lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <921523bd-da2e-4ca6-b207-59668985657b@arnaud-lcm.com>
Date: Mon, 4 Aug 2025 16:46:20 +0100
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: mchehab+huawei@...nel.org
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzbot+0192952caa411a3be209@...kaller.appspotmail.com,
 skhan@...uxfoundation.org
Subject: Re: [PATCH 2/2] media: dvb-usbv2: ensure safe USB transfers on
 disconnect in i2c_xfer

I am forwarding this as I believe this is your correct new mail address.
Please let me know if this is incorrect, apologies in advance for any 
inconvenience.
Arnaud

On 29/07/2025 18:14, Arnaud Lecomte wrote:
> Hi Mauro, I am bumping this as you may didn't had the chance to have a 
> look.
> Cheers,
> Arnaud
>
> On 21/04/2025 17:31, Arnaud Lecomte wrote:
>> Previously, there was a potential race condition where a USB transfer 
>> could
>> access inconsistent data if a disconnect occurred mid-transfer.
>> When this scenario happens (i.e when there is an USB disconnect during
>> the transfer), we would encounter an error related to the corruption of
>> st:
>> [   66.967387][T10787]  slab kmalloc-8k start ffff88804f5b4000 
>> pointer offset 80 size 8192
>> [   66.968252][T10787] list_del corruption. prev->next should be 
>> ffffc9000d18f7e0, but was ffff88804f5b4050. (prev=ffff88804f5b4050)
>> [   66.969443][T10787] ------------[ cut here ]------------
>> [   66.969973][T10787] kernel BUG at lib/list_debug.c:64!
>> [   66.970491][T10787] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>> [   66.971104][T10787] CPU: 0 UID: 0 PID: 10787 Comm: repro Not 
>> tainted 6.15.0-rc3-00004-gcd75cc176092-dirty #28 PREEMPT(full)
>> [   66.972204][T10787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + 
>> PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> [   66.973236][T10787] RIP: 
>> 0010:__list_del_entry_valid_or_report+0x15c/0x190
>> [   66.973896][T10787] Code: ca da fb fc 42 80 3c 2b 00 74 08 4c 89 
>> e7 e8 fb 29 1f fd 49 8b 14 24 48 c7 c7 a0 09 a2 8c 4c 89 fe 4c 89 e1 
>> e8 55 43 18 fc 90 <0f> 0b 4c 89 f7 e8 9a da fb fc 42 80 3c 2b 00 74 
>> 08 4c 89 e7 e8 cb
>>
>> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
>> ---
>>   drivers/media/usb/dvb-usb-v2/az6007.c | 8 +++++++-
>>   1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c 
>> b/drivers/media/usb/dvb-usb-v2/az6007.c
>> index e8ee18010346..f6b8e29d19de 100644
>> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
>> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
>> @@ -752,8 +752,13 @@ static int az6007_i2c_xfer(struct i2c_adapter 
>> *adap, struct i2c_msg msgs[],
>>       int length;
>>       u8 req, addr;
>>   -    if (mutex_lock_interruptible(&st->mutex) < 0)
>> +    if (!usb_trylock_device(d->udev))
>> +        return -EBUSY;
>> +
>> +    if (mutex_lock_interruptible(&st->mutex) < 0) {
>> +        usb_unlock_device(d->udev);
>>           return -EAGAIN;
>> +    }
>>         for (i = 0; i < num; i++) {
>>           addr = msgs[i].addr << 1;
>> @@ -821,6 +826,7 @@ static int az6007_i2c_xfer(struct i2c_adapter 
>> *adap, struct i2c_msg msgs[],
>>       }
>>   err:
>>       mutex_unlock(&st->mutex);
>> +    usb_unlock_device(d->udev);
>>       if (ret < 0) {
>>           pr_info("%s ERROR: %i\n", __func__, ret);
>>           return ret;
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