| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250824080918.5312-1-hdanton@sina.com>
Date: Sun, 24 Aug 2025 16:09:16 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+a658d41cf8564471775e@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [media?] [usb?] KASAN: slab-use-after-free Read in v4l2_release (2)
> Date: Sat, 23 Aug 2025 23:17:26 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8d245acc1e88 Merge tag 'char-misc-6.17-rc3' of git://git.k..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15f37062580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=292f3bc9f654adeb
> dashboard link: https://syzkaller.appspot.com/bug?extid=a658d41cf8564471775e
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c267bc580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a8c862580000
#syz test
--- x/drivers/media/usb/hackrf/hackrf.c
+++ y/drivers/media/usb/hackrf/hackrf.c
@@ -1345,7 +1345,7 @@ static int hackrf_probe(struct usb_inter
const struct usb_device_id *id)
{
struct hackrf_dev *dev;
- int ret;
+ int ret, registered = 0;
u8 u8tmp, buf[BUF_SIZE];
dev = kzalloc(sizeof(*dev), GFP_KERNEL);
@@ -1487,6 +1487,7 @@ static int hackrf_probe(struct usb_inter
"Failed to register as video device (%d)\n", ret);
goto err_v4l2_device_unregister;
}
+ registered++;
dev_info(dev->dev, "Registered as %s\n",
video_device_node_name(&dev->rx_vdev));
@@ -1520,7 +1521,8 @@ err_v4l2_ctrl_handler_free_tx:
err_v4l2_ctrl_handler_free_rx:
v4l2_ctrl_handler_free(&dev->rx_ctrl_handler);
err_kfree:
- kfree(dev);
+ if (!registered)
+ kfree(dev);
err:
dev_dbg(&intf->dev, "failed=%d\n", ret);
return ret;
--
Powered by blists - more mailing lists