| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <2b7b169ee0fb43b4447c8960cdfabcfe118d2a8b.1506536596.git.arvind.yadav.cs@gmail.com>
Date: Thu, 28 Sep 2017 00:02:42 +0530
From: Arvind Yadav <arvind.yadav.cs@...il.com>
To: andreyknvl@...gle.com, mchehab@...nel.org, kcc@...gle.com,
dvyukov@...gle.com, mchehab@...pensource.com,
javier@....samsung.com, sakari.ailus@...ux.intel.com,
laurent.pinchart@...asonboard.com
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: [RFT v2] [media] siano: FIX use-after-free in worker_thread
Call flush_work() on failure and disconnect. Work initialize and schedule
in smsusb_onresponse(). it should be freed in smsusb_stop_streaming().
Signed-off-by: Arvind Yadav <arvind.yadav.cs@...il.com>
---
This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
worker_thread".
changes in v2 :
call flush_work() in smsusb_stop_streaming().
drivers/media/usb/siano/smsusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 8c1f926..8142ba4 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -192,6 +192,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
for (i = 0; i < MAX_URBS; i++) {
usb_kill_urb(&dev->surbs[i].urb);
+ flush_work(&dev->surbs[i].wq);
+
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
dev->surbs[i].cb = NULL;
--
2.7.4
Powered by blists - more mailing lists