodikeys: Fix general protection fault during probe Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 27/72] parisc: Disable HP HSC-PCI Cards to prevent kernel crash Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 28/72] Btrfs: fix use-after-free when using the tree modification log Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 29/72] btrfs: Relinquish CPUs in btrfs_compare_trees Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 30/72] KVM: mmio: cleanup kvm_set_mmio_spte_mask Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 31/72] KVM: x86: Manually calculate reserved bits when loading PDPTRS Ben Hutchings
2019-12-09 15:49 ` Sean Christopherson
2019-12-10 16:16 ` Ben Hutchings
2019-12-10 16:27 ` Sean Christopherson
2019-12-08 13:53 ` [PATCH 3.16 32/72] cfg80211: Purge frame registrations on iftype change Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 33/72] configfs: fix a deadlock in configfs_symlink() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 34/72] powerpc/pseries: correctly track irq state in default idle Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 35/72] hypfs: Fix error number left in struct pointer member Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 36/72] hwrng: core - don't wait on add_early_randomness() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 37/72] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 38/72] sch_netem: fix a divide by zero in tabledist() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 39/72] net/phy: fix DP83865 10 Mbps HDX loopback disable function Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 40/72] s390/topology: avoid firing events before kobjs are created Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 41/72] s390/cio: avoid calling strlen on null pointer Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 42/72] s390/cio: exclude subchannels with no parent from pseudo check Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 43/72] thermal: Fix use-after-free when unregistering thermal zone device Ben Hutchings
2019-12-08 16:22 ` Ido Schimmel
2019-12-08 18:09 ` Ben Hutchings
2019-12-09 1:40 ` Zhang Rui
2019-12-08 13:53 ` [PATCH 3.16 44/72] CIFS: fix max ea value size Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 45/72] fuse: fix missing unlock_page in fuse_writepage() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 46/72] CIFS: Fix oplock handling for SMB 2.1+ protocols Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 47/72] i2c: riic: Clear NACK in tend isr Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 48/72] ANDROID: binder: remove waitqueue when thread exits Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 49/72] media: b2c2-flexcop-usb: add sanity checking Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 50/72] cfg80211: add and use strongly typed element iteration macros Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 51/72] nl80211: validate beacon head Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 52/72] wimax: i2400: fix memory leak Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 53/72] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 54/72] can: gs_usb: gs_can_open(): prevent memory leak Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 55/72] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 56/72] mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 57/72] crypto: user - Fix crypto_alg_match race Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 58/72] crypto: user - fix memory leak in crypto_report Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 59/72] scsi: bfa: release allocated memory in case of error Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 60/72] appletalk: Fix potential NULL pointer dereference in unregister_snap_client Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 61/72] appletalk: Set error code if register_snap_client failed Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 62/72] KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 63/72] USB: adutux: remove redundant variable minor Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 64/72] USB: adutux: fix use-after-free on disconnect Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 65/72] Input: ff-memless - kill timer in destroy() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 66/72] HID: hiddev: do cleanup in failure of opening a device Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 67/72] HID: hiddev: avoid opening a disconnected device Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 68/72] usb: iowarrior: fix deadlock on disconnect Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 69/72] USB: iowarrior: fix use-after-free " Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 70/72] HID: Fix assumption that devices have inputs Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 71/72] media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() Ben Hutchings
2019-12-08 13:53 ` [PATCH 3.16 72/72] can: peak_usb: fix slab info leak Ben Hutchings
2019-12-08 14:49 ` [PATCH 3.16 00/72] 3.16.79-rc1 review Guenter Roeck
2019-12-08 15:09 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1575813165.156682136@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=sean@mess.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).