| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240920112809.627-1-hdanton@sina.com> Date: Fri, 20 Sep 2024 19:28:09 +0800 From: Hillf Danton <hdanton@...a.com> To: syzbot <syzbot+a11c46f37ee083a73deb@...kaller.appspotmail.com> Cc: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [media?] KASAN: use-after-free Read in em28xx_close_extension (2) On Thu, 19 Sep 2024 08:00:19 -0700 > syzbot found the following issue on: > > HEAD commit: 68d4209158f4 sub: cdns3: Use predefined PCI vendor ID cons.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11166200580000 #syz test --- x/drivers/media/usb/em28xx/em28xx-core.c +++ y/drivers/media/usb/em28xx/em28xx-core.c @@ -1134,7 +1134,7 @@ void em28xx_close_extension(struct em28x ops->fini(dev); } } - list_del(&dev->devlist); + list_del_init(&dev->devlist); mutex_unlock(&em28xx_devlist_mutex); } --- x/drivers/media/usb/em28xx/em28xx-cards.c +++ y/drivers/media/usb/em28xx/em28xx-cards.c @@ -3910,6 +3910,7 @@ static int em28xx_usb_probe(struct usb_i retval = -ENOMEM; goto err; } + INIT_LIST_HEAD(&dev->devlist); /* compute alternate max packet sizes */ dev->alt_max_pkt_size_isoc = kcalloc(intf->num_altsetting, @@ -4156,6 +4157,8 @@ static int em28xx_usb_probe(struct usb_i return 0; err_free: + if (!list_empty(&dev->devlist)) + em28xx_close_extension(dev); kfree(dev->alt_max_pkt_size_isoc); kfree(dev); --
Powered by blists - more mailing lists