Re: [syzbot] [pvrusb2?] [usb?] KASAN: slab-use-after-free Read in pvr2_context_set_notify (3)

From: Hillf Danton
Date: Sun Apr 14 2024 - 07:10:14 EST


On Sat, 13 Apr 2024 21:26:30 -0700
> syzbot found the following issue on:
>
> HEAD commit: a788e53c05ae usb: usb-acpi: Fix oops due to freeing uninit..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120ca915180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

--- x/drivers/media/usb/pvrusb2/pvrusb2-context.c
+++ y/drivers/media/usb/pvrusb2/pvrusb2-context.c
@@ -26,6 +26,8 @@ static int pvr2_context_cleanup_flag;
static int pvr2_context_cleaned_flag;
static struct task_struct *pvr2_context_thread_ptr;

+static DEFINE_MUTEX(pvr2_disconn_mutex);
+static int pvr2_context_cleaning;

static void pvr2_context_set_notify(struct pvr2_context *mp, int fl)
{
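Review bot: The new `pvr2_context_cleaning` flag is declared with no comment saying what state it encodes or which lock protects it, alongside the other unannotated file-scope state. Kernel convention is to record the guarding lock on the declaration, e.g. `static int pvr2_context_cleaning; /* set while the context thread runs; guarded by pvr2_disconn_mutex */`. Every access to the flag in the later hunks takes `pvr2_disconn_mutex`, so the annotation matches the code as written.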
@@ -152,6 +154,9 @@ static int pvr2_context_thread_func(void

pvr2_trace(PVR2_TRACE_CTXT,"pvr2_context thread start");

+ mutex_lock(&pvr2_disconn_mutex);
+ pvr2_context_cleaning = 1;
+ mutex_unlock(&pvr2_disconn_mutex);
do {
while ((mp = pvr2_context_notify_first) != NULL) {
pvr2_context_set_notify(mp, 0);
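Review bot: `pvr2_context_cleaning = 1` is stored before the do/while loop starts and is only cleared after the loop exits on pvr2_context_shutok() in the next hunk, so the flag is raised for the whole time the worker is processing notifications, not just during final cleanup. If this is the long-running notify worker that the "pvr2_context thread start" trace and the drain of pvr2_context_notify_first suggest, every pvr2_context_disconnect() call made while the thread exists takes the early-exit path added in the third hunk and becomes a no-op. The mutex is also released before the loop body runs, so the list walk in `while ((mp = pvr2_context_notify_first) != NULL)` and the `pvr2_context_set_notify(mp, 0)` call where the reported use-after-free was observed are not serialized against the disconnect path at all. If the intent is to block disconnect only during the final drain, the `pvr2_context_cleaning = 1` store belongs after the loop, just before the cleanup that follows; otherwise the mutex needs to be held across the iteration that dereferences mp. pvr2_context_thread_func starts and ends outside this hunk.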
@@ -163,6 +168,9 @@ static int pvr2_context_thread_func(void
pvr2_context_shutok()));
} while (!pvr2_context_shutok());

+ mutex_lock(&pvr2_disconn_mutex);
+ pvr2_context_cleaning = 0;
+ mutex_unlock(&pvr2_disconn_mutex);
pvr2_context_cleaned_flag = !0;
wake_up(&pvr2_context_cleanup_data);

@@ -266,13 +274,17 @@ static void pvr2_context_exit(struct pvr

void pvr2_context_disconnect(struct pvr2_context *mp)
{
+ mutex_lock(&pvr2_disconn_mutex);
+ if (pvr2_context_cleaning)
+ goto out;
pvr2_hdw_disconnect(mp->hdw);
if (!pvr2_context_shutok())
pvr2_context_notify(mp);
mp->disconnect_flag = !0;
+out:
+ mutex_unlock(&pvr2_disconn_mutex);
}

-
void pvr2_channel_init(struct pvr2_channel *cp,struct pvr2_context *mp)
{
pvr2_context_enter(mp);
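Review bot: The early `goto out` skips both `pvr2_hdw_disconnect(mp->hdw)` and the `mp->disconnect_flag = !0` store, so a disconnect arriving while the flag is set is dropped rather than deferred: the hardware layer is never told the device is gone and anything that later tests disconnect_flag still sees the context as connected. If skipping the hardware call is intended, the state should still be recorded, e.g. move `mp->disconnect_flag = !0;` ahead of the `if (pvr2_context_cleaning)` check so it runs on both paths. The removal of the blank line before pvr2_channel_init is unrelated whitespace churn and is better left out of a test patch. pvr2_channel_init continues past the end of this hunk.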
--