initializing a worker.
>> hdpvr_register_videodev() is called by hdpvr_probe last.
>> So no need to flush any work here.
>> Unregister v4l2, free buffers and memory if hdpvr_probe() fails.
>>
>> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
>> Reported-by: Andrey K
On Thu, Nov 23, 2017 at 8:25 AM, Matthias Schwarzott <z...@gentoo.org> wrote:
> Am 21.11.2017 um 14:51 schrieb Andrey Konovalov:
>> Hi!
>>
> Hi Andrey,
>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e1d1e
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1).
em28xx 1-1:9.0: Disconnecting
tc90522 1-0015: Toshiba TC90522 attached.
qm1d1c0042 2-0061: Sharp QM1D1C0042 attached.
dvbdev: DVB: registering new adapter
On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva
<garsi...@embeddedor.com> wrote:
>
> Quoting Andrey Konovalov <andreyk...@google.com>:
>
>> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
>> <garsi...@embeddedor.com> wrote:
>>>
>&g
On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you
Hi Gustavo,
With your patch I get a different crash. Not sure if it's another bug
or the same one manifesting differently.
au0828:
40ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======
> ---
> This bug report by Andrey Konovalov "net/media/em28xx: use-after-free in
> v4l2_fh_init"
>
> drivers/media/usb/em28xx/em28xx-video.c |
RA) {
I see what you're trying to do though and I'd say a better patch would
be to reset the UVC_TERM_INPUT flag or fail when this flag is set. But
it's up to maintainers.
Thanks!
>
>
> On Monday, November 6, 2017 at 8:27:23 AM UTC-5, Andrey Konovalov wrote:
>>
>> Hi!
>>
On Tue, Nov 7, 2017 at 11:31 AM, Mauro Carvalho Chehab
<mche...@s-opensource.com> wrote:
> Em Mon, 23 Oct 2017 20:58:09 +0200
> Matthias Schwarzott <z...@gentoo.org> escreveu:
>
>> Am 23.10.2017 um 16:41 schrieb Andrey Konovalov:
>> > Hi!
>> >
>
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type ==
UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) ==
UVC_ITT_CAMERA) passes, so
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
usb 1-1: USB disconnect, device number 11
tm6000: disconnecting tm6000 #0
xc2028 0-0061: destroying instance
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that there's no check of the received buffer length in
technisat_usb2_get_ir().
==
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
The report is a little confusing, as the top stack frame is not
actually present. As far as my debugging showed, the NULL pointer
that's being executed
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
em28xx 1-1:0.0: analog set to bulk mode.
em28xx 1-1:0.0: Registering V4L2 extension
usb 1-1: USB disconnect, device number 39
em28xx 1-1:0.0: Disconnecting
On Fri, Nov 3, 2017 at 3:44 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
>
> em28xx 1-1:2.0: New device a @ 480 M
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
em28xx 1-1:2.0: New device a @ 480 Mbps (eb1a:2801, interface 0, class 0)
em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:2.0: chip ID is
24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210
---[ end trace b75b357739e7e116 ]---
Signed-off-by: Andr
On Thu, Nov 2, 2017 at 2:52 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> As syzkaller detected, pvrusb2 driver submits bulk urb without checking
> that the endpoint type is actually bulk. Add a check.
>
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> -
ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
---[ end trace 6919030503719da6 ]---
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
drive
utdated tree, which doesn't contain the commit that seems
to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e).
Thanks!
>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
> ---
> This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free
> in _
On Mon, Oct 23, 2017 at 8:58 PM, Matthias Schwarzott <z...@gentoo.org> wrote:
> Am 23.10.2017 um 16:41 schrieb Andrey Konovalov:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
usb 1-1: New USB device found, idVendor=2040, idProduct=c602
usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
usb 1-1: Product: a
usb 1-1:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)'
in warm state.
dvb-usb: bulk message failed: -22 (2/1102416563)
dvb-usb: will use the
On Mon, Oct 9, 2017 at 8:14 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> It seems that the return value of usb_ifnum_to_if() can be NULL and
> needs to be checked.
Hi Arvind,
Your patch fixes the issue.
Thanks!
Tested-by: Andrey Konovalov <andreyk...@google.com&g
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that the return value of usb_ifnum_to_if() can be NULL and
needs to be checked.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that imon_ir_raw doesn't have the .key_table initializer,
which causes out-of-bounds access when iterating over the key table.
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).
uvcvideo: Found UVC 0.00 device a (2833:0201)
uvcvideo 1-1:3.92: Entity type for entity Output 2 was not initialized!
