linux/drivers/media/radio
Shigeru Yoshida 7d21e0b1b4 media: si470x: Fix use-after-free in si470x_int_in_callback()
syzbot reported use-after-free in si470x_int_in_callback() [1].  This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.

The cause of this issue is that si470x_int_in_callback() is called for
a freed urb.

si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start().  If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill the urb, but just frees the struct
si470x_device object, as depicted below:

si470x_usb_driver_probe()
  ...
  si470x_start_usb()
    ...
    usb_submit_urb()
    retval = si470x_start()
    return retval
  if (retval < 0)
    free struct si470x_device object, but don't kill urb

This patch fixes this issue by killing the urb when si470x_start_usb()
fails and the urb is submitted.  If si470x_start_usb() fails and the urb is
not submitted, i.e. submitting usb fails, it just frees the struct
si470x_device object.

Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2022-12-07 17:58:47 +01:00
si470x media: si470x: Fix use-after-free in si470x_int_in_callback() 2022-12-07 17:58:47 +01:00
si4713 media fixes for v6.1-rc2 2022-10-22 15:30:15 -07:00
wl128x media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
dsbr100.c
Kconfig media: make RADIO_ADAPTERS tristate 2022-05-13 11:02:19 +02:00
lm7000.h
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
radio-aimslab.c
radio-aztech.c
radio-cadet.c
radio-gemtek.c media: don't do a 31 bit shift on a signed int 2019-08-26 14:11:10 -03:00
radio-isa.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
radio-isa.h isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
radio-keene.c
radio-ma901.c
radio-maxiradio.c media: v4l: ioctl: Set bus_info in v4l_querycap() 2022-04-24 08:07:08 +01:00
radio-miropcm20.c
radio-mr800.c
radio-raremono.c
radio-rtrack2.c
radio-sf16fmi.c media: media/radio: make array probe_ports static const 2022-01-23 21:18:43 +01:00
radio-sf16fmr2.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
radio-shark2.c
radio-shark.c
radio-si476x.c media: radio-si476x: Remove the unneeded result variable 2022-09-24 08:52:21 +02:00
radio-tea5764.c media: radio/radio-tea5764: Convert to i2c's .probe_new() 2022-11-21 11:04:41 +01:00
radio-tea5777.c
radio-tea5777.h
radio-terratec.c radio-terratec: Remove variable p 2022-10-24 19:03:54 +02:00
radio-timb.c
radio-trust.c media: remove include stdarg.h from some drivers 2019-08-26 14:01:44 -03:00
radio-typhoon.c
radio-wl1273.c media: radio-wl1273: Avoid card name truncation 2021-09-30 10:07:59 +02:00
radio-zoltrix.c
saa7706h.c media: radio/saa7706h: Convert to i2c's .probe_new() 2022-11-21 11:04:42 +01:00
tea575x.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tef6862.c media: radio/tef6862: Convert to i2c's .probe_new() 2022-11-21 11:04:42 +01:00