Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

From: Gustavo A. R. Silva
Date: Wed Nov 08 2017 - 11:22:08 EST

Quoting Andrey Konovalov <andreyknvl@xxxxxxxxxx>:

On Wed, Nov 8, 2017 at 5:03 PM, Gustavo A. R. Silva
<garsilva@xxxxxxxxxxxxxx> wrote:

Quoting Andrey Konovalov <andreyknvl@xxxxxxxxxx>:

On Tue, Nov 7, 2017 at 10:18 PM, Gustavo A. R. Silva
<garsilva@xxxxxxxxxxxxxx> wrote:

Hi Andrey,

Could you please try this patch?

Thank you

Gustavo A. R. Silva


Hi Gustavo,

Still see the crash with your patch.

Thanks!


Thank you, Andrey. I will look into this further.

Since I'm able to reproduce this, I can apply a patch with debug
printk's or something similar and run the reproducer. Send me a patch
if you think it might help.


Awesome.

I'm pretty sure this bug is related to other issues like this one: https://groups.google.com/forum/#!topic/syzkaller/FnJq_QkwCLQ

em28xx is an old driver and it might require some refactoring in order to fix such issues.

I appreciate your help.

Thank you
--
Gustavo A. R. Silva

---
drivers/media/usb/em28xx/em28xx-dvb.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c
b/drivers/media/usb/em28xx/em28xx-dvb.c
index 4a7db62..fc3fb92 100644
--- a/drivers/media/usb/em28xx/em28xx-dvb.c
+++ b/drivers/media/usb/em28xx/em28xx-dvb.c
@@ -2073,6 +2073,9 @@ static int em28xx_dvb_fini(struct em28xx *dev)
struct em28xx_dvb *dvb;
struct i2c_client *client;

+ if (!dev)
+ return 0;
+
if (dev->is_audio_only) {
/* Shouldn't initialize IR for this interface */
return 0;
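Review bot: the `if (!dev) return 0;` guard at the top of em28xx_dvb_fini does not address the use-after-free named in the subject, because a pointer to freed memory is not NULL; the check passes and the very next line, `if (dev->is_audio_only)`, still dereferences the stale pointer. Andrey's reply above that the crash persists with this patch applied is consistent with that. The fix has to ensure em28xx_dvb_fini is not reached with a `dev` that has already been freed, i.e. the teardown ordering between the code that frees `dev` and this call, rather than a NULL test. If there is a real caller that can pass a NULL `dev` here, the check should say so in a comment naming that path; otherwise it only masks a different bug.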
--
2.7.4