mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
699bf94114151aae4dceb2d9dbf1a6312839dcae
linux/drivers
History
Sean Young 699bf94114 media: tm6000: double free if usb disconnect while streaming 
The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set
to NULL after each free.

stop stream
urb killing
urb buffer free
tm6000: got start feed request tm6000_start_feed
tm6000: got start stream request tm6000_start_stream
tm6000: pipe reset
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: IR URB failure: status: -71, length 0
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
tm6000:  error tm6000_urb_received
usb 1-2: USB disconnect, device number 5
tm6000: disconnecting tm6000 #0
==================================================================
BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
Read of size 8 at addr ffff888241044060 by task kworker/2:0/22

CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack+0x9a/0xf0
 print_address_description.cold+0xae/0x34f
 __kasan_report.cold+0x75/0x93
 ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
 ? dvb_fini+0x75/0x140 [tm6000_dvb]
 kasan_report+0xe/0x12
 dvb_fini+0x75/0x140 [tm6000_dvb]
 tm6000_close_extension+0x51/0x80 [tm6000]
 tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
 usb_unbind_interface+0xe4/0x390
 device_release_driver_internal+0x121/0x250
 bus_remove_device+0x197/0x260
 device_del+0x268/0x550
 ? __device_links_no_driver+0xd0/0xd0
 ? usb_remove_ep_devs+0x30/0x3b
 usb_disable_device+0x122/0x400
 usb_disconnect+0x153/0x430
 hub_event+0x800/0x1e40
 ? trace_hardirqs_on_thunk+0x1a/0x20
 ? hub_port_debounce+0x1f0/0x1f0
 ? retint_kernel+0x10/0x10
 ? lock_is_held_type+0xf1/0x130
 ? hub_port_debounce+0x1f0/0x1f0
 ? process_one_work+0x4ae/0xa00
 process_one_work+0x4ba/0xa00
 ? pwq_dec_nr_in_flight+0x160/0x160
 ? do_raw_spin_lock+0x10a/0x1d0
 worker_thread+0x7a/0x5c0
 ? process_one_work+0xa00/0xa00
 kthread+0x1d5/0x200
 ? kthread_create_worker_on_cpu+0xd0/0xd0
 ret_from_fork+0x3a/0x50

Allocated by task 2682:
 save_stack+0x1b/0x80
 __kasan_kmalloc.constprop.0+0xc2/0xd0
 usb_alloc_urb+0x28/0x60
 tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
 dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
 dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
 dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
 dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
 dvb_usercopy+0x97/0x1f0 [dvb_core]
 dvb_demux_ioctl+0x11/0x20 [dvb_core]
 do_vfs_ioctl+0x5d8/0x9d0
 ksys_ioctl+0x5e/0x90
 __x64_sys_ioctl+0x3d/0x50
 do_syscall_64+0x74/0xe0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22:
 save_stack+0x1b/0x80
 __kasan_slab_free+0x12c/0x170
 kfree+0xfd/0x3a0
 xhci_giveback_urb_in_irq+0xfe/0x230
 xhci_td_cleanup+0x276/0x340
 xhci_irq+0x1129/0x3720
 __handle_irq_event_percpu+0x6e/0x420
 handle_irq_event_percpu+0x6f/0x100
 handle_irq_event+0x55/0x84
 handle_edge_irq+0x108/0x3b0
 handle_irq+0x2e/0x40
 do_IRQ+0x83/0x1a0

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-08-14 05:07:39 -03:00
..
accessibility
acpi
drivers/acpi/scan.c: document why we don't need the device_hotplug_lock
2019-08-03 07:02:01 -07:00
amba
Merge tag 'driver-core-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2019-07-12 12:24:03 -07:00
android
binder: prevent transactions to context manager from its own process.
