| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c1666572-7a9b-4f25-a61a-08c96fad7a58@arnaud-lcm.com>
Date: Tue, 29 Jul 2025 18:14:44 +0100
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: Mauro Carvalho Chehab <mchehab@...nel.org>
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+0192952caa411a3be209@...kaller.appspotmail.com,
skhan@...uxfoundation.org
Subject: Re: [PATCH 2/2] media: dvb-usbv2: ensure safe USB transfers on
disconnect in i2c_xfer
Hi Mauro, I am bumping this as you may didn't had the chance to have a look.
Cheers,
Arnaud
On 21/04/2025 17:31, Arnaud Lecomte wrote:
> Previously, there was a potential race condition where a USB transfer could
> access inconsistent data if a disconnect occurred mid-transfer.
> When this scenario happens (i.e when there is an USB disconnect during
> the transfer), we would encounter an error related to the corruption of
> st:
> [ 66.967387][T10787] slab kmalloc-8k start ffff88804f5b4000 pointer offset 80 size 8192
> [ 66.968252][T10787] list_del corruption. prev->next should be ffffc9000d18f7e0, but was ffff88804f5b4050. (prev=ffff88804f5b4050)
> [ 66.969443][T10787] ------------[ cut here ]------------
> [ 66.969973][T10787] kernel BUG at lib/list_debug.c:64!
> [ 66.970491][T10787] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> [ 66.971104][T10787] CPU: 0 UID: 0 PID: 10787 Comm: repro Not tainted 6.15.0-rc3-00004-gcd75cc176092-dirty #28 PREEMPT(full)
> [ 66.972204][T10787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 66.973236][T10787] RIP: 0010:__list_del_entry_valid_or_report+0x15c/0x190
> [ 66.973896][T10787] Code: ca da fb fc 42 80 3c 2b 00 74 08 4c 89 e7 e8 fb 29 1f fd 49 8b 14 24 48 c7 c7 a0 09 a2 8c 4c 89 fe 4c 89 e1 e8 55 43 18 fc 90 <0f> 0b 4c 89 f7 e8 9a da fb fc 42 80 3c 2b 00 74 08 4c 89 e7 e8 cb
>
> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
> ---
> drivers/media/usb/dvb-usb-v2/az6007.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
> index e8ee18010346..f6b8e29d19de 100644
> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
> @@ -752,8 +752,13 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> int length;
> u8 req, addr;
>
> - if (mutex_lock_interruptible(&st->mutex) < 0)
> + if (!usb_trylock_device(d->udev))
> + return -EBUSY;
> +
> + if (mutex_lock_interruptible(&st->mutex) < 0) {
> + usb_unlock_device(d->udev);
> return -EAGAIN;
> + }
>
> for (i = 0; i < num; i++) {
> addr = msgs[i].addr << 1;
> @@ -821,6 +826,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
> }
> err:
> mutex_unlock(&st->mutex);
> + usb_unlock_device(d->udev);
> if (ret < 0) {
> pr_info("%s ERROR: %i\n", __func__, ret);
> return ret;
>
Powered by blists - more mailing lists