[ cut here ]
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).
usb 1-1: config 48 interface 0 altsetting 0 endpoint 0x4 has invalid
maxpacket 1956, setting to 64
usb 1-1: New USB device found, idVendor=0573,
On Wed, Sep 27, 2017 at 8:38 PM, arvind <arvind.yadav...@gmail.com> wrote:
>
>
> On Wednesday 27 September 2017 05:47 PM, Andrey Konovalov wrote:
>
> On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com>
> wrote:
>
> On Wed, Se
6b86b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==
Thanks!
> ---
> This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
> worker_thread".
> changes in v2 :
> call f
On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav
> <arvind.yadav...@gmail.com> wrote:
>> If CONFIG_MEDIA_CONTROLLER_DVB is enabled, we are not releasing
>> media device and memory on any
b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
88006a2b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======
> ---
> This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
>
d by NULL-ptr deref or user memory access
> general protection fault: [#1] PREEMPT SMP KASAN
>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Malcolm Priestley <tvbox...@gmail.com>
Tested-by: Andrey Konovalov <andreyk...@googl
On Tue, Sep 26, 2017 at 2:50 PM, Laurent Pinchart
<laurent.pinch...@ideasonboard.com> wrote:
> Hi Andrey,
>
> On Tuesday, 26 September 2017 15:41:45 EEST Andrey Konovalov wrote:
>> On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart wrote:
>> > On Monday, 25 Septe
On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart
<laurent.pinch...@ideasonboard.com> wrote:
> Hi Andrey,
>
> On Monday, 25 September 2017 15:40:13 EEST Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkal
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
It seems that there's no check on the actual number of endpoints.
usb 1-1: New USB device strings: Mfr=212, Product=0, SerialNumber=6
usb 1-1: Manufacturer:
On Mon, Sep 25, 2017 at 3:30 PM, Malcolm Priestley <tvbox...@gmail.com> wrote:
>
>
> On 25/09/17 13:39, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e19b205be43d11b
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
list_add double add: new=880069084010, prev=880069084010,
next=880067d22298.
[ cut here ]
WARNING: CPU: 1 PID: 1846 at
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 63 interface 0
On Fri, Sep 22, 2017 at 3:09 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> Hi Andrey,
>
>
> On Friday 22 September 2017 05:16 PM, Andrey Konovalov wrote:
>>
>> On Fri, Sep 22, 2017 at 9:41 AM, Arvind Yadav <arvind.yadav...@gmail.com>
>> wrote:
o No need to flush any work here.
> Unregister v4l2, free buffers and memory if hdpvr_probe() fails.
>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
Reported-by: Andrey Konovalov <andreyk...@google.com>
Thanks, this fixes the crash!
Tested-by:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
==
BUG: KASAN: use-after-free in v4l2_ctrl_handler_free+0x9e1/0x9f0
Read of size 8 at addr
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
dib0700: stk7070p_frontend_attach: state->dib7000p_ops.i2c_enumeration
failed. Cannot continue
[ cut here ]
kernel BUG at
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 225 has an invalid
e
dev->worker is initialized.
Could you send a fix?
I'm able to reproduce the issue, so I can test your patches if needed.
Thanks!
>
>
> On Thursday 21 September 2017 09:09 PM, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 24 Comm:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
smsusb:smsusb_probe: board id=1, interface number 0
smsusb:siano_media_device_register: media controller created
smsusb:smsusb1_detectmode: product string not
4): Add cx231xx USB driver")
> Cc: stable <sta...@vger.kernel.org> # 2.6.30
> Cc: Sri Deevi <srinivasa.de...@conexant.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Johan Hovold <jo...@kernel.org>
Tested-by: Andrey Kon
sure, exploitable bugs in
PCI-Express device drivers would be a viable attack vector for systems
with proper IOMMU support. Same goes for any other hot-pluggable
externally accessible port/protocol.
>
> -Mike
[1] https://int3.cc/products/facedancer21
[2] https://www.raspberrypi.org/pro
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
There seems to be no check on endpoint type before submitting bulk urb
in pvr2_send_request_ex().
usb 1-1: New USB device found, idVendor=2040, idProduct=7500
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
The null-ptr-deref happens on
dev->udev->ep_in[1]->desc.wMaxPacketSize. There seems to be no check
on the number of endpoints.
usb 1-1: New USB device found,
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
The null-ptr-deref happens on assoc_desc->bFirstInterface, where
assoc_desc = udev->actconfig->intf_assoc[0]. There seems to be no
check that the device