Re: [syzbot] [media?] KASAN: use-after-free Read in em28xx_close_extension (2)

From: Hillf Danton
Date: Fri Sep 20 2024 - 07:28:48 EST


On Thu, 19 Sep 2024 08:00:19 -0700
> syzbot found the following issue on:
>
> HEAD commit: 68d4209158f4 sub: cdns3: Use predefined PCI vendor ID cons..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11166200580000

#syz test

--- x/drivers/media/usb/em28xx/em28xx-core.c
+++ y/drivers/media/usb/em28xx/em28xx-core.c
@@ -1134,7 +1134,7 @@ void em28xx_close_extension(struct em28x
ops->fini(dev);
}
}
- list_del(&dev->devlist);
+ list_del_init(&dev->devlist);
mutex_unlock(&em28xx_devlist_mutex);
}
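Review bot: list_del_init() here leaves dev->devlist re-initialised after unlinking, so a repeated call to em28xx_close_extension() would no longer trip list debugging on a poisoned entry, yet the ops->fini() loop above it would still run a second time; the change protects the list, not the extension teardown. Since the point of switching to list_del_init() is to let callers test list_empty(&dev->devlist) to learn whether the device is still registered, that contract should be stated at the call site, e.g. `/* Re-init the head so callers can use list_empty() to tell whether dev is still on em28xx_devlist */`. em28xx_close_extension() starts before this hunk, so whether it already guards against repeated calls is not visible here.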

--- x/drivers/media/usb/em28xx/em28xx-cards.c
+++ y/drivers/media/usb/em28xx/em28xx-cards.c
@@ -3910,6 +3910,7 @@ static int em28xx_usb_probe(struct usb_i
retval = -ENOMEM;
goto err;
}
+ INIT_LIST_HEAD(&dev->devlist);

/* compute alternate max packet sizes */
dev->alt_max_pkt_size_isoc = kcalloc(intf->num_altsetting,
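Review bot: INIT_LIST_HEAD(&dev->devlist) is placed after a failure check that jumps to `err`, so its position relative to the allocation of dev and to any earlier `goto err_free` is not visible here; if any failure between allocating dev and this line reaches err_free, the new list_empty() test there runs on a zeroed rather than initialised head, which list_empty() reports as non-empty, and em28xx_close_extension() would then list_del_init() through NULL pointers. Initialising the head on the line immediately after dev is allocated would make the err_free check valid on every path. A one-line comment would also help a later reader: `/* Must be initialised before any goto err_free, which tests list_empty() on it */`. em28xx_usb_probe() begins before this hunk.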
@@ -4156,6 +4157,8 @@ static int em28xx_usb_probe(struct usb_i
return 0;

err_free:
+ if (!list_empty(&dev->devlist))
+ em28xx_close_extension(dev);
kfree(dev->alt_max_pkt_size_isoc);
kfree(dev);
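Review bot: The list_empty(&dev->devlist) test on the error path runs without em28xx_devlist_mutex, while em28xx_close_extension() itself takes that mutex to unlink the entry; if whatever adds dev to the list can still be in flight when probe fails (for example from deferred work), this unlocked test can observe an empty head, skip the unlink, and the kfree(dev) below then leaves a stale entry on the list — the same use-after-free the change is meant to close. Either take the mutex around the test or ensure the add cannot race with err_free, and record which in a comment, e.g. `/* Unlink from em28xx_devlist before freeing dev so extension code cannot reach freed memory */`. em28xx_close_extension() also invokes every ops->fini(), so this path relies on extensions tolerating fini() after a partially initialised probe; worth confirming. em28xx_usb_probe() continues beyond this hunk.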

--