2019-07-24 11:02:28 +02:00
ata
libata: add SG safety checks in SFF pio transfers
2019-08-07 12:23:57 -06:00
atm
atm: iphase: Fix Spectre v1 vulnerability
2019-08-02 17:30:36 -07:00
auxdisplay
Merge tag 'docs-5.3' of git://git.lwn.net/linux
2019-07-09 12:34:26 -07:00
base
Merge tag 'driver-core-5.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2019-08-10 12:20:02 -07:00
bcma
block
loop: set PF_MEMALLOC_NOIO for the worker thread
2019-08-08 10:12:21 -06:00
bluetooth
Bluetooth: hci_uart: check for missing tty operations
2019-07-31 13:17:33 -07:00
bus
Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2019-07-19 17:13:56 -07:00
cdrom
char
tpm: tpm_ibm_vtpm: Fix unallocated banks
2019-08-05 00:55:00 +03:00
clk
clk: renesas: cpg-mssr: Fix reset control race condition
2019-07-22 15:04:54 -07:00
clocksource
RISC-V: Remove per cpu clocksource
2019-08-06 14:37:58 -07:00
connector
connector: remove redundant input callback from cn_dev
2019-07-21 13:31:14 -07:00
counter
Merge tag 'staging-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
2019-07-11 15:36:02 -07:00
cpufreq
cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
2019-07-23 09:49:10 +02:00
cpuidle
Merge branch 'pm-cpufreq'
2019-07-18 09:49:30 +02:00
crypto
Merge tag 'Wimplicit-fallthrough-5.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux
2019-08-10 10:10:33 -07:00
dax
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
dca
devfreq
dio
dma
Merge tag 'dmaengine-5.3-rc1' of git://git.infradead.org/users/vkoul/slave-dma
2019-07-17 09:55:43 -07:00
dma-buf
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
edac
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
2019-06-27 10:24:47 -07:00
eisa
extcon
firewire
firewire: mark expected switch fall-throughs
2019-07-25 20:09:37 -05:00
firmware
Merge branch 'for-linus-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/ibft
2019-07-26 09:43:43 -07:00
fpga
fpga-manager: altera-ps-spi: Fix build error
2019-07-24 11:29:41 +02:00
fsi
gnss
gpio
gpiolib: Preserve desc->flags when setting state
2019-07-29 00:57:39 +02:00
gpu
Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2019-08-10 15:44:09 -07:00
hid
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
2019-08-06 11:47:23 -07:00
hsi
hv
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
hwmon
hwmon: (lm75) Fixup tmp75b clr_mask
2019-08-07 14:50:49 -07:00
hwspinlock
hwspinlock: add the 'in_atomic' API
2019-06-29 21:08:14 -07:00
hwtracing
coresight: Fix DEBUG_LOCKS_WARN_ON for uninitialized attribute
2019-08-01 20:51:34 +02:00
i2c
i2c: s3c2410: Mark expected switch fall-through
2019-08-01 22:24:16 +02:00
i3c
Merge tag 'i3c/for-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux
2019-07-09 09:04:31 -07:00
ide
Merge tag 'docs-5.3' of git://git.lwn.net/linux
2019-07-09 12:34:26 -07:00
idle
iio
Merge tag 'iio-fixes-for-5.3a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
2019-07-28 11:07:26 +02:00
infiniband
RDMA/hns: Fix error return code in hns_roce_v1_rsv_lp_qp()
2019-08-01 12:53:53 -04:00
input
Merge tag 'v5.3-rc4' into patchwork
2019-08-12 13:22:54 -03:00
interconnect
iommu
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2019-07-29 11:34:12 -07:00
ipack
Merge tag 'tty-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
2019-07-11 15:38:21 -07:00
irqchip
Merge tag 'irqchip-fixes-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent
2019-08-01 20:21:00 +02:00
isdn
isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
2019-07-31 08:54:06 -07:00
leds
Merge tag 'leds-for-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
2019-07-09 08:59:39 -07:00
lightnvm
macintosh
drivers/macintosh/smu.c: Mark expected switch fall-through
2019-07-31 21:44:45 +10:00
mailbox
Merge tag 'mailbox-v5.3' of git://git.linaro.org/landing-teams/working/fujitsu/integration
2019-07-14 16:36:51 -07:00
mcb
md
Merge tag 'for-linus-20190809' of git://git.kernel.dk/linux-block
2019-08-09 09:28:18 -07:00
media
media: tm6000: double free if usb disconnect while streaming
2019-08-14 05:07:39 -03:00
memory
Merge tag 'kbuild-v5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2019-07-20 09:34:55 -07:00
memstick
Merge tag 'mmc-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
2019-07-11 18:11:21 -07:00
message
Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
2019-07-11 15:14:01 -07:00
mfd
mfd: omap-usb-host: Mark expected switch fall-throughs
2019-08-09 19:46:52 -05:00
misc
Merge tag 'char-misc-5.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
2019-08-10 12:24:20 -07:00
mmc
mmc: cavium: Add the missing dma unmap when the dma has finished.
