linux/drivers/media/usb
Sean Young 699bf94114 media: tm6000: double free if usb disconnect while streaming
The usb_bulk_urb will be kfree'd on disconnect, so ensure the pointer is set
to NULL after each free.

stop stream
urb killing
urb buffer free
tm6000: got start feed request tm6000_start_feed
tm6000: got start stream request tm6000_start_stream
tm6000: pipe reset
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: got start feed request tm6000_start_feed
tm6000: IR URB failure: status: -71, length 0
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
xhci_hcd 0000:00:14.0: ERROR unknown event type 37
tm6000:  error tm6000_urb_received
usb 1-2: USB disconnect, device number 5
tm6000: disconnecting tm6000 #0
==================================================================
BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
Read of size 8 at addr ffff888241044060 by task kworker/2:0/22

CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack+0x9a/0xf0
 print_address_description.cold+0xae/0x34f
 __kasan_report.cold+0x75/0x93
 ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
 ? dvb_fini+0x75/0x140 [tm6000_dvb]
 kasan_report+0xe/0x12
 dvb_fini+0x75/0x140 [tm6000_dvb]
 tm6000_close_extension+0x51/0x80 [tm6000]
 tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
 usb_unbind_interface+0xe4/0x390
 device_release_driver_internal+0x121/0x250
 bus_remove_device+0x197/0x260
 device_del+0x268/0x550
 ? __device_links_no_driver+0xd0/0xd0
 ? usb_remove_ep_devs+0x30/0x3b
 usb_disable_device+0x122/0x400
 usb_disconnect+0x153/0x430
 hub_event+0x800/0x1e40
 ? trace_hardirqs_on_thunk+0x1a/0x20
 ? hub_port_debounce+0x1f0/0x1f0
 ? retint_kernel+0x10/0x10
 ? lock_is_held_type+0xf1/0x130
 ? hub_port_debounce+0x1f0/0x1f0
 ? process_one_work+0x4ae/0xa00
 process_one_work+0x4ba/0xa00
 ? pwq_dec_nr_in_flight+0x160/0x160
 ? do_raw_spin_lock+0x10a/0x1d0
 worker_thread+0x7a/0x5c0
 ? process_one_work+0xa00/0xa00
 kthread+0x1d5/0x200
 ? kthread_create_worker_on_cpu+0xd0/0xd0
 ret_from_fork+0x3a/0x50

Allocated by task 2682:
 save_stack+0x1b/0x80
 __kasan_kmalloc.constprop.0+0xc2/0xd0
 usb_alloc_urb+0x28/0x60
 tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
 dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
 dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
 dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
 dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
 dvb_usercopy+0x97/0x1f0 [dvb_core]
 dvb_demux_ioctl+0x11/0x20 [dvb_core]
 do_vfs_ioctl+0x5d8/0x9d0
 ksys_ioctl+0x5e/0x90
 __x64_sys_ioctl+0x3d/0x50
 do_syscall_64+0x74/0xe0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22:
 save_stack+0x1b/0x80
 __kasan_slab_free+0x12c/0x170
 kfree+0xfd/0x3a0
 xhci_giveback_urb_in_irq+0xfe/0x230
 xhci_td_cleanup+0x276/0x340
 xhci_irq+0x1129/0x3720
 __handle_irq_event_percpu+0x6e/0x420
 handle_irq_event_percpu+0x6f/0x100
 handle_irq_event+0x55/0x84
 handle_edge_irq+0x108/0x3b0
 handle_irq+0x2e/0x40
 do_IRQ+0x83/0x1a0

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-08-14 05:07:39 -03:00
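To make the lifetime rule in the commit message concrete, here is an added example (not the tm6000 driver's own code) that models a stop path releasing the bulk URB and a later disconnect path releasing whatever is still referenced, and shows that clearing the pointer after the free is what prevents the second release. The structs and functions are hypothetical stand-ins.

```c
/* Added example, not the tm6000 driver's code: a stand-in model of the
 * lifetime bug the commit fixes; all names here are hypothetical. */
#include <stddef.h>

struct fake_urb { int freed; };                 /* 1 once released */
struct dev_state { struct fake_urb *bulk_urb; int double_frees; };

/* Stand-in for usb_free_urb(): accepts NULL like the real one, but a second
 * release of the same object is counted instead of being undefined. */
static void fake_free_urb(struct dev_state *d, struct fake_urb *u)
{
    if (!u)
        return;
    if (u->freed) {
        d->double_frees++;
        return;
    }
    u->freed = 1;
}

/* Buggy stop path: releases the URB but leaves the pointer dangling. */
static void stop_stream_buggy(struct dev_state *d)
{
    fake_free_urb(d, d->bulk_urb);
}

/* Fixed stop path: release, then clear the pointer as the commit prescribes. */
static void stop_stream_fixed(struct dev_state *d)
{
    fake_free_urb(d, d->bulk_urb);
    d->bulk_urb = NULL;
}

/* Disconnect teardown runs later and releases whatever is still referenced. */
static void disconnect(struct dev_state *d)
{
    fake_free_urb(d, d->bulk_urb);
    d->bulk_urb = NULL;
}

/* Stop streaming, then disconnect; returns how many double frees occurred. */
int run_scenario(int fixed)
{
    struct fake_urb urb = { 0 };
    struct dev_state d = { &urb, 0 };
    if (fixed) stop_stream_fixed(&d); else stop_stream_buggy(&d);
    disconnect(&d);
    return d.double_frees;
}
```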
airspy media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
as102 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 118 2019-05-24 17:39:02 +02:00
au0828 media: drivers/media: don't set pix->priv = 0 2019-07-23 08:48:33 -04:00
b2c2 treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
cpia2 media: drivers/media: don't set pix->priv = 0 2019-07-23 08:48:33 -04:00
cx231xx media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
dvb-usb media: don't drop front-end reference count for ->detach 2019-08-04 06:33:11 -03:00
dvb-usb-v2 media: dvbsky: add support for Mygica T230C v2 2019-07-22 15:33:30 -04:00
em28xx media: em28xx: modules workqueue not inited for 2nd device 2019-08-14 05:06:44 -03:00
go7007 media: usb: go7007: s2250-board: convert to i2c_new_dummy_device 2019-08-13 11:46:13 -03:00
gspca media: drivers/media: don't set pix->priv = 0 2019-07-23 08:48:33 -04:00
hackrf Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
hdpvr media: hdpvr: Add device num check and handling 2019-07-25 06:23:35 -04:00
msi2500 media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
pulse8-cec treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 55 2019-05-24 17:36:42 +02:00
pvrusb2 media: pvrusb2: use kzalloc instead of kmalloc and memset 2019-08-13 11:48:57 -03:00
pwc media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
rainshadow-cec treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 55 2019-05-24 17:36:42 +02:00
s2255 media: drivers/media: don't set pix->priv = 0 2019-07-23 08:48:33 -04:00
siano USB fixes for 5.2-rc3 2019-05-31 08:16:31 -07:00
stk1160 media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
stkwebcam media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
tm6000 media: tm6000: double free if usb disconnect while streaming 2019-08-14 05:07:39 -03:00
ttusb-budget treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ttusb-dec treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
usbtv media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
usbvision media: media/usb: don't set description in ENUM_FMT 2019-07-22 14:01:05 -04:00
uvc media: drivers/media: don't set pix->priv = 0 2019-07-23 08:48:33 -04:00
zr364xx media: media/usb: Use kmemdup rather than duplicating its implementation 2019-08-14 05:02:43 -03:00
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00