2019-08-06 18:59:14 +02:00
mtd
Merge tag 'mtd/fixes-for-5.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
2019-08-04 16:37:08 -07:00
mux
net
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-08-06 17:11:59 -07:00
nfc
NFC: nfcmrvl: fix gpio-handling regression
2019-08-05 10:25:48 -07:00
ntb
NTB/msi: remove incorrect MODULE defines
2019-08-05 15:42:27 -04:00
nubus
nvdimm
Merge tag 'libnvdimm-fixes-5.3-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
2019-07-27 08:25:51 -07:00
nvme
Revert "nvme-pci: don't create a read hctx mapping without read queues"
2019-07-23 17:47:02 +02:00
nvmem
nvmem: Use the same permissions for eeprom as for nvmem
2019-07-30 18:22:20 +02:00
of
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
2019-07-17 11:26:09 -07:00
opp
Merge tag 'pci-v5.3-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
2019-07-15 20:44:49 -07:00
oprofile
vfs: Convert oprofilefs to use the new mount API
2019-07-04 22:01:59 -04:00
parisc
parport
Merge tag 'docs-5.3' of git://git.lwn.net/linux
2019-07-09 12:34:26 -07:00
pci
Revert "PCI: Add missing link delays required by the PCIe spec"
2019-08-07 13:06:42 +02:00
pcmcia
pcmcia: db1xxx_ss: Mark expected switch fall-throughs
2019-08-09 19:53:04 -05:00
perf
drivers/perf: arm_pmu: Fix failure path in PM notifier
2019-07-29 11:43:48 +01:00
phy
Merge tag 'phy-for-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-next
2019-07-01 15:04:59 +02:00
pinctrl
pinctrl: aspeed: Make aspeed_pinmux_ips static
2019-07-29 23:35:31 +02:00
platform
platform/x86: pcengines-apuv2: use KEY_RESTART for front button
2019-07-29 18:24:59 +03:00
pnp
docs: driver-api: add a series of orphaned documents
2019-07-15 11:03:02 -03:00
power
Merge tag 'for-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
2019-07-15 21:06:15 -07:00
powercap
powercap: Invoke powercap_init() and rapl_init() earlier
2019-07-22 11:23:00 +02:00
pps
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
2019-07-16 19:23:24 -07:00
ps3
ptp
pwm
pwm: Fallback to the static lookup-list when acpi_pwm_get fails
2019-08-08 13:17:38 +02:00
rapidio
Merge branch 'akpm' (patches from Andrew)
2019-07-17 08:58:04 -07:00
ras
regulator
regulator: of: Add of_node_put() before return in function
2019-08-01 14:07:46 +01:00
remoteproc
Merge tag 'rproc-v5.3' of git://github.com/andersson/remoteproc
2019-07-17 11:44:41 -07:00
reset
Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
2019-07-19 17:13:56 -07:00
rpmsg
rtc
Merge tag 'rtc-5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
2019-07-17 10:03:50 -07:00
s390
Merge tag 'Wimplicit-fallthrough-5.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux
2019-08-10 10:10:33 -07:00
sbus
scsi
Merge tag 'Wimplicit-fallthrough-5.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux
2019-08-10 10:10:33 -07:00
sfi
sh
siox
slimbus
sn
soc
Merge branch 'pdf_fixes_v1' of https://git.linuxtv.org/mchehab/experimental into mauro
2019-07-22 13:51:20 -06:00
soundwire
Merge tag 'soundwire-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire into char-misc-next
2019-07-05 08:15:08 +02:00
spi
Merge tag 'spi-fix-v5.3-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
2019-08-05 11:49:02 -07:00
spmi
ssb
staging
media: cedrus: Don't set chroma size for scale & rotation
2019-08-13 11:42:26 -03:00
target
scsi: target: cxgbit: add support for IEEE_8021QAZ_APP_SEL_STREAM selector
2019-07-22 17:04:20 -04:00
tc
tee
thermal
int340X/processor_thermal_device: Fix proc_thermal_rapl_remove()
2019-07-23 09:36:07 +02:00
thunderbolt
Merge tag 'driver-core-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2019-07-12 12:24:03 -07:00
tty
kgdboc: disable the console lock when in kgdb
2019-07-30 17:39:39 +02:00
uio
usb
usb: setup authorized_default attributes using usb_bus_notify
2019-08-08 16:07:34 +02:00
uwb
vfio
Merge tag 'vfio-v5.3-rc1' of git://github.com/awilliam/linux-vfio
2019-07-17 11:23:13 -07:00
vhost
vhost: disable metadata prefetch optimization
2019-07-26 07:49:29 -04:00
video
video: fbdev: omapfb_main: Mark expected switch fall-throughs
2019-08-09 19:51:52 -05:00
virt
virtio
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
visorbus
vlynq
vme
w1
docs: driver-api: add a series of orphaned documents
2019-07-15 11:03:02 -03:00
watchdog
watchdog: riowd: Mark expected switch fall-through
2019-08-09 19:51:01 -05:00
xen
Merge tag 'for-linus-5.3a-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
2019-08-02 15:26:48 -07:00
zorro
Kconfig
Makefile