Re: [media] hdpvr: Fix an error handling path in hdpvr_probe()

2017-12-14 Thread Andrey Konovalov
On Fri, Dec 15, 2017 at 12:25 AM, Guenter Roeck <li...@roeck-us.net> wrote:
> On Fri, Sep 22, 2017 at 06:37:06PM +0530, Arvind Yadav wrote:
>> Here, hdpvr_register_videodev() is responsible for setting up and
>> registering a video device. It also defines and initializes a worker.
>> hdpvr_register_videodev() is called by hdpvr_probe() last.
>> So there is no need to flush any work here.
>> Unregister v4l2 and free the buffers and memory if hdpvr_probe() fails.
>>
>> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
>> Reported-by: Andrey Konovalov <andreyk...@google.com>
>> Tested-by: Andrey Konovalov <andreyk...@google.com>
>
> It looks like this patch was never applied upstream. It fixes
> CVE-2017-16644 [1].
>
> Did it get lost, or is there some reason for not applying it ?

Hi!

I got an email that it was queued to the media tree about a week ago.
I guess that means that it's going to be applied upstream eventually.
It took quite a lot of time for some reason though.

Thanks!

>
> Thanks,
> Guenter
>
> ---
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16644
>
>> ---
>>  drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++---
>>  1 file changed, 15 insertions(+), 11 deletions(-)
>>
>> diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c 
>> b/drivers/media/usb/hdpvr/hdpvr-core.c
>> index dbe29c6..1e8cbaf 100644
>> --- a/drivers/media/usb/hdpvr/hdpvr-core.c
>> +++ b/drivers/media/usb/hdpvr/hdpvr-core.c
>> @@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
>>   /* register v4l2_device early so it can be used for printks */
>>   if (v4l2_device_register(>dev, >v4l2_dev)) {
>>   dev_err(>dev, "v4l2_device_register failed\n");
>> - goto error;
>> + goto error_free_dev;
>>   }
>>
>>   mutex_init(>io_mutex);
>> @@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
>>   dev->usbc_buf = kmalloc(64, GFP_KERNEL);
>>   if (!dev->usbc_buf) {
>>   v4l2_err(>v4l2_dev, "Out of memory\n");
>> - goto error;
>> + goto error_v4l2_unregister;
>>   }
>>
>>   init_waitqueue_head(>wait_buffer);
>> @@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
>>   }
>>   if (!dev->bulk_in_endpointAddr) {
>>   v4l2_err(>v4l2_dev, "Could not find bulk-in endpoint\n");
>> - goto error;
>> + goto error_put_usb;
>>   }
>>
>>   /* init the device */
>>   if (hdpvr_device_init(dev)) {
>>   v4l2_err(>v4l2_dev, "device init failed\n");
>> - goto error;
>> + goto error_put_usb;
>>   }
>>
>>   mutex_lock(>io_mutex);
>> @@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
>>   mutex_unlock(>io_mutex);
>>   v4l2_err(>v4l2_dev,
>>"allocating transfer buffers failed\n");
>> - goto error;
>> + goto error_put_usb;
>>   }
>>   mutex_unlock(>io_mutex);
>>
>> @@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
>>   retval = hdpvr_register_i2c_adapter(dev);
>>   if (retval < 0) {
>>   v4l2_err(>v4l2_dev, "i2c adapter register failed\n");
>> - goto error;
>> + goto error_free_buffers;
>>   }
>>
>>   client = hdpvr_register_ir_rx_i2c(dev);
>> @@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
>>  reg_fail:
>>  #if IS_ENABLED(CONFIG_I2C)
>>   i2c_del_adapter(>i2c_adapter);
>> +error_free_buffers:
>>  #endif
>> + hdpvr_free_buffers(dev);
>> +error_put_usb:
>> + usb_put_dev(dev->udev);
>> + kfree(dev->usbc_buf);
>> +error_v4l2_unregister:
>> + v4l2_device_unregister(>v4l2_dev);
>> +error_free_dev:
>> + kfree(dev);
>>  error:
>> - if (dev) {
>> - flush_work(>worker);
>> - /* this frees allocated memory */
>> - hdpvr_delete(dev);
>> - }
>>   return retval;
>>  }
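Review bot: The new `error_free_buffers:` label sits inside the `#if IS_ENABLED(CONFIG_I2C)` block, so it only exists in I2C-enabled builds; that is correct only if the single `goto error_free_buffers` in the i2c-adapter hunk (`@@ -361,7 +361,7 @@`) is under the same guard, which that hunk's context does not show — worth confirming, since otherwise a non-I2C build fails on an undefined label. A short comment above `reg_fail:` would keep the ladder readable: `/* Unwind in reverse order of acquisition; error_free_buffers exists (and is reachable) only when CONFIG_I2C is enabled. */`. The ladder also drops the old `flush_work()`/`hdpvr_delete()` call; per the description the worker is only initialised later in `hdpvr_register_videodev()`, so nothing needs flushing here, but that invariant should be stated next to `error:` so a later reordering does not reintroduce a flush on an uninitialised work item. hdpvr_probe()'s body begins outside this hunk.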
>>


Re: usb/media/em28xx: use-after-free in dvb_unregister_frontend

2017-11-23 Thread Andrey Konovalov
On Thu, Nov 23, 2017 at 8:25 AM, Matthias Schwarzott <z...@gentoo.org> wrote:
> Am 21.11.2017 um 14:51 schrieb Andrey Konovalov:
>> Hi!
>>
> Hi Andrey,
>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1).
>>
>> em28xx 1-1:9.0: Disconnecting
>> tc90522 1-0015: Toshiba TC90522 attached.
>> qm1d1c0042 2-0061: Sharp QM1D1C0042 attached.
>> dvbdev: DVB: registering new adapter (1-1:9.0)
>> em28xx 1-1:9.0: DVB: registering adapter 0 frontend 0 (Toshiba TC90522
>> ISDB-S module)...
>> dvbdev: dvb_create_media_entity: media entity 'Toshiba TC90522 ISDB-S
>> module' registered.
>> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
>> em28xx 1-1:9.0: DVB extension successfully initialized
>> em28xx 1-1:9.0: Remote control support is not available for this card.
>> em28xx 1-1:9.0: Closing DVB extension
>> ==
>> BUG: KASAN: use-after-free in dvb_unregister_frontend+0x8f/0xa0
>> Read of size 8 at addr 880067853628 by task kworker/0:3/3182
>>
>> CPU: 0 PID: 3182 Comm: kworker/0:3 Not tainted 4.14.0-57501-g9284d204d604 
>> #119
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17
>>  dump_stack+0xe1/0x157 lib/dump_stack.c:53
>>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351
>>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>>  dvb_unregister_frontend+0x8f/0xa0 drivers/media/dvb-core/dvb_frontend.c:2768
>>  em28xx_unregister_dvb drivers/media/usb/em28xx/em28xx-dvb.c:1122
>>  em28xx_dvb_fini+0x62d/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2129
>>  em28xx_close_extension+0x71/0x220 
>> drivers/media/usb/em28xx/em28xx-core.c:1122
>>  em28xx_usb_disconnect+0xd7/0x130 
>> drivers/media/usb/em28xx/em28xx-cards.c:3763
>>  usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
>>  __device_release_driver drivers/base/dd.c:870
>>  device_release_driver_internal+0x563/0x630 drivers/base/dd.c:903
>>  device_release_driver+0x1e/0x30 drivers/base/dd.c:928
>>  bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
>>  device_del+0x39f/0xa70 drivers/base/core.c:1984
>>  usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1205
>>  usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
>>  hub_port_connect drivers/usb/core/hub.c:4851
>>  hub_port_connect_change drivers/usb/core/hub.c:5106
>>  port_event drivers/usb/core/hub.c:5212
>>  hub_event_impl+0x10f0/0x3440 drivers/usb/core/hub.c:5324
>>  hub_event+0x38/0x50 drivers/usb/core/hub.c:5222
>>  process_one_work+0x944/0x15f0 kernel/workqueue.c:2112
>>  worker_thread+0xef/0x10d0 kernel/workqueue.c:2246
>>  kthread+0x367/0x420 kernel/kthread.c:238
>>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437
>>
>
> this looks similar to the oops fixed by this patch:
>
> https://patchwork.linuxtv.org/patch/45219/
>
> Could you try if it fixes your case also?

Hi Matthias!

Yes, it does fix the crash for me.

Thanks!

>
> Regards
> Matthias


usb/media/em28xx: use-after-free in dvb_unregister_frontend

2017-11-21 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1).

em28xx 1-1:9.0: Disconnecting
tc90522 1-0015: Toshiba TC90522 attached.
qm1d1c0042 2-0061: Sharp QM1D1C0042 attached.
dvbdev: DVB: registering new adapter (1-1:9.0)
em28xx 1-1:9.0: DVB: registering adapter 0 frontend 0 (Toshiba TC90522
ISDB-S module)...
dvbdev: dvb_create_media_entity: media entity 'Toshiba TC90522 ISDB-S
module' registered.
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
em28xx 1-1:9.0: DVB extension successfully initialized
em28xx 1-1:9.0: Remote control support is not available for this card.
em28xx 1-1:9.0: Closing DVB extension
==
BUG: KASAN: use-after-free in dvb_unregister_frontend+0x8f/0xa0
Read of size 8 at addr 880067853628 by task kworker/0:3/3182

CPU: 0 PID: 3182 Comm: kworker/0:3 Not tainted 4.14.0-57501-g9284d204d604 #119
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 dvb_unregister_frontend+0x8f/0xa0 drivers/media/dvb-core/dvb_frontend.c:2768
 em28xx_unregister_dvb drivers/media/usb/em28xx/em28xx-dvb.c:1122
 em28xx_dvb_fini+0x62d/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2129
 em28xx_close_extension+0x71/0x220 drivers/media/usb/em28xx/em28xx-core.c:1122
 em28xx_usb_disconnect+0xd7/0x130 drivers/media/usb/em28xx/em28xx-cards.c:3763
 usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:870
 device_release_driver_internal+0x563/0x630 drivers/base/dd.c:903
 device_release_driver+0x1e/0x30 drivers/base/dd.c:928
 bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
 device_del+0x39f/0xa70 drivers/base/core.c:1984
 usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1205
 usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
 hub_port_connect drivers/usb/core/hub.c:4851
 hub_port_connect_change drivers/usb/core/hub.c:5106
 port_event drivers/usb/core/hub.c:5212
 hub_event_impl+0x10f0/0x3440 drivers/usb/core/hub.c:5324
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5222
 process_one_work+0x944/0x15f0 kernel/workqueue.c:2112
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2246
 kthread+0x367/0x420 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437

Allocated by task 25:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11a/0x290 mm/slub.c:2752
 kmalloc ./include/linux/slab.h:499
 kzalloc ./include/linux/slab.h:688
 tc90522_probe+0x3b/0x440 drivers/media/dvb-frontends/tc90522.c:777
 i2c_device_probe+0x5bf/0x7e0 drivers/i2c/i2c-core-base.c:408
 really_probe drivers/base/dd.c:424
 driver_probe_device+0x564/0x820 drivers/base/dd.c:566
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:662
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1ab/0x2a0 drivers/base/dd.c:719
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:766
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 device_register+0x22/0x30 drivers/base/core.c:1905
 i2c_new_device+0x5dd/0xdc0 drivers/i2c/i2c-core-base.c:792
 em28xx_dvb_init.part.4+0x49f4/0x91d0 drivers/media/usb/em28xx/em28xx-dvb.c:1860
 em28xx_dvb_init+0xb8/0xe0 drivers/media/usb/em28xx/em28xx-dvb.c:2062
 em28xx_init_extension+0x11a/0x190 drivers/media/usb/em28xx/em28xx-core.c:1110
 request_module_async+0x6a/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3161
 process_one_work+0x944/0x15f0 kernel/workqueue.c:2112
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2246
 kthread+0x367/0x420 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437

Freed by task 3182:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1391
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2968
 kfree+0xf2/0x2e0 mm/slub.c:3899
 tc90522_remove+0x4b/0x60 drivers/media/dvb-frontends/tc90522.c:814
 i2c_device_remove+0xc8/0x120 drivers/i2c/i2c-core-base.c:438
 __device_release_driver drivers/base/dd.c:868
 device_release_driver_internal+0x34e/0x630 drivers/base/dd.c:903
 device_release_driver+0x1e/0x30 drivers/base/dd.c:928
 bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
 device_del+0x39f/0xa70 drivers/base/core.c:1984
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 i2c_unregister_device.part.41+0xfd/0x130 drivers/i2c/i2c-core-base.c:828
 i2c_unregister_device+0x24/0x30 drivers/i2c/i2c-core-base.c:822
 

Re: [PATCH] au0828: fix use-after-free at USB probing

2017-11-20 Thread Andrey Konovalov
On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva
<garsi...@embeddedor.com> wrote:
>
> Quoting Andrey Konovalov <andreyk...@google.com>:
>
>> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
>> <garsi...@embeddedor.com> wrote:
>>>
>>> Hi Andrey,
>>>
>>> Could you please try this patch?
>>>
>>> Thank you

Hi!

Sorry for the delay.

With this patch I still see the same report:

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
au0828: probe of 1-1:0.0 failed with error -22
usb 1-1: USB disconnect, device number 3
==
BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
Read of size 8 at addr 880062a74410 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc8-44455-ge2105594a876-dirty #111
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
 __list_del_entry ./include/linux/list.h:117
 list_del_init ./include/linux/list.h:159
 device_pm_remove+0x4a/0x1e7 drivers/base/power/main.c:149
 device_del+0x599/0xa70 drivers/base/core.c:1986
 usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
 usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
 hub_port_connect drivers/usb/core/hub.c:4838
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 process_scheduled_works kernel/workqueue.c:2173
 worker_thread+0x72e/0x10d0 kernel/workqueue.c:2249
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

The buggy address belongs to the page:
page:ea00018a9d00 count:0 mapcount:-127 mapping:  (null) index:0x0
flags: 0x100()
raw: 0100   ff80
raw: 88007fffa690 ea00018e6120 0002 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880062a74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880062a74380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>880062a74400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ^
 880062a74480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880062a74500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
=

Thanks!

>>
>>
>> Hi Gustavo,
>>
>> With your patch I get a different crash. Not sure if it's another bug
>> or the same one manifesting differently.
>>
>
> That's the same one. It seems that the best solution is to remove the kfree
> after the mutex_unlock and let the device resources be freed in
> au0828_usb_disconnect.
>
> Please try the following patch instead.
>
> I appreciate your help.
>
> Thank you, Andrey.
>
> ---
>  drivers/media/usb/au0828/au0828-core.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/drivers/media/usb/au0828/au0828-core.c
> b/drivers/media/usb/au0828/au0828-core.c
> index cd363a2..257ae0d 100644
> --- a/drivers/media/usb/au0828/au0828-core.c
> +++ b/drivers/media/usb/au0828/au0828-core.c
> @@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface
> *interface,
> pr_err("%s() au0282_dev_register failed to register on
> V4L2\n",
> __func__);
> mutex_unlock(>lock);
> -   kfree(dev);
> goto done;
> }
>
> --
> 2.7.4
>
>
>> au0828: recv_control_msg() Failed receiving control message, error -71.
>> au0828: recv_control_msg() Failed receiving control message, error -71.
>> au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
>> usb 1-1: selecting invalid altsetting 5
>> au0828: Failure setting usb interface0 to as5
>> au0828: au0828_usb_probe() au0

Re: [PATCH] au0828: fix use-after-free at USB probing

2017-11-10 Thread Andrey Konovalov
On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva
 wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you

Hi Gustavo,

With your patch I get a different crash. Not sure if it's another bug
or the same one manifesting differently.

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
au0828: probe of 1-1:0.0 failed with error -22
usb 1-1: USB disconnect, device number 2
==
BUG: KASAN: use-after-free in __list_del_entry_valid+0xda/0xf3
Read of size 8 at addr 8800641d0410 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc5-43687-g72e555fa3d2e-dirty #105
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0xc1/0x11f lib/dump_stack.c:52
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 __list_del_entry_valid+0xda/0xf3 lib/list_debug.c:54
 __list_del_entry ./include/linux/list.h:116
 list_del_init ./include/linux/list.h:158
 device_pm_remove+0x4a/0x1da drivers/base/power/main.c:149
 device_del+0x55f/0xa30 drivers/base/core.c:1986
 usb_disable_device+0x1df/0x670 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0xe09/0x2eb0 drivers/usb/core/hub.c:5195
 process_one_work+0x86d/0x13e0 kernel/workqueue.c:2119
 process_scheduled_works kernel/workqueue.c:2179
 worker_thread+0x689/0xea0 kernel/workqueue.c:2255
 kthread+0x334/0x400 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ea0001907400 count:0 mapcount:-127 mapping:  (null) index:0x0
flags: 0x100()
raw: 0100   ff80
raw: ea00018a8f20 88007fffa690 0002 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8800641d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8800641d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>8800641d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ^
 8800641d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8800641d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==

Thanks!

>
>
> The device is typically freed on failure after trying to set
> USB interface0 to as5 in function au0828_analog_register.
>
> Fix use-after-free by returning the error value immediately
> after failure, instead of jumping to au0828_usb_disconnect
> where _dev_ is also freed.
>
> Signed-off-by: Gustavo A. R. Silva 
> ---
>  drivers/media/usb/au0828/au0828-core.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/media/usb/au0828/au0828-core.c 
> b/drivers/media/usb/au0828/au0828-core.c
> index cd363a2..b4abd90 100644
> --- a/drivers/media/usb/au0828/au0828-core.c
> +++ b/drivers/media/usb/au0828/au0828-core.c
> @@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface 
> *interface,
> __func__);
> mutex_unlock(>lock);
> kfree(dev);
> -   goto done;
> +   return retval;
> }
>
> /* Digital TV */
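Review bot: Returning right after `kfree(dev)` avoids the second free in `au0828_usb_disconnect()`, but it also skips unwinding whatever `au0828_analog_register()` had already registered before `usb_set_interface()` failed (the log above shows the failure at "Failure setting usb interface0 to as5"); if any `struct device` embedded in `dev` was already added by then, it stays on core lists after `dev` is freed, and the `device_del()`-time list use-after-free reported with this patch applied is consistent with that, although the hunk does not show what is registered before the failure. The safer shape is for the failure path to tear down the analog/V4L2 registrations that succeeded and only then `kfree(dev)`, rather than choosing between a full `au0828_usb_disconnect()` and no teardown at all. A one-line comment at the `return retval;` stating what has and has not been registered at that point would make the contract explicit. au0828_usb_probe()'s body starts and ends outside this hunk.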
> @@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface 
> *interface,
>
> retval = au0828_media_device_register(dev, usbdev);
>
> -done:
> if (retval < 0)
> au0828_usb_disconnect(interface);
>
> --
> 2.7.4
>


Re: [RFT] [media] em28xx: Fix use-after-free in v4l2_fh_init

2017-11-09 Thread Andrey Konovalov
^
 88006b40ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88006b40ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======

> ---
> This bug report by Andrey Konovalov "net/media/em28xx: use-after-free in 
> v4l2_fh_init"
>
>  drivers/media/usb/em28xx/em28xx-video.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/em28xx/em28xx-video.c 
> b/drivers/media/usb/em28xx/em28xx-video.c
> index 8d253a5..f1ee53f 100644
> --- a/drivers/media/usb/em28xx/em28xx-video.c
> +++ b/drivers/media/usb/em28xx/em28xx-video.c
> @@ -2785,8 +2785,8 @@ static int em28xx_v4l2_init(struct em28xx *dev)
> v4l2_ctrl_handler_free(>ctrl_handler);
> v4l2_device_unregister(>v4l2_dev);
>  err:
> -   dev->v4l2 = NULL;
> kref_put(>ref, em28xx_free_v4l2);
> +   dev->v4l2 = NULL;
> mutex_unlock(>lock);
> return ret;
>  }
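Review bot: The swap of `dev->v4l2 = NULL` and `kref_put(…, em28xx_free_v4l2)` carries no comment, and the hunk gives no way to see why the order matters — whether `em28xx_free_v4l2()` or the readers of `dev->v4l2` that took a reference need the back-pointer to remain valid until the last reference is dropped. Please add the rationale at the assignment, e.g. `/* Clear dev->v4l2 only after the final reference may have been dropped: <name the reader or release path that depends on this> */`, so the ordering is not "tidied" back in a later cleanup. With the new order there is a window in which `dev->v4l2` still points at memory the release callback may already have freed; that is only safe if every reader of `dev->v4l2` holds `dev->lock`, which is released two lines later, and the same comment should say so. em28xx_v4l2_init()'s body begins outside this hunk.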
> --
> 1.9.1
>


Re: usb/media/uvc: slab-out-of-bounds in uvc_probe

2017-11-09 Thread Andrey Konovalov
On Thu, Nov 9, 2017 at 2:35 AM,  <ansonjacob...@gmail.com> wrote:
> Hi,
>
> Could you try this untested patch?
>
>   Anson

Hi!

This patch doesn't compile.

drivers/media/usb/uvc/uvc_driver.c: In function ‘uvc_parse_standard_control’:
drivers/media/usb/uvc/uvcvideo.h:29:43: error: invalid type argument
of ‘->’ (have ‘int’)
 #define UVC_ENTITY_TYPE(entity)  ((entity)->type & 0x7fff)
   ^~
drivers/media/usb/uvc/uvc_driver.c:1074:7: note: in expansion of macro
‘UVC_ENTITY_TYPE’
   if (UVC_ENTITY_TYPE(type) == UVC_ITT_CAMERA) {

I see what you're trying to do though and I'd say a better patch would
be to reset the UVC_TERM_INPUT flag or fail when this flag is set. But
it's up to maintainers.

Thanks!

>
>
> On Monday, November 6, 2017 at 8:27:23 AM UTC-5, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
>>
>> It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type ==
>> UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) ==
>> UVC_ITT_CAMERA) passes, so len ends up being 8 instead of 15.
>>
>> ==
>> BUG: KASAN: slab-out-of-bounds in uvc_probe+0x6469/0x6dd0
>> Read of size 2 at addr 88006975864e by task kworker/1:1/33
>>
>> CPU: 1 PID: 33 Comm: kworker/1:1 Not tainted
>> 4.14.0-rc8-44453-g1fdc1a82c34f #56
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>> 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17
>>  dump_stack+0xe1/0x157 lib/dump_stack.c:53
>>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351
>>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>>  __asan_report_load2_noabort+0x19/0x20 mm/kasan/report.c:428
>>  __le16_to_cpup ./include/uapi/linux/byteorder/little_endian.h:66
>>  get_unaligned_le16 ./include/linux/unaligned/access_ok.h:10
>>  uvc_parse_standard_control drivers/media/usb/uvc/uvc_driver.c:1104
>>  uvc_parse_control drivers/media/usb/uvc/uvc_driver.c:1281
>>  uvc_probe+0x6469/0x6dd0 drivers/media/usb/uvc/uvc_driver.c:2064
>>  usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
>>  really_probe drivers/base/dd.c:413
>>  driver_probe_device+0x522/0x740 drivers/base/dd.c:557
>>  __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
>>  bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
>>  __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
>>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>  bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
>>  device_add+0xc27/0x15a0 drivers/base/core.c:1835
>>  usb_set_configuration+0xd4f/0x17a0 drivers/usb/core/message.c:1932
>>  generic_probe+0xbb/0x120 drivers/usb/core/generic.c:174
>>  usb_probe_device+0xab/0x100 drivers/usb/core/driver.c:266
>>  really_probe drivers/base/dd.c:413
>>  driver_probe_device+0x522/0x740 drivers/base/dd.c:557
>>  __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
>>  bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
>>  __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
>>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>  bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
>>  device_add+0xc27/0x15a0 drivers/base/core.c:1835
>>  usb_new_device+0x7fa/0x1090 drivers/usb/core/hub.c:2538
>>  hub_port_connect drivers/usb/core/hub.c:4987
>>  hub_port_connect_change drivers/usb/core/hub.c:5093
>>  port_event drivers/usb/core/hub.c:5199
>>  hub_event_impl+0x17b8/0x3440 drivers/usb/core/hub.c:5311
>>  hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
>>  process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
>>  worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
>>  kthread+0x346/0x410 kernel/kthread.c:231
>>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432
>>
>> Allocated by task 33:
>>  save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459
>>  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
>>  __kmalloc+0x1bc/0x300 mm/slub.c:3783
>>  kmalloc ./include/linux/slab.h:499
>>  usb_get_configuration+0x299/0x4e60 drivers/usb/core/config.c:856
>>  usb_enumerate_device drivers/usb/core/hub.c:2371
>>  usb_new_device+0xab1/0x1090 drivers/usb/core/hub.c:2507
>>  hub_port_connect drivers/usb/core/hub.c:4987
>>  hub_port_connect_change drivers/usb/core/hub.c:5093
>>

Re: usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-11-07 Thread Andrey Konovalov
On Tue, Nov 7, 2017 at 11:31 AM, Mauro Carvalho Chehab
<mche...@s-opensource.com> wrote:
> Em Mon, 23 Oct 2017 20:58:09 +0200
> Matthias Schwarzott <z...@gentoo.org> escreveu:
>
>> Am 23.10.2017 um 16:41 schrieb Andrey Konovalov:
>> > Hi!
>> >
>> > I've got the following report while fuzzing the kernel with syzkaller.
>> >
>> > On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>> >
>> > dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)'
>> > in warm state.
>> > dvb-usb: bulk message failed: -22 (2/1102416563)
>> > dvb-usb: will use the device's hardware PID filter (table count: 15).
>> > dvbdev: DVB: registering new adapter (WideView WT-220U PenType
>> > Receiver (based on ZL353))
>> > usb 1-1: media controller created
>> > dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
>> > usb 1-1: DVB: registering adapter 0 frontend 0 (WideView USB DVB-T)...
>> > dvbdev: dvb_create_media_entity: media entity 'WideView USB DVB-T' 
>> > registered.
>> > Registered IR keymap rc-dtt200u
>> > rc rc1: IR-receiver inside an USB DVB receiver as
>> > /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1
>> > input: IR-receiver inside an USB DVB receiver as
>> > /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1/input9
>> > dvb-usb: schedule remote query interval to 300 msecs.
>> > dvb-usb: WideView WT-220U PenType Receiver (based on ZL353)
>> > successfully initialized and connected.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > dvb-usb: bulk message failed: -22 (1/1807119384)
>> > dvb-usb: error -22 while querying for an remote control event.
>> > usb 1-1: USB disconnect, device number 2
>> > ==
>> > BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
>> > Write of size 8 at addr 880067d45a00 by task kworker/0:1/24
>> >
>> > CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 
>> > 4.14.0-rc5-43687-g06ab8a23e0e6 #545
>> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 
>> > 01/01/2011
>> > Workqueue: usb_hub_wq hub_event
>> > Call Trace:
>> >  __dump_stack lib/dump_stack.c:16
>> >  dump_stack+0x292/0x395 lib/dump_stack.c:52
>> >  print_address_description+0x78/0x280 mm/kasan/report.c:252
>> >  kasan_report_error mm/kasan/report.c:351
>> >  kasan_report+0x23d/0x350 mm/kasan/report.c:409
>> >  __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
>> >  __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
>> >  dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
>> >  dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
>> >  dvb_usb_adapter_frontend_exit+0xd6/0x160
>> > drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
>> >  dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
>> >  dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
>> >  dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
>> >  usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
>> >  __device_release_driver drivers/base/dd.c:861
>> >  device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
>> >  device_release_driver+0x1e/0x30 drivers/base/dd.c:918
>> >  bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
>> >  device_del+0x5c4/0xab0 drivers/base/core.c:1985
>> >  usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
>> >  usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
>> >  hub_port_connect drivers/usb/core/hub.c:4754
>> >  hub_port_connect_change drivers/usb/core/hub.c:5009
>> >  port_event drivers/usb/core/hub.c:5115
>> >  hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
>> >  process_one_work+0xc73/0x1d90 kernel/workqueue.c:21

usb/media/uvc: slab-out-of-bounds in uvc_probe

2017-11-06 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).

It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type ==
UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) ==
UVC_ITT_CAMERA) passes, so len ends up being 8 instead of 15.

==
BUG: KASAN: slab-out-of-bounds in uvc_probe+0x6469/0x6dd0
Read of size 2 at addr 88006975864e by task kworker/1:1/33

CPU: 1 PID: 33 Comm: kworker/1:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load2_noabort+0x19/0x20 mm/kasan/report.c:428
 __le16_to_cpup ./include/uapi/linux/byteorder/little_endian.h:66
 get_unaligned_le16 ./include/linux/unaligned/access_ok.h:10
 uvc_parse_standard_control drivers/media/usb/uvc/uvc_driver.c:1104
 uvc_parse_control drivers/media/usb/uvc/uvc_driver.c:1281
 uvc_probe+0x6469/0x6dd0 drivers/media/usb/uvc/uvc_driver.c:2064
 usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_set_configuration+0xd4f/0x17a0 drivers/usb/core/message.c:1932
 generic_probe+0xbb/0x120 drivers/usb/core/generic.c:174
 usb_probe_device+0xab/0x100 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_new_device+0x7fa/0x1090 drivers/usb/core/hub.c:2538
 hub_port_connect drivers/usb/core/hub.c:4987
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x17b8/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Allocated by task 33:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 __kmalloc+0x1bc/0x300 mm/slub.c:3783
 kmalloc ./include/linux/slab.h:499
 usb_get_configuration+0x299/0x4e60 drivers/usb/core/config.c:856
 usb_enumerate_device drivers/usb/core/hub.c:2371
 usb_new_device+0xab1/0x1090 drivers/usb/core/hub.c:2507
 hub_port_connect drivers/usb/core/hub.c:4987
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x17b8/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Freed by task 1:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1391
 slab_free_freelist_hook mm/slub.c:1413
 slab_free mm/slub.c:2989
 kfree+0xf2/0x2e0 mm/slub.c:3920
 kobject_uevent_env+0x249/0xd40 lib/kobject_uevent.c:533
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:550
 tty_register_device_attr+0x505/0x650 drivers/tty/tty_io.c:2976
 tty_register_device drivers/tty/tty_io.c:2889
 tty_register_driver+0x3ed/0x770 drivers/tty/tty_io.c:3160
 vty_init+0x337/0x374 drivers/tty/vt/vt.c:3100
 tty_init+0x192/0x197 drivers/tty/tty_io.c:3318
 chr_dev_init+0x14b/0x15d drivers/char/mem.c:921
 do_one_initcall+0x6d/0x177 init/main.c:826
 do_initcall_level init/main.c:892
 do_initcalls init/main.c:900
 do_basic_setup init/main.c:918
 kernel_init_freeable+0x3b5/0x49e init/main.c:1066
 kernel_init+0x16/0x1b7 init/main.c:993
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

The buggy address belongs to the object at 880069758630
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 30 bytes inside 

usb/media/tm6000: use-after-free in tm6000_read_write_usb

2017-11-06 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).

usb 1-1: USB disconnect, device number 11
tm6000: disconnecting tm6000 #0
xc2028 0-0061: destroying instance
==
BUG: KASAN: use-after-free in tm6000_read_write_usb+0x3cd/0x3f0
Read of size 4 at addr 8800697c4c80 by task v4l_id/5544

CPU: 1 PID: 5544 Comm: v4l_id Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x19/0x20 mm/kasan/report.c:429
 tm6000_read_write_usb+0x3cd/0x3f0 drivers/media/usb/tm6000/tm6000-core.c:48
 tm6000_set_reg+0x3d/0x50 drivers/media/usb/tm6000/tm6000-core.c:113
 tm6000_set_standard+0x7f1/0x13dc drivers/media/usb/tm6000/tm6000-stds.c:574
 tm6000_init_analog_mode+0x232/0x990 drivers/media/usb/tm6000/tm6000-core.c:340
 __tm6000_open drivers/media/usb/tm6000/tm6000-video.c:1373
 tm6000_open+0x409/0x830 drivers/media/usb/tm6000/tm6000-video.c:1406
 v4l2_open+0x1b7/0x380 drivers/media/v4l2-core/v4l2-dev.c:425
 chrdev_open+0x1db/0x520 fs/char_dev.c:417
 do_dentry_open+0x735/0xe20 fs/open.c:752
 vfs_open+0x13e/0x230 fs/open.c:866
 do_last fs/namei.c:3388
 path_openat+0x722/0x2860 fs/namei.c:3528
 do_filp_open+0x13f/0x1d0 fs/namei.c:3563
 do_sys_open+0x362/0x4c0 fs/open.c:1059
 SYSC_open fs/open.c:1077
 SyS_open+0x32/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x23/0xc2 arch/x86/entry/entry_64.S:203
RIP: 0033:0x7f10089a9120
RSP: 002b:7ffd20f92098 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 0046 RCX: 7f10089a9120
RDX: 7f1008c5e138 RSI:  RDI: 7ffd20f93f27
RBP:  R08:  R09: 
R10:  R11: 0246 R12: 00400884
R13: 7ffd20f921f0 R14:  R15: 

Allocated by task 2263:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11a/0x290 mm/slub.c:2773
 kmalloc ./include/linux/slab.h:494
 kzalloc ./include/linux/slab.h:667
 usb_alloc_dev+0x3a/0xd86 drivers/usb/core/usb.c:561
 hub_port_connect drivers/usb/core/hub.c:4893
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x124b/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Freed by task 2263:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1391
 slab_free_freelist_hook mm/slub.c:1413
 slab_free mm/slub.c:2989
 kfree+0xf2/0x2e0 mm/slub.c:3920
 usb_release_dev+0xe3/0x110 drivers/usb/core/usb.c:424
 device_release+0xfc/0x1b0 drivers/base/core.c:812
 kobject_cleanup lib/kobject.c:648
 kobject_release lib/kobject.c:677
 kref_put ./include/linux/kref.h:70
 kobject_put+0x18f/0x240 lib/kobject.c:694
 put_device+0x25/0x30 drivers/base/core.c:1931
 usb_disconnect+0x5de/0x7f0 drivers/usb/core/hub.c:2248
 hub_port_connect drivers/usb/core/hub.c:4838
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

The buggy address belongs to the object at 8800697c4c80
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [8800697c4c80, 8800697c5480)
The buggy address belongs to the page:
page:ea0001a5f000 count:1 mapcount:0 mapping:  (null)
index:0x0 compound_mapcount: 0
flags: 0x1008100(slab|head)
raw: 01008100   0001000f000f
raw: dead0100 dead0200 88006c402d80 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8800697c4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 8800697c4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8800697c4c80: fb fb fb fb fb fb fb fb fb fb fb fb 

usb/media/technisat: slab-out-of-bounds in technisat_usb2_rc_query

2017-11-06 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).

It seems that there's no check of the received buffer length in
technisat_usb2_get_ir().

==
BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5a2/0x5c0
Read of size 1 at addr 880064457230 by task kworker/1:2/2650

CPU: 1 PID: 2650 Comm: kworker/1:2 Not tainted
4.14.0-rc8-44453-g1fdc1a82c34f #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: events dvb_usb_read_remote_control
Call Trace:
 __dump_stack lib/dump_stack.c:17
 dump_stack+0xe1/0x157 lib/dump_stack.c:53
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
 technisat_usb2_get_ir drivers/media/usb/dvb-usb/technisat-usb2.c:663
 technisat_usb2_rc_query+0x5a2/0x5c0
drivers/media/usb/dvb-usb/technisat-usb2.c:678
 dvb_usb_read_remote_control+0xb6/0x150
drivers/media/usb/dvb-usb/dvb-usb-remote.c:261
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Allocated by task 40:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 __kmalloc+0x1bc/0x300 mm/slub.c:3783
 kmalloc ./include/linux/slab.h:499
 kzalloc ./include/linux/slab.h:667
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:152
 dvb_usb_device_init.cold.7+0x2d7/0x1029
drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 technisat_usb2_probe+0x36/0x270 drivers/media/usb/dvb-usb/technisat-usb2.c:762
 usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_set_configuration+0xd4f/0x17a0 drivers/usb/core/message.c:1932
 generic_probe+0xbb/0x120 drivers/usb/core/generic.c:174
 usb_probe_device+0xab/0x100 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_new_device+0x7fa/0x1090 drivers/usb/core/hub.c:2538
 hub_port_connect drivers/usb/core/hub.c:4987
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x17b8/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432

Freed by task 5251:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1391
 slab_free_freelist_hook mm/slub.c:1413
 slab_free mm/slub.c:2989
 kfree+0xf2/0x2e0 mm/slub.c:3920
 seq_release fs/seq_file.c:366
 single_release+0x85/0xb0 fs/seq_file.c:602
 close_pdeo.part.1+0xe6/0x2e0 fs/proc/inode.c:165
 close_pdeo+0xd9/0x100 fs/proc/inode.c:173
 proc_reg_release+0x130/0x170 fs/proc/inode.c:376
 __fput+0x2b6/0x730 fs/file_table.c:210
 fput+0x1a/0x20 fs/file_table.c:244
 task_work_run+0x13d/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume ./include/linux/tracehook.h:191
 exit_to_usermode_loop+0xb9/0x190 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197
 syscall_return_slowpath+0x21a/0x260 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xc0/0xc2 arch/x86/entry/entry_64.S:239

The buggy address belongs to the object at 880064457140
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 240 bytes inside of
 256-byte region [880064457140, 880064457240)
The buggy address belongs to the page:
page:ea00019115c0 count:1 mapcount:0 mapping:  (null) index:0x0
flags: 0x1000100(slab)
raw: 01000100   0001000c000c
raw: ea000187d640 00060006 88006c403200 
page 

usb/media/dw2102: null-ptr-deref in dvb_usb_adapter_frontend_init/tt_s2_4600_frontend_attach

2017-11-03 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

The report is a little confusing, because the top stack frame is not
actually present (RIP is NULL). As far as my debugging showed, the NULL
function pointer being called corresponds to
m88ds3103_pdata.get_dvb_frontend in tt_s2_4600_frontend_attach().

dw2102: su3000_identify_state
dvb-usb: found a 'TeVii S482 (tuner 1)' in warm state.
dw2102: su3000_power_ctrl: 1, initialized 0
dvb-usb: bulk message failed: -22 (2/-30720)
dvb-usb: will pass the complete MPEG2 transport stream to the software demuxer.
dvbdev: DVB: registering new adapter (TeVii S482 (tuner 1))
usb 1-1: media controller created
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: bulk message failed: -22 (6/-30720)
dw2102: i2c transfer failed.
dvb-usb: MAC address: 02:02:02:02:02:02
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
dvb-usb: bulk message failed: -22 (3/-30720)
dw2102: command 0x0e transfer failed.
dvb-usb: bulk message failed: -22 (3/-1)
dw2102: command 0x0e transfer failed.
dvb-usb: bulk message failed: -22 (3/-30720)
dw2102: command 0x0e transfer failed.
dvb-usb: bulk message failed: -22 (3/-1)
dw2102: command 0x0e transfer failed.
dvb-usb: bulk message failed: -22 (1/-1)
dw2102: command 0x51 transfer failed.
dvb-usb: bulk message failed: -22 (5/-30720)
dw2102: i2c transfer failed.
BUG: unable to handle kernel NULL pointer dereference at   (null)
IP:   (null)
PGD 6a9fb067 P4D 6a9fb067 PUD 684a4067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 40 Comm: kworker/1:1 Not tainted 4.14.0-rc7-44290-gf28444df2601 #50
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006bfe9700 task.stack: 88006b89
RIP: 0010:  (null)
RSP: 0018:88006b8973d0 EFLAGS: 00010293
RAX: 88006bfe9700 RBX: 880069f77780 RCX: 840c0153
RDX:  RSI: 840c0161 RDI: 880060bc1980
RBP: 88006b8974b8 R08: 88006bfe9700 R09: 0005
R10: 88006bfe9700 R11: a23aacbae336f3e6 R12: 880060bc1980
R13: 8800629e5f00 R14: ffea R15: 8800629e56d8
FS:  () GS:88006cb0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2:  CR3: 6349a000 CR4: 06e0
Call Trace:
 dvb_usb_adapter_frontend_init+0x358/0x4b0
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init.cold.7+0x971/0x1029
drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dw2102_probe+0xa67/0xc50 drivers/media/usb/dvb-usb/dw2102.c:2406
 usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_set_configuration+0xd4f/0x17a0 drivers/usb/core/message.c:1932
 generic_probe+0xbb/0x120 drivers/usb/core/generic.c:174
 usb_probe_device+0xab/0x100 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x522/0x740 drivers/base/dd.c:557
 __device_attach_driver+0x25d/0x2d0 drivers/base/dd.c:653
 bus_for_each_drv+0xff/0x160 drivers/base/bus.c:463
 __device_attach+0x1a8/0x2a0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1fc/0x2a0 drivers/base/bus.c:523
 device_add+0xc27/0x15a0 drivers/base/core.c:1835
 usb_new_device+0x7fa/0x1090 drivers/usb/core/hub.c:2538
 hub_port_connect drivers/usb/core/hub.c:4987
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x17b8/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code:  Bad RIP value.
RIP:   (null) RSP: 88006b8973d0
CR2: 
---[ end trace ab991a6d52472450 ]---


net/media/em28xx: use-after-free in v4l2_fh_init

2017-11-03 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

em28xx 1-1:0.0: analog set to bulk mode.
em28xx 1-1:0.0: Registering V4L2 extension
usb 1-1: USB disconnect, device number 39
em28xx 1-1:0.0: Disconnecting
em28xx 1-1:0.0: reading from i2c device at 0x4a failed (error=-5)
em28xx 1-1:0.0: Config register raw data: 0xffed
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: failed to create media graph
em28xx 1-1:0.0: V4L2 device video0 deregistered
em28xx 1-1:0.0: Binding DVB extension
==
BUG: KASAN: use-after-free in v4l2_fh_init+0x239/0x280
Read of size 8 at addr 88006aea0798 by task v4l_id/5819

CPU: 0 PID: 5819 Comm: v4l_id Not tainted
4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0xe1/0x157 lib/dump_stack.c:52
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 v4l2_fh_init+0x239/0x280 drivers/media/v4l2-core/v4l2-fh.c:33
 v4l2_fh_open+0x76/0xa0 drivers/media/v4l2-core/v4l2-fh.c:70
 em28xx_v4l2_open+0x252/0x6f0 drivers/media/usb/em28xx/em28xx-video.c:2060
 v4l2_open+0x1b7/0x380 drivers/media/v4l2-core/v4l2-dev.c:425
 chrdev_open+0x1db/0x520 fs/char_dev.c:416
 do_dentry_open+0x735/0xe20 fs/open.c:752
 vfs_open+0x13e/0x230 fs/open.c:866
 do_last fs/namei.c:3387
 path_openat+0x722/0x2860 fs/namei.c:3527
 do_filp_open+0x13f/0x1d0 fs/namei.c:3562
 do_sys_open+0x362/0x4c0 fs/open.c:1059
 SYSC_open fs/open.c:1077
 SyS_open+0x32/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x23/0xc2 arch/x86/entry/entry_64.S:202
RIP: 0033:0x7f51f3ecb120
RSP: 002b:7ffc0140cb68 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 0046 RCX: 7f51f3ecb120
RDX: 7f51f4180138 RSI:  RDI: 7ffc0140df1e
RBP:  R08:  R09: 
R10:  R11: 0246 R12: 00400884
R13: 7ffc0140ccc0 R14:  R15: 

Allocated by task 2263:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11a/0x290 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 em28xx_v4l2_init+0x10c/0x3660 drivers/media/usb/em28xx/em28xx-video.c:2438
 em28xx_init_extension+0x11a/0x190 drivers/media/usb/em28xx/em28xx-core.c:1110
 request_module_async+0x6a/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3161
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Freed by task 2263:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf2/0x2e0 mm/slub.c:3919
 em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2025
 kref_put ./include/linux/kref.h:70
 em28xx_v4l2_init+0x237f/0x3660 drivers/media/usb/em28xx/em28xx-video.c:2789
 em28xx_init_extension+0x11a/0x190 drivers/media/usb/em28xx/em28xx-core.c:1110
 request_module_async+0x6a/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3161
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at 88006aea
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 1944 bytes inside of
 8192-byte region [88006aea, 88006aea2000)
The buggy address belongs to the page:
page:ea0001aba800 count:1 mapcount:0 mapping:  (null)
index:0x0 compound_mapcount: 0
flags: 0x1008100(slab|head)
raw: 01008100   000180030003
raw:  00010001 88006c402a80 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88006aea0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88006aea0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>88006aea0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
 88006aea0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88006aea0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Re: usb/media/em28xx: use-after-free in em28xx_dvb_fini

2017-11-03 Thread Andrey Konovalov
On Fri, Nov 3, 2017 at 3:44 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
>
> em28xx 1-1:2.0: New device a  @ 480 Mbps (eb1a:2801, interface 0, class 0)
> em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
> em28xx 1-1:2.0: chip ID is em2860
> em28xx 1-1:2.0: Config register raw data: 0x22
> em28xx 1-1:2.0: I2S Audio (3 sample rate(s))
> em28xx 1-1:2.0: No AC97 audio processor
> em28xx 1-1:2.0: Binding audio extension
> em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2006 Markus Rechberger
> em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2007-2016 Mauro Carvalho Chehab
> em28xx 1-1:2.0: alt 0 doesn't exist on interface 7
> usb 1-1: USB disconnect, device number 2
> em28xx 1-1:2.0: Disconnecting
> em28xx 1-1:2.0: Closing audio extension
> em28xx 1-1:2.0: Freeing device
> ==
> BUG: KASAN: use-after-free in em28xx_dvb_fini+0x74b/0x8e0
> Read of size 1 at addr 880069d2c12c by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc7-44290-gf28444df2601-dirty #52
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  __dump_stack lib/dump_stack.c:16
>  dump_stack+0xe1/0x157 lib/dump_stack.c:52
>  print_address_description+0x71/0x234 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x173/0x270 mm/kasan/report.c:409
>  __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
>  em28xx_dvb_fini+0x74b/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2076
>  em28xx_close_extension+0x71/0x220 drivers/media/usb/em28xx/em28xx-core.c:1122
>  em28xx_usb_disconnect+0xd7/0x140 drivers/media/usb/em28xx/em28xx-cards.c:3763
>  usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
>  __device_release_driver drivers/base/dd.c:861
>  device_release_driver_internal+0x529/0x5f0 drivers/base/dd.c:893
>  device_release_driver+0x1e/0x30 drivers/base/dd.c:918
>  bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
>  device_del+0x591/0xa70 drivers/base/core.c:1985
>  usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
>  usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
>  hub_port_connect drivers/usb/core/hub.c:4838
>  hub_port_connect_change drivers/usb/core/hub.c:5093
>  port_event drivers/usb/core/hub.c:5199
>  hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
>  hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
>  process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
>  worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
>  kthread+0x346/0x410 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> The buggy address belongs to the page:
> page:ea0001a74b00 count:0 mapcount:-127 mapping:  (null) index:0x0
> flags: 0x100()
> raw: 0100   ff80
> raw: ea00019f0320 88007fffa690 0002 
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  880069d2c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  880069d2c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>880069d2c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>   ^
>  880069d2c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>  880069d2c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==

-linux-ker...@vger.kernel.or
+linux-ker...@vger.kernel.org


usb/media/pvrusb2: WARNING in pvr2_i2c_core_done/sysfs_remove_group

2017-11-03 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Module ID 3 (saa7115) for device OnAir Creator Hybrid USB
tuner failed to load.  Possible missing sub-device kernel module or
initialization failure within module.
cs53l32a 0-0011: chip found @ 0x22 (pvrusb2_a)
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Attached sub-driver cs53l32a
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Module ID 4 (tuner) for device OnAir Creator Hybrid USB tuner
failed to load.  Possible missing sub-device kernel module or
initialization failure within module.
pvrusb2: Device being rendered inoperable
pvrusb2: ***WARNING*** pvrusb2 driver initialization failed due to the
failure of one or more sub-device kernel modules.
pvrusb2: You need to resolve the failing condition before this driver
can function.  There should be some earlier messages giving more
information about the problem.
usb 1-1: USB disconnect, device number 11
sysfs group 'power' not found for kobject '0-0011'
[ cut here ]
WARNING: CPU: 0 PID: 2896 at fs/sysfs/group.c:237
sysfs_remove_group.cold.6+0x57/0x63
Modules linked in:
CPU: 0 PID: 2896 Comm: pvrusb2-context Not tainted
4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 88006b752e00 task.stack: 88006b6c8000
RIP: 0010:sysfs_remove_group.cold.6+0x57/0x63 fs/sysfs/group.c:235
RSP: 0018:88006b6cfc28 EFLAGS: 00010292
RAX: 0032 RBX: 85b7a480 RCX: 812495b5
RDX:  RSI: 8124d76a RDI: 0005
RBP: 88006b6cfc48 R08: 88006b752e00 R09: 
R10:  R11:  R12: 880069a3e8a0
R13: 88006b9b5530 R14: 85b7a4c8 R15: 83c90160
FS:  () GS:88006ca0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 01e8a908 CR3: 63834000 CR4: 06f0
Call Trace:
 dpm_sysfs_remove+0x5d/0x70 drivers/base/power/sysfs.c:769
 device_del+0x2b5/0xa70 drivers/base/core.c:1962
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 i2c_unregister_device+0xfd/0x130 drivers/i2c/i2c-core-base.c:815
 __unregister_client+0x83/0x90 drivers/i2c/i2c-core-base.c:1413
 device_for_each_child+0xb2/0x110 drivers/base/core.c:2120
 i2c_del_adapter+0x2be/0x550 drivers/i2c/i2c-core-base.c:1477
 pvr2_i2c_core_done+0x79/0xcb drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:671
 pvr2_hdw_destroy+0x157/0x350 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2671
 pvr2_context_destroy+0x64/0x200 drivers/media/usb/pvrusb2/pvrusb2-context.c:79
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:146
 pvr2_context_thread_func+0x420/0x670
drivers/media/usb/pvrusb2/pvrusb2-context.c:167
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 8b 65 00 48 c1 ea 03 48 c1 e0 2a 80 3c 02 00 74 08 48 89 df e8
9e 70 e1 ff 48 8b 33 4c 89 e2 48 c7 c7 68 63 11 86 e8 66 89 aa ff <0f>
ff e9 63 fc ff ff 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5
---[ end trace c49faec9cc373c2a ]---
sysfs group 'power' not found for kobject 'i2c-0'
[ cut here ]
WARNING: CPU: 0 PID: 2896 at fs/sysfs/group.c:237
sysfs_remove_group.cold.6+0x57/0x63
Modules linked in:
CPU: 0 PID: 2896 Comm: pvrusb2-context Tainted: GW
4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 88006b752e00 task.stack: 88006b6c8000
RIP: 0010:sysfs_remove_group.cold.6+0x57/0x63 fs/sysfs/group.c:235
RSP: 0018:88006b6cfcc0 EFLAGS: 00010282
RAX: 0031 RBX: 85b7a480 RCX: 812495b5
RDX:  RSI: 8124d76a RDI: 0005
RBP: 88006b6cfce0 R08: 88006b752e00 R09: 
R10:  R11:  R12: 88006998b4e0
R13: 880062ba0348 R14: 85b7a4c8 R15: 880062ba0898
FS:  () GS:88006ca0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 01e8a908 CR3: 63834000 CR4: 06f0
Call Trace:
 dpm_sysfs_remove+0x5d/0x70 drivers/base/power/sysfs.c:769
 device_del+0x2b5/0xa70 drivers/base/core.c:1962
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 i2c_del_adapter+0x3f8/0x550 drivers/i2c/i2c-core-base.c:1500
 pvr2_i2c_core_done+0x79/0xcb drivers/media/usb/pvrusb2/pvrusb2-i2c-core.c:671
 pvr2_hdw_destroy+0x157/0x350 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2671
 pvr2_context_destroy+0x64/0x200 drivers/media/usb/pvrusb2/pvrusb2-context.c:79
 pvr2_context_check 

usb/media/em28xx: use-after-free in em28xx_dvb_fini

2017-11-03 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).

em28xx 1-1:2.0: New device a  @ 480 Mbps (eb1a:2801, interface 0, class 0)
em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:2.0: chip ID is em2860
em28xx 1-1:2.0: Config register raw data: 0x22
em28xx 1-1:2.0: I2S Audio (3 sample rate(s))
em28xx 1-1:2.0: No AC97 audio processor
em28xx 1-1:2.0: Binding audio extension
em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2006 Markus Rechberger
em28xx 1-1:2.0: em28xx-audio.c: Copyright (C) 2007-2016 Mauro Carvalho Chehab
em28xx 1-1:2.0: alt 0 doesn't exist on interface 7
usb 1-1: USB disconnect, device number 2
em28xx 1-1:2.0: Disconnecting
em28xx 1-1:2.0: Closing audio extension
em28xx 1-1:2.0: Freeing device
==
BUG: KASAN: use-after-free in em28xx_dvb_fini+0x74b/0x8e0
Read of size 1 at addr 880069d2c12c by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc7-44290-gf28444df2601-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0xe1/0x157 lib/dump_stack.c:52
 print_address_description+0x71/0x234 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x173/0x270 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
 em28xx_dvb_fini+0x74b/0x8e0 drivers/media/usb/em28xx/em28xx-dvb.c:2076
 em28xx_close_extension+0x71/0x220 drivers/media/usb/em28xx/em28xx-core.c:1122
 em28xx_usb_disconnect+0xd7/0x140 drivers/media/usb/em28xx/em28xx-cards.c:3763
 usb_unbind_interface+0x1b6/0x950 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x529/0x5f0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2fc/0x4b0 drivers/base/bus.c:565
 device_del+0x591/0xa70 drivers/base/core.c:1985
 usb_disable_device+0x223/0x710 drivers/usb/core/message.c:1170
 usb_disconnect+0x285/0x7f0 drivers/usb/core/hub.c:2205
 hub_port_connect drivers/usb/core/hub.c:4838
 hub_port_connect_change drivers/usb/core/hub.c:5093
 port_event drivers/usb/core/hub.c:5199
 hub_event_impl+0x10ec/0x3440 drivers/usb/core/hub.c:5311
 hub_event+0x38/0x50 drivers/usb/core/hub.c:5209
 process_one_work+0x925/0x15d0 kernel/workqueue.c:2113
 worker_thread+0xef/0x10d0 kernel/workqueue.c:2247
 kthread+0x346/0x410 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ea0001a74b00 count:0 mapcount:-127 mapping:  (null) index:0x0
flags: 0x100()
raw: 0100   ff80
raw: ea00019f0320 88007fffa690 0002 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 880069d2c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880069d2c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>880069d2c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ^
 880069d2c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 880069d2c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==


[PATCH] media: dib0700: fix invalid dvb_detach argument

2017-11-02 Thread Andrey Konovalov
dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer
to a function. Right now a pointer to state->dib7000p_ops is passed to
dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by
syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.

[ cut here ]
kernel BUG at kernel/module.c:1081!
invalid opcode:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: GW
4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006a336300 task.stack: 88006a7c8000
RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
RSP: 0018:88006a7ce210 EFLAGS: 00010246
RAX:  RBX: 880062a8d190 RCX: 
RDX: dc20 RSI: 85876d60 RDI: 880062a8d190
RBP: 88006a7ce218 R08: 11000d4f9c12 R09: 11000d4f9ae4
R10: 11000d4f9bed R11:  R12: 880062a8d180
R13: ffed R14: 880062a8d190 R15: 88006947c000
FS:  () GS:88006c90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f6416532000 CR3: 632f5000 CR4: 06e0
Call Trace:
 stk7070p_frontend_attach+0x515/0x610
drivers/media/usb/dvb-usb/dib0700_devices.c:1013
 dvb_usb_adapter_frontend_init+0x32b/0x660
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210
---[ end trace b75b357739e7e116 ]---

Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
 drivers/media/usb/dvb-usb/dib0700_devices.c | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c 
b/drivers/media/usb/dvb-usb/dib0700_devices.c
index 6020170fe99a..92098c1b78e5 100644
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
@@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(struct dvb_usb_adapter 
*adap)
 stk7700d_dib7000p_mt2266_config)
!= 0) {
err("%s: state->dib7000p_ops.i2c_enumeration failed.  
Cannot continue\n", __func__);
-   dvb_detach(>dib7000p_ops);
+   dvb_detach(state->dib7000p_ops.set_wbd_ref);
return -ENODEV;
}
}
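Review bot: The added `dvb_detach(state->dib7000p_ops.set_wbd_ref);` works only because, as the description says, symbol_put_addr() wants a function address inside the module that dvb_attach() resolved — so any ops member dvb_attach() filled in would do, and the choice of `set_wbd_ref` reads as arbitrary to the next maintainer. A one-line comment at the detach site would carry that reasoning, e.g. `/* dvb_detach() needs a function address in the dib7000p module; any ops member set by dvb_attach() will do */`. The removed line renders here as `dvb_detach(>dib7000p_ops);`, which looks like the archive dropped `&state-` rather than the original code being that way. The same replacement is made in stk7700d_frontend_attach in the following hunk, and the 12-line diffstat suggests further sites beyond this chunk; the enclosing stk7700P2_frontend_attach begins before the hunk.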
@@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(struct dvb_usb_adapter 
*adap)
 stk7700d_dib7000p_mt2266_config)
!= 0) {
err("%s: state->dib7000p_ops.i2c_enumeration failed.  
Cannot continue\n", __func__);
-   dvb_detach(>dib7000p_ops);
+   dvb_detach(state->dib7000p_ops.set_wbd_ref);
retu

Re: [PATCH] media: pvrusb2: properly check endpoint types

2017-11-02 Thread Andrey Konovalov
On Thu, Nov 2, 2017 at 2:52 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> As syzkaller detected, the pvrusb2 driver submits a bulk URB without checking
> that the endpoint type is actually bulk. Add a check.
>
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> [ cut here ]
> WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449 
> usb_submit_urb+0xf8a/0x11d0
> Modules linked in:
> CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted
> 4.14.0-rc1-42251-gebb2c2437d80 #210
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 88006b7a18c0 task.stack: 880069978000
> RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
> RSP: 0018:88006997f990 EFLAGS: 00010286
> RAX: 0029 RBX: 880063661900 RCX: 
> RDX: 0029 RSI: 86876d60 RDI: ed000d32ff24
> RBP: 88006997fa90 R08: 11000d32fdca R09: 
> R10:  R11:  R12: 11000d32ff39
> R13: 0001 R14: 0003 R15: 880068bbed68
> FS:  () GS:88006c60() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 01032000 CR3: 6a0ff000 CR4: 06f0
> Call Trace:
>  pvr2_send_request_ex+0xa57/0x1d80 
> drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
>  pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
>  pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
>  pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
>  pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327
>  pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118
>  pvr2_context_thread_func+0x361/0x8c0 
> drivers/media/usb/pvrusb2/pvrusb2-context.c:167
>  kthread+0x3a1/0x470 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
> Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
> e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
> ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
> ---[ end trace 6919030503719da6 ]---
>
> Signed-off-by: Andrey Konovalov <andreyk...@google.com>
> ---

Note: this patch is based on a patch [1] by Takashi Iwai that adds
usb_urb_ep_type_check().

[1] https://www.spinics.net/lists/alsa-devel/msg68365.html

>  drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 12 
>  1 file changed, 12 insertions(+)
>
> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c 
> b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> index ad5b25b89699..44975061b953 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
> @@ -3642,6 +3642,12 @@ static int pvr2_send_request_ex(struct pvr2_hdw *hdw,
>   hdw);
> hdw->ctl_write_urb->actual_length = 0;
> hdw->ctl_write_pend_flag = !0;
> +   if (usb_urb_ep_type_check(hdw->ctl_write_urb)) {
> +   pvr2_trace(
> +   PVR2_TRACE_ERROR_LEGS,
> +   "Invalid write control endpoint");
> +   return -EINVAL;
> +   }
> status = usb_submit_urb(hdw->ctl_write_urb,GFP_KERNEL);
> if (status < 0) {
> pvr2_trace(PVR2_TRACE_ERROR_LEGS,
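Review bot: The added `return -EINVAL;` comes after `hdw->ctl_write_pend_flag = !0;` (two lines above the new block), so on a bad endpoint the function exits with the write-pending flag left set and without going through whatever the existing `status < 0` branch below does for a failed submit (that branch trails off outside the hunk, and the enclosing pvr2_send_request_ex starts before it). The endpoint check depends on neither `actual_length` nor the flag, so the simplest fix is to move the new `if (usb_urb_ep_type_check(hdw->ctl_write_urb))` block above the `hdw->ctl_write_urb->actual_length = 0;` line, before any per-request state is touched; alternatively assign `status = -EINVAL;` and take the same exit the submit-failure branch uses. The read-side hunk that follows (`@@ -3666,6 +3672,12 @@`) has the same shape, and both hunks reappear verbatim in the original posting of this patch further down the page.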
> @@ -3666,6 +3672,12 @@ status);
>   hdw);
> hdw->ctl_read_urb->actual_length = 0;
> hdw->ctl_read_pend_flag = !0;
> +   if (usb_urb_ep_type_check(hdw->ctl_read_urb)) {
> +   pvr2_trace(
> +   PVR2_TRACE_ERROR_LEGS,
> +   "Invalid read control endpoint");
> +   return -EINVAL;
> +   }
> status = usb_submit_urb(hdw->ctl_read_urb,GFP_KERNEL);
> if (status < 0) {
> pvr2_trace(PVR2_TRACE_ERROR_LEGS,
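Review bot: When the read-endpoint check fails at the added `return -EINVAL;`, the write URB that the preceding hunk submitted with `usb_submit_urb(hdw->ctl_write_urb, ...)` may already be in flight and is not cancelled, and `hdw->ctl_read_pend_flag` (set two lines above the new block) stays set. The existing `status < 0` branch below is presumably where a failed read submit is unwound together with an outstanding write, but its body is outside the hunk. Validating both control URBs before either is submitted — hoisting the two `usb_urb_ep_type_check()` calls ahead of the write submit — avoids having to unwind a half-issued request; at minimum this failure path should `usb_kill_urb(hdw->ctl_write_urb);` when `hdw->ctl_write_pend_flag` is set. The same applies to the duplicate hunk in the original posting below.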
> --
> 2.15.0.403.gc27cc4dac6-goog
>


[PATCH] media: pvrusb2: properly check endpoint types

2017-11-02 Thread Andrey Konovalov
As syzkaller detected, the pvrusb2 driver submits a bulk URB without checking
that the endpoint type is actually bulk. Add a check.

usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ cut here ]
WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449 
usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #210
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 88006b7a18c0 task.stack: 880069978000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:88006997f990 EFLAGS: 00010286
RAX: 0029 RBX: 880063661900 RCX: 
RDX: 0029 RSI: 86876d60 RDI: ed000d32ff24
RBP: 88006997fa90 R08: 11000d32fdca R09: 
R10:  R11:  R12: 11000d32ff39
R13: 0001 R14: 0003 R15: 880068bbed68
FS:  () GS:88006c60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 01032000 CR3: 6a0ff000 CR4: 06f0
Call Trace:
 pvr2_send_request_ex+0xa57/0x1d80 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
 pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
 pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118
 pvr2_context_thread_func+0x361/0x8c0 
drivers/media/usb/pvrusb2/pvrusb2-context.c:167
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
---[ end trace 6919030503719da6 ]---

Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c 
b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index ad5b25b89699..44975061b953 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -3642,6 +3642,12 @@ static int pvr2_send_request_ex(struct pvr2_hdw *hdw,
  hdw);
hdw->ctl_write_urb->actual_length = 0;
hdw->ctl_write_pend_flag = !0;
+   if (usb_urb_ep_type_check(hdw->ctl_write_urb)) {
+   pvr2_trace(
+   PVR2_TRACE_ERROR_LEGS,
+   "Invalid write control endpoint");
+   return -EINVAL;
+   }
status = usb_submit_urb(hdw->ctl_write_urb,GFP_KERNEL);
if (status < 0) {
pvr2_trace(PVR2_TRACE_ERROR_LEGS,
@@ -3666,6 +3672,12 @@ status);
  hdw);
hdw->ctl_read_urb->actual_length = 0;
hdw->ctl_read_pend_flag = !0;
+   if (usb_urb_ep_type_check(hdw->ctl_read_urb)) {
+   pvr2_trace(
+   PVR2_TRACE_ERROR_LEGS,
+   "Invalid read control endpoint");
+   return -EINVAL;
+   }
status = usb_submit_urb(hdw->ctl_read_urb,GFP_KERNEL);
if (status < 0) {
pvr2_trace(PVR2_TRACE_ERROR_LEGS,
-- 
2.15.0.403.gc27cc4dac6-goog



Re: [RFT] media: dvb_frontend: Fix use-after-free in __dvb_frontend_free

2017-10-24 Thread Andrey Konovalov
On Tue, Oct 24, 2017 at 1:36 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> Here, dvb_free_device() frees the dvb_device, but dvb_frontend_invoke_release()
> then uses the dvb_device after it has been freed.

Hi Arvind,

Matthias already suggested a fix. Also it looks like your patch is
based on an outdated tree, which doesn't contain the commit that seems
to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e).

Thanks!

>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
> ---
> This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free
> in __dvb_frontend_free).
>
>  drivers/media/dvb-core/dvb_frontend.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/dvb-core/dvb_frontend.c 
> b/drivers/media/dvb-core/dvb_frontend.c
> index 2fcba16..7f1ef12 100644
> --- a/drivers/media/dvb-core/dvb_frontend.c
> +++ b/drivers/media/dvb-core/dvb_frontend.c
> @@ -147,10 +147,10 @@ static void dvb_frontend_free(struct kref *ref)
> container_of(ref, struct dvb_frontend, refcount);
> struct dvb_frontend_private *fepriv = fe->frontend_priv;
>
> -   dvb_free_device(fepriv->dvbdev);
> -
> dvb_frontend_invoke_release(fe, fe->ops.release);
>
> +   dvb_free_device(fepriv->dvbdev);
> +
> kfree(fepriv);
>  }
>
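Review bot: The reordering is only safe because `fepriv` was copied out of `fe->frontend_priv` before `dvb_frontend_invoke_release(fe, fe->ops.release);` runs; the KASAN report discussed in this thread shows a write through `fe` after release, so the release callback can evidently free `fe`, and nothing after that call may touch `fe` again. That invariant is not written down anywhere in the hunk, so a comment above the moved `dvb_free_device(fepriv->dvbdev);` would help: `/* fe may be gone after ops.release; only the fepriv pointer saved above is used from here on */`. The opening of dvb_frontend_free is outside the hunk.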
> --
> 1.9.1
>


Re: usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-10-24 Thread Andrey Konovalov
On Mon, Oct 23, 2017 at 8:58 PM, Matthias Schwarzott <z...@gentoo.org> wrote:
> Am 23.10.2017 um 16:41 schrieb Andrey Konovalov:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
>>
>> dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)'
>> in warm state.
>> dvb-usb: bulk message failed: -22 (2/1102416563)
>> dvb-usb: will use the device's hardware PID filter (table count: 15).
>> dvbdev: DVB: registering new adapter (WideView WT-220U PenType
>> Receiver (based on ZL353))
>> usb 1-1: media controller created
>> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
>> usb 1-1: DVB: registering adapter 0 frontend 0 (WideView USB DVB-T)...
>> dvbdev: dvb_create_media_entity: media entity 'WideView USB DVB-T' 
>> registered.
>> Registered IR keymap rc-dtt200u
>> rc rc1: IR-receiver inside an USB DVB receiver as
>> /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1
>> input: IR-receiver inside an USB DVB receiver as
>> /devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1/input9
>> dvb-usb: schedule remote query interval to 300 msecs.
>> dvb-usb: WideView WT-220U PenType Receiver (based on ZL353)
>> successfully initialized and connected.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> dvb-usb: bulk message failed: -22 (1/1807119384)
>> dvb-usb: error -22 while querying for an remote control event.
>> usb 1-1: USB disconnect, device number 2
>> ==
>> BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
>> Write of size 8 at addr 880067d45a00 by task kworker/0:1/24
>>
>> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 
>> #545
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:16
>>  dump_stack+0x292/0x395 lib/dump_stack.c:52
>>  print_address_description+0x78/0x280 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351
>>  kasan_report+0x23d/0x350 mm/kasan/report.c:409
>>  __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
>>  __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
>>  dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
>>  dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
>>  dvb_usb_adapter_frontend_exit+0xd6/0x160
>> drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
>>  dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
>>  dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
>>  dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
>>  usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
>>  __device_release_driver drivers/base/dd.c:861
>>  device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
>>  device_release_driver+0x1e/0x30 drivers/base/dd.c:918
>>  bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
>>  device_del+0x5c4/0xab0 drivers/base/core.c:1985
>>  usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
>>  usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
>>  hub_port_connect drivers/usb/core/hub.c:4754
>>  hub_port_connect_change drivers/usb/core/hub.c:5009
>>  port_event drivers/usb/core/hub.c:5115
>>  hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
>>  process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
>>  worker_thread+0x221/0x1850 kernel/workqueue.c:2253
>>  kthread+0x363/0x440 kernel/kthread.c:231
>>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>>
> It looks like this is caused by commit
> ead666000a5fe34bdc82d61838e4df2d416ea15e ("media: dvb_frontend: only use
> kref after initialized").
>
> The writing to "fe->frontend_priv" in dvb_frontend.c:156 is a
> use-after-free in case the object dvb_frontend *fe is alr

usb/media/au0828: use-after-free in au0828_rc_unregister

2017-10-23 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).

au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au8522_writereg: writereg error (reg == 0x106, val == 0x0001, ret == -5)
usb 1-1: selecting invalid altsetting 5
au0828: Failure setting usb interface0 to as5
au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
==
BUG: KASAN: use-after-free in au0828_rc_unregister+0xaa/0xc0
Read of size 8 at addr 8800626e2b90 by task kworker/1:1/1491

CPU: 1 PID: 1491 Comm: kworker/1:1 Not tainted
4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 au0828_rc_unregister+0xaa/0xc0 drivers/media/usb/au0828/au0828-input.c:367
 au0828_usb_disconnect+0x63/0x130 drivers/media/usb/au0828/au0828-core.c:189
 au0828_usb_probe+0xb3e/0xf20 drivers/media/usb/au0828/au0828-core.c:660
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the page:
page:ea000189b880 count:0 mapcount:0 mapping:  (null) index:0x0
flags: 0x100()
raw: 0100   
raw:  dead0200 88006c00d980 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8800626e2a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8800626e2b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>8800626e2b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ^
 8800626e2c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8800626e2c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==


usb/media/mxl111sf: trying to register non-static key in mxl111sf_ctrl_msg

2017-10-23 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).

usb 1-1: New USB device found, idVendor=2040, idProduct=c602
usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
usb 1-1: Product: a
usb 1-1: dvb_usb_v2: found a 'HCW 126xxx' in warm state
usb 1-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to
the software demuxer
dvbdev: DVB: registering new adapter (HCW 126xxx)
usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
usb 1-1: selecting invalid altsetting 1
set interface failed
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
 __lock_acquire+0x244/0x3610 kernel/locking/lockdep.c:3377
 lock_acquire+0x259/0x620 kernel/locking/lockdep.c:3994
 __mutex_lock_common kernel/locking/mutex.c:756
 __mutex_lock+0x18e/0x1a60 kernel/locking/mutex.c:893
 mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:908
 mxl111sf_ctrl_msg+0x93/0x1f0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:69
 mxl111sf_write_reg+0xc9/0x170 drivers/media/usb/dvb-usb-v2/mxl111sf.c:126
 mxl1x1sf_soft_reset+0x69/0x1a0 drivers/media/usb/dvb-usb-v2/mxl111sf-phy.c:56
 mxl111sf_lg2160_frontend_attach+0x27b/0x9e0
drivers/media/usb/dvb-usb-v2/mxl111sf.c:521
 mxl111sf_frontend_attach_mh+0x1c/0x20
drivers/media/usb/dvb-usb-v2/mxl111sf.c:977
 dvb_usbv2_adapter_frontend_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:655
 dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:818
 dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:881
 dvb_usbv2_probe+0x143d/0x32f0 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:992
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
usb 1-1: dvb_usb_v2: usb_bulk_msg() failed=-22
error writing reg: 0xff, val: 0x00
dvb_usb_mxl111sf: probe of 1-1:1.0 failed with error -22


usb/media/dtt200u: use-after-free in __dvb_frontend_free

2017-10-23 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).

dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)'
in warm state.
dvb-usb: bulk message failed: -22 (2/1102416563)
dvb-usb: will use the device's hardware PID filter (table count: 15).
dvbdev: DVB: registering new adapter (WideView WT-220U PenType
Receiver (based on ZL353))
usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
usb 1-1: DVB: registering adapter 0 frontend 0 (WideView USB DVB-T)...
dvbdev: dvb_create_media_entity: media entity 'WideView USB DVB-T' registered.
Registered IR keymap rc-dtt200u
rc rc1: IR-receiver inside an USB DVB receiver as
/devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1
input: IR-receiver inside an USB DVB receiver as
/devices/platform/dummy_hcd.0/usb1/1-1/rc/rc1/input9
dvb-usb: schedule remote query interval to 300 msecs.
dvb-usb: WideView WT-220U PenType Receiver (based on ZL353)
successfully initialized and connected.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
dvb-usb: bulk message failed: -22 (1/1807119384)
dvb-usb: error -22 while querying for an remote control event.
usb 1-1: USB disconnect, device number 2
==
BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
Write of size 8 at addr 880067d45a00 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
 __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
 dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
 dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
 dvb_usb_adapter_frontend_exit+0xd6/0x160
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
 dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
 dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
 dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212
 dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136
 dvb_usb_adapter_frontend_init+0x32b/0x660
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 

Re: [PATCH] media: imon: Fix null-ptr-deref in imon_probe

2017-10-10 Thread Andrey Konovalov
On Mon, Oct 9, 2017 at 8:14 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> It seems that the return value of usb_ifnum_to_if() can be NULL and
> needs to be checked.

Hi Arvind,

Your patch fixes the issue.

Thanks!

Tested-by: Andrey Konovalov <andreyk...@google.com>

>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
> ---
> This addresses the bug report by Andrey Konovalov (usb/media/imon: null-ptr-deref
> in imon_probe).
>
>  drivers/media/rc/imon.c | 5 +
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
> index 7b3f31c..0c46155 100644
> --- a/drivers/media/rc/imon.c
> +++ b/drivers/media/rc/imon.c
> @@ -2517,6 +2517,11 @@ static int imon_probe(struct usb_interface *interface,
> mutex_lock(_lock);
>
> first_if = usb_ifnum_to_if(usbdev, 0);
> +   if (!first_if) {
> +   ret = -ENODEV;
> +   goto fail;
> +   }
> +
> first_if_ctx = usb_get_intfdata(first_if);
>
> if (ifnum == 0) {
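Review bot: The new NULL check is right but silent about why interface 0 can be missing: usb_ifnum_to_if() looks the number up in the device's active configuration, which comes from device-supplied descriptors, so a malformed descriptor set simply has no interface 0 — the case the syzkaller report in this thread hit. A comment on the check would make that explicit, e.g. `/* interface 0 need not exist in the active config (descriptors are device-supplied) */`. The `goto fail` target is outside the hunk; since the mutex taken three lines above (`mutex_lock(_lock)` as rendered here, with the `&` and part of the name apparently lost by the archive) is held at that point, `fail` must release it, which the existing error paths in imon_probe presumably already rely on. imon_probe begins before the hunk.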
> --
> 2.7.4
>


usb/media/imon: null-ptr-deref in imon_probe

2017-10-09 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).

It seems that the return value of usb_ifnum_to_if() can be NULL and
needs to be checked.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 1497 Comm: kworker/1:1 Not tainted
4.14.0-rc4-43418-g43a3f84d2109-dirty #380
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006a5618c0 task.stack: 880068bc8000
RIP: 0010:imon_probe+0x231/0x3f10 drivers/media/rc/imon.c:2519
RSP: 0018:880068bce2d8 EFLAGS: 00010206
RAX:  RBX: 8800627dd500 RCX: 0027
RDX: dc00 RSI:  RDI: 0138
RBP: 880068bce5e8 R08: 88006a5618c0 R09: 84b380fc
R10: 880068bce2c8 R11: 11000d4ac5b3 R12: 88006183
R13: 880061830008 R14: 883fa200 R15: 883fa080
FS:  () GS:88006c50() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 206cbffc CR3: 61085000 CR4: 06e0
Call Trace:
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: ff e8 a4 81 cb 01 31 f6 48 89 df e8 2a cc 65 ff 0f ae f0 48 8d
b8 38 01 00 00 48 ba 00 00 00 00 00 fc ff df 48 89 f9 48 c1 e9 03 <80>
3c 11 00 0f 85 e8 31 00 00 48 8b 98 38 01 00 00 0f ae f0 44
RIP: imon_probe+0x231/0x3f10 RSP: 880068bce2d8
---[ end trace 07febd2eebe02f84 ]---


usb/media/imon: global-out-of-bounds in imon_probe/imon_init_intf0

2017-10-09 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).

It seems that imon_ir_raw doesn't have the .key_table initializer,
which causes out-of-bounds access when iterating over the key table.

==
BUG: KASAN: global-out-of-bounds in imon_probe+0x3ade/0x3f00
Read of size 8 at addr 871c5468 by task kworker/1:1/1494

CPU: 1 PID: 1494 Comm: kworker/1:1 Not tainted
4.14.0-rc4-43418-g43a3f84d2109-dirty #391
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x1d9/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 imon_init_intf0 drivers/media/rc/imon.c:2142
 imon_probe+0x3ade/0x3f00 drivers/media/rc/imon.c:2523
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the variable:
 imon_ir_raw+0x8/0x40

Memory state around the buggy address:
 871c5300: fa fa fa fa 00 03 fa fa fa fa fa fa 00 fa fa fa
 871c5380: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 06 fa
>871c5400: fa fa fa fa 00 04 fa fa fa fa fa fa 00 fa fa fa
  ^
 871c5480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 871c5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==


usb/media/uvc: BUG in uvc_mc_create_links/media_create_pad_link

2017-10-02 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).

uvcvideo: Found UVC 0.00 device a (2833:0201)
uvcvideo 1-1:3.92: Entity type for entity Output 2 was not initialized!
[ cut here ]
kernel BUG at drivers/media/media-entity.c:686!
invalid opcode:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 40 Comm: kworker/1:1 Not tainted 4.14.0-rc3-42944-g2de0634c9ea5 #347
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006b8698c0 task.stack: 88006b81
RIP: 0010:media_create_pad_link+0x427/0x5b0 drivers/media/media-entity.c:686
RSP: 0018:88006b815e40 EFLAGS: 00010297
RAX: 88006b8698c0 RBX: 8800699b56f0 RCX: 
RDX:  RSI:  RDI: 88006a1676a8
RBP: 88006b815e88 R08: 0003 R09: 11000d702b6a
R10: 88006b8698c0 R11: 0005 R12: 88006a167670
R13:  R14:  R15: 0003
FS:  () GS:88006c90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20003000 CR3: 6765b000 CR4: 06e0
Call Trace:
 uvc_mc_create_links drivers/media/usb/uvc/uvc_entity.c:55
 uvc_mc_register_entities+0x3df/0x770 drivers/media/usb/uvc/uvc_entity.c:119
 uvc_register_chains drivers/media/usb/uvc/uvc_driver.c:1989
 uvc_probe+0x848f/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2108
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 66 41 83 44 24 3a 01 31 db e8 d6 73 6b fd 89 d8 48 83 c4 20 5b
41 5c 41 5d 41 5e 41 5f 5d c3 e8 c0 73 6b fd 0f 0b e8 b9 73 6b fd <0f>
0b e8 b2 73 6b fd 0f 0b e8 5b 9e 9d fd e9 35 fc ff ff e8 51
RIP: media_create_pad_link+0x427/0x5b0 RSP: 88006b815e40
---[ end trace 803624f49c213c15 ]---


usb/media/v4l2: use-after-free in video_unregister_device/device_del

2017-10-02 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).

usb 1-1: config 48 interface 0 altsetting 0 endpoint 0x4 has invalid
maxpacket 1956, setting to 64
usb 1-1: New USB device found, idVendor=0573, idProduct=4d34
usb 1-1: New USB device strings: Mfr=63, Product=4, SerialNumber=2
usb 1-1: Product: a
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #48
usbvision_probe: Hauppauge WinTV USB Pro (PAL D/K FM) found
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_audio_off: can't write reg
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_i2c_register: can't write reg
USBVision[15]: registered USBVision Video device video0 [v4l2]
USBVision[15]: registered USBVision Radio device radio0 [v4l2]
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_set_audio: can't write iopin register for audio switching
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_audio_off: can't write reg
usbvision_set_video_format: ERROR=-2. USBVISION stopped - reconnect or
reload driver.
usb 1-1: usbvision_set_dram_settings: ERROR=-2
usbvision_set_compresion_params: ERROR=-2. USBVISION stopped -
reconnect or reload driver.
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_set_input: ERROR=-2. USBVISION stopped - reconnect or reload driver.
usb 1-1: usbvision_set_output failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_write_reg: failed: error -2
usb 1-1: usbvision_read_reg: failed: error -90
usb 1-1: usbvision_init_isoc: usb_submit_urb(0) failed: error -90
usb 1-1: usbvision_init_isoc: usb_submit_urb(1) failed: error -90
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_set_audio: can't write iopin register for audio switching
usb 1-1: usbvision_write_reg: failed: error -2
usbvision_audio_off: can't write reg
usb 1-1: usbvision_write_reg: failed: error -2
gadgetfs: disconnected
usb 1-1: USB disconnect, device number 17
usb 1-1: usbvision_stop_isoc: usb_set_interface() failed: error -71
usbvision_v4l2_close: Final disconnect
==
BUG: KASAN: use-after-free in device_del+0xa1c/0xab0
Read of size 8 at addr 8800692649f8 by task kworker/1:1/1150

CPU: 1 PID: 1150 Comm: kworker/1:1 Not tainted
4.14.0-rc3-42944-g2de0634c9ea5 #347
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 device_del+0xa1c/0xab0 drivers/base/core.c:1970
 device_unregister+0x1a/0x40 drivers/base/core.c:2020
 video_unregister_device+0x80/0x90 drivers/media/v4l2-core/v4l2-dev.c:1028
 usbvision_unregister_video+0xb1/0x200
drivers/media/usb/usbvision/usbvision-video.c:1264
 usbvision_release+0x105/0x1f0
drivers/media/usb/usbvision/usbvision-video.c:1364
 usbvision_disconnect+0x15e/0x260
drivers/media/usb/usbvision/usbvision-video.c:1593
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 usbvision_alloc drivers/media/usb/usbvision/usbvision-video.c:1322
 usbvision_probe+0x72e/0x1cf0 drivers/media/usb/usbvision/usbvision-video.c:1476
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 

Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 8:38 PM, arvind <arvind.yadav...@gmail.com> wrote:
>
>
> On Wednesday 27 September 2017 05:47 PM, Andrey Konovalov wrote:
>
> On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com>
> wrote:
>
> On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav
> <arvind.yadav...@gmail.com> wrote:
>
> If CONFIG_MEDIA_CONTROLLER_DVB is enabled, we are not releasing the
> media device and its memory on any failure or on device disconnect.
>
> Adding structure media_device 'mdev' as part of 'smsusb_device_t'
> structure to make proper handle for media device.
> Now the media device and its memory are released on failure. It is allocated
> first, in siano_media_device_register(), and should be freed last,
> in smsusb_disconnect().
>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
>
> Hi Arvind,
>
> I've tried your patch and still see a crash.
>
> My guess is that the issue here is similar to the one in lan78xx:
> the surb->wq work isn't shut down properly.
>
> Hi Andrey,
>
> Yes, you are right. We have not flushed the work that is initialized in
> smsusb_onresponse(). I have sent one more patch to you. I hope this will fix
> this issue. Thanks for your suggestion. :)

Hi Arvind,

Replied in the patch thread.

Thanks!

>
> ~arvind
>
> Thanks!
>
> gadgetfs: bound to dummy_udc driver
> usb 1-1: new full-speed USB device number 2 using dummy_hcd
> gadgetfs: connected
> gadgetfs: disconnected
> gadgetfs: connected
> usb 1-1: config 189 interface 0 altsetting 0 endpoint 0x9 has an
> invalid bInterval 0, changing to 4
> usb 1-1: New USB device found, idVendor=187f, idProduct=0100
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> gadgetfs: configuration #189
> smsusb:smsusb_probe: board id=1, interface number 0
> smsusb:siano_media_device_register: media controller created
> smsusb:smsusb1_detectmode: product string not found
> smsmdtv:smscore_set_device_mode: return error code -22.
> smsmdtv:smscore_start_device: set device mode failed , rc -22
> smsusb:smsusb_init_device: smscore_start_device(...) failed
> smsusb:smsusb_onresponse: error, urb status -2, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_probe: Device initialized with return code -22
> ==
> BUG: KASAN: use-after-free in worker_thread+0x1468/0x1850
> Read of size 8 at addr 88006a2b80f0 by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc2-42660-g24b7bd59eec0-dirty #273
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:16
>  dump_stack+0x292/0x395 lib/dump_stack.c:52
>  print_address_description+0x78/0x280 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x23d/0x350 mm/kasan/report.c:409
>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>  worker_thread+0x1468/0x1850 kernel/workqueue.c:2251
>  kthread+0x3a1/0x470 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> Allocated by task 1846:
>  save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>  kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
>  kmalloc ./include/linux/slab.h:493
>  kzalloc ./include/linux/slab.h:666
>  smsusb_init_device+0xd5/0xe40 drivers/media/usb/siano/smsusb.c:418
>  smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:580
>  usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>  really_probe drivers/base/dd.c:413
>  driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>  __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>  bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>  __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>  bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>  device_add+0xd0b/0x1660 drivers/base/core.c:1835
>  usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>  generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>  usb_probe_d

Re: [RFT v2] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 smsusb_term_device+0xd2/0x130 drivers/media/usb/siano/smsusb.c:365
 smsusb_init_device+0xd03/0xd10 drivers/media/usb/siano/smsusb.c:494
 smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:573
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at 88006b86b300
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 72 bytes inside of
 4096-byte region [88006b86b300, 88006b86c300)
The buggy address belongs to the page:
page:ea0001ae1a00 count:1 mapcount:0 mapping:  (null)
index:0x0 compound_mapcount: 0
flags: 0x1008100(slab|head)
raw: 01008100   000180070007
raw: ea0001ae8c00 00030003 88006c402c00 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88006b86b200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88006b86b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88006b86b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ^
 88006b86b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88006b86b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Thanks!

> ---
> This fixes the bug reported by Andrey Konovalov as "usb/media/smsusb: use-after-free in
> worker_thread".
> Changes in v2:
>   call flush_work() in smsusb_stop_streaming().
>
>  drivers/media/usb/siano/smsusb.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/usb/siano/smsusb.c 
> b/drivers/media/usb/siano/smsusb.c
> index 8c1f926..8142ba4 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c
> @@ -192,6 +192,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t 
> *dev)
> for (i = 0; i < MAX_URBS; i++) {
> usb_kill_urb(>surbs[i].urb);
>
> +   flush_work(>surbs[i].wq);
> +
> if (dev->surbs[i].cb) {
> smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
> dev->surbs[i].cb = NULL;
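Review bot: Placing `flush_work()` after `usb_kill_urb()` lets a still-pending work item run to completion, and if that handler resubmits the URB (the repeated "error, urb status -71" completions in the log above suggest a resubmit loop) the URB can be re-armed right after it was killed, leaving the stop incomplete. Worth confirming what the work handler does and, if it resubmits, making sure nothing can schedule or run it after this point. A short comment on the new line would also record the intent: `/* the completion handler may have queued a resubmit; drain it before releasing the buffer */`. smsusb_stop_streaming begins before this hunk.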
> --
> 2.7.4
>


Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav
> <arvind.yadav...@gmail.com> wrote:
>> If CONFIG_MEDIA_CONTROLLER_DVB is enabled, we are not releasing the
>> media device and its memory on any failure or on device disconnect.
>>
>> Adding structure media_device 'mdev' as part of 'smsusb_device_t'
>> structure to make proper handle for media device.
>> Now the media device and its memory are released on failure. It is allocated
>> first, in siano_media_device_register(), and should be freed last,
>> in smsusb_disconnect().
>>
>> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
>
> Hi Arvind,
>
> I've tried your patch and still see a crash.

My guess is that the issue here is similar to the one in lan78xx:
the surb->wq work isn't shut down properly.

>
> Thanks!
>
> gadgetfs: bound to dummy_udc driver
> usb 1-1: new full-speed USB device number 2 using dummy_hcd
> gadgetfs: connected
> gadgetfs: disconnected
> gadgetfs: connected
> usb 1-1: config 189 interface 0 altsetting 0 endpoint 0x9 has an
> invalid bInterval 0, changing to 4
> usb 1-1: New USB device found, idVendor=187f, idProduct=0100
> usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> gadgetfs: configuration #189
> smsusb:smsusb_probe: board id=1, interface number 0
> smsusb:siano_media_device_register: media controller created
> smsusb:smsusb1_detectmode: product string not found
> smsmdtv:smscore_set_device_mode: return error code -22.
> smsmdtv:smscore_start_device: set device mode failed , rc -22
> smsusb:smsusb_init_device: smscore_start_device(...) failed
> smsusb:smsusb_onresponse: error, urb status -2, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
> smsusb:smsusb_probe: Device initialized with return code -22
> ==
> BUG: KASAN: use-after-free in worker_thread+0x1468/0x1850
> Read of size 8 at addr 88006a2b80f0 by task kworker/0:1/24
>
> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
> 4.14.0-rc2-42660-g24b7bd59eec0-dirty #273
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:16
>  dump_stack+0x292/0x395 lib/dump_stack.c:52
>  print_address_description+0x78/0x280 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351
>  kasan_report+0x23d/0x350 mm/kasan/report.c:409
>  __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
>  worker_thread+0x1468/0x1850 kernel/workqueue.c:2251
>  kthread+0x3a1/0x470 kernel/kthread.c:231
>  ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>
> Allocated by task 1846:
>  save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>  kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
>  kmalloc ./include/linux/slab.h:493
>  kzalloc ./include/linux/slab.h:666
>  smsusb_init_device+0xd5/0xe40 drivers/media/usb/siano/smsusb.c:418
>  smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:580
>  usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>  really_probe drivers/base/dd.c:413
>  driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>  __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>  bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>  __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>  bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>  device_add+0xd0b/0x1660 drivers/base/core.c:1835
>  usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>  generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>  usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
>  really_probe drivers/base/dd.c:413
>  driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>  __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>  bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>  __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>  bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>  device_

Re: [RFT] [media] siano: FIX use-after-free in worker_thread

2017-09-27 Thread Andrey Konovalov
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 smsusb_term_device+0x166/0x1f0 drivers/media/usb/siano/smsusb.c:373
 smsusb_init_device+0xcaa/0xe40 drivers/media/usb/siano/smsusb.c:505
 smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:580
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at 88006a2b8000
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 240 bytes inside of
 4096-byte region [88006a2b8000, 88006a2b9000)
The buggy address belongs to the page:
page:ea0001a8ae00 count:1 mapcount:0 mapping:  (null)
index:0x0 compound_mapcount: 0
flags: 0x1008100(slab|head)
raw: 01008100   000180070007
raw: dead0100 dead0200 88006c402c00 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88006a2b7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88006a2b8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>88006a2b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 88006a2b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88006a2b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======

> ---
> This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
> worker_thread".
>
>  drivers/media/usb/siano/smsusb.c | 45 
> 
>  1 file changed, 27 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/media/usb/siano/smsusb.c 
> b/drivers/media/usb/siano/smsusb.c
> index 8c1f926..66936b3 100644
> --- a/drivers/media/usb/siano/smsusb.c
> +++ b/drivers/media/usb/siano/smsusb.c
> @@ -69,6 +69,9 @@ struct smsusb_device_t {
> unsigned char in_ep;
> unsigned char out_ep;
> enum smsusb_state state;
> +#ifdef CONFIG_MEDIA_CONTROLLER_DVB
> +   struct media_device *mdev;
> +#endif
>  };
>
>  static int smsusb_submit_urb(struct smsusb_device_t *dev,
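Review bot: The new `mdev` member of `struct smsusb_device_t` carries no ownership comment, while the commit message states it is allocated in siano_media_device_register() and the second hunk releases it in smsusb_term_device(). Suggest `struct media_device *mdev; /* allocated by siano_media_device_register(), freed in smsusb_term_device() */`. The NULL test in the second hunk also relies on the device struct being zero-allocated so that a registration that never ran leaves the pointer NULL; the trace earlier in the thread shows the allocation is a kzalloc() in smsusb_init_device(), but that code is outside these hunks and worth confirming.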
> @@ -359,6 +362,13 @@ static void smsusb_term_device(struct usb_interface 
> *intf)
> if (dev->coredev)
> smscore_unregister_device(dev->coredev);
>
> +#ifdef CONFIG_MEDIA_CONTROLLER_DVB
> +   if (dev->mdev) {
> +   media_device_unregister(dev->mdev);
> +   media_device_cleanup(dev->mdev);
> +   kfree(dev->mdev);
> +   }
> +#endif
> pr_debug("device 0x%p destroyed\n", dev);
> kfree(dev);
> }
> @@ -370,27 +380,28 @@ static void *siano_media_device_register(struct 
> smsusb_device_t *dev,
> int board_id)
>  {
>  #ifdef CONFIG_MEDIA_CONTROLLER_DVB
> -   struct media_device *mdev;
> struct usb_device *udev = dev->udev;
> struct sms_board *board = sms_get_board(board_id);
> int ret;
>
> -   mdev = kzalloc(sizeof(*mdev), GFP_KERNEL);
> -   if (!mdev)
> +   dev->mdev = kzalloc(sizeof(*dev->mdev), GFP_KERNEL);

Re: [PATCH 2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner

2017-09-27 Thread Andrey Konovalov
On Tue, Sep 26, 2017 at 11:10 PM, Malcolm Priestley <tvbox...@gmail.com> wrote:
> When the tuner was split from m88rs2000, the attach function was left in the wrong
> place.
>
> Move to dm04_lme2510_tuner to trap errors on failure and removing
> a call to lme_coldreset.
>
> Prevents driver starting up without any tuner connected.
>
> Fixes to trap for ts2020 fail.
> LME2510(C): FE Found M88RS2000
> ts2020: probe of 0-0060 failed with error -11
> ...
> LME2510(C): TUN Found RS2000 tuner
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] PREEMPT SMP KASAN
>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Malcolm Priestley <tvbox...@gmail.com>

Tested-by: Andrey Konovalov <andreyk...@google.com>

These 2 patches fix the crash with the reproducer that I have.

Thanks!

> ---
>  drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++---
>  1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c 
> b/drivers/media/usb/dvb-usb-v2/lmedm04.c
> index 992f2011a6ba..be26c029546b 100644
> --- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
> +++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
> @@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(struct 
> dvb_usb_adapter *adap)
>
> if (adap->fe[0]) {
> info("FE Found M88RS2000");
> -   dvb_attach(ts2020_attach, adap->fe[0], _config,
> -   >i2c_adap);
> st->i2c_tuner_gate_w = 5;
> st->i2c_tuner_gate_r = 5;
> st->i2c_tuner_addr = 0x60;
> @@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb_usb_adapter 
> *adap)
> ret = st->tuner_config;
> break;
> case TUNER_RS2000:
> -   ret = st->tuner_config;
> +   if (dvb_attach(ts2020_attach, adap->fe[0],
> +  _config, >i2c_adap))
> +   ret = st->tuner_config;
> break;
> default:
> break;
> }
>
> -   if (ret)
> +   if (ret) {
> info("TUN Found %s tuner", tun_msg[ret]);
> -   else {
> -   info("TUN No tuner found --- resetting device");
> -   lme_coldreset(d);
> +   } else {
> +   info("TUN No tuner found");
> return -ENODEV;
> }
>
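Review bot: The `case TUNER_RS2000:` arm now reports a tuner only when `dvb_attach(ts2020_attach, …)` returns non-NULL, but the "No tuner found" branch depends on `ret` having been initialised to 0 before the switch, and that initialisation is outside the hunk; worth confirming, since a stale non-zero `ret` would log a found tuner and index `tun_msg` after a failed attach. The reason the attach lives here rather than in dm04_lme2510_frontend_attach is not recorded in the code, so a reader of frontend_attach will wonder why the RS2000 case sets the tuner gate and address fields without attaching anything; a comment above the `dvb_attach` such as `/* ts2020 is attached here, not in frontend_attach, so a failed probe fails the tuner step with -ENODEV instead of leaving fe[0] without a tuner */` would capture the intent. dm04_lme2510_tuner starts before this hunk.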
> --
> 2.14.1
>


Re: usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-26 Thread Andrey Konovalov
On Tue, Sep 26, 2017 at 2:50 PM, Laurent Pinchart
<laurent.pinch...@ideasonboard.com> wrote:
> Hi Andrey,
>
> On Tuesday, 26 September 2017 15:41:45 EEST Andrey Konovalov wrote:
>> On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart wrote:
>> > On Monday, 25 September 2017 15:40:13 EEST Andrey Konovalov wrote:
>> >> Hi!
>> >>
>> >> I've got the following report while fuzzing the kernel with syzkaller.
>> >
>> > Thank you for the report.
>> >
>> >> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>> >>
>> >> list_add double add: new=880069084010, prev=880069084010,
>> >> next=880067d22298.
>> >> [ cut here ]
>> >> WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31
>> >> __list_add_valid+0xbd/0xf0
>> >> Modules linked in:
>> >> CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
>> >> 4.14.0-rc2-42613-g1488251d1a98 #238
>> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>> >> 01/01/2011 Workqueue: usb_hub_wq hub_event
>> >> task: 88006b01ca40 task.stack: 880064358000
>> >> RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
>> >> RSP: 0018:88006435ddd0 EFLAGS: 00010286
>> >> RAX: 0058 RBX: 880067d22298 RCX: 
>> >> RDX: 0058 RSI: 85a58800 RDI: ed000c86bbac
>> >> RBP: 88006435dde8 R08: 11000c86ba52 R09: 
>> >> R10: 0002 R11:  R12: 880069084010
>> >> R13: 880067d22298 R14: 880069084010 R15: 880067d222a0
>> >> FS:  () GS:88006c90()
>> >> knlGS: CS:  0010 DS:  ES:  CR0: 80050033
>> >> CR2: 20004ff2 CR3: 6b447000 CR4: 06e0
>> >>
>> >> Call Trace:
>> >>  __list_add ./include/linux/list.h:59
>> >>  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
>> >>  uvc_scan_chain_forward.isra.8+0x373/0x416
>> >>
>> >> drivers/media/usb/uvc/uvc_driver.c:1471
>> >>
>> >>  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
>> >>  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
>> >>  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
>> >
>> > So the issue happens at probe time, before the driver registers the V4L2
>> > device nodes that allow userspace access to the device. I wonder how
>> > fuzzing caused this. Do you have a more detailed log ?
>> >
>> > Could you also tell me what webcam you're using to test this out ? The
>> > output of lsusb -v would be useful.
>>
>> Hi Laurent,
>>
>> I fuzz the USB stack externally by emulating random USB devices via
>> dummy_hcd and gadgetfs.
>
> Ah that makes more sense indeed.
>
>> lsusb -v doesn't show anything, since the USB device doesn't finish
>> initialization.
>>
>> Since I'm able to reproduce this, I can collect debug traces for you.
>
> Could you send me the descriptors that your gadget driver returns to the host
> ? If that's difficult, as an alternative, could you enable tracing in the
> uvcvideo driver (uvcvideo.trace=0x on the kernel commmand line for
> instance) and send me the kernel log ?

The log with uvcvideo.trace=0x is below.

Also attaching usbmon trace.

gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 3 has an invalid interface number: 3 but max is 0
usb 1-1: config 3 contains an unexpected descriptor of type 0x1, skipping
usb 1-1: config 3 has an invalid descriptor of length 208, skipping
remainder of the config
usb 1-1: config 3 has no interface number 0
usb 1-1: New USB device found, idVendor=07f5, idProduct=03ff
usb 1-1: New USB device strings: Mfr=83, Product=255, SerialNumber=5
usb 1-1: Product: a
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #3
uvcvideo: Probing generic UVC device 1
uvcvideo: Found UVC 0.00 device a (07f5:03ff)
uvcvideo: Scanning UVC chain: OT 0
list_add double add: new=880061ca3a90, prev=880061ca3a90,
next=88006b3f48d8.
[ cut here ]
...
---[ end trace e2bce247826f5cdb ]---
 (-> OT 0)
uvcvideo: Found a valid video chain ( -> 0).
uvcvideo 1-1:3.3: Entity type for entity a was not initialized!
uvcvideo: UVC device initialized.
gadgetfs: disconnected
usb 1-1: USB disconnect, device number

Re: usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-26 Thread Andrey Konovalov
On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart
<laurent.pinch...@ideasonboard.com> wrote:
> Hi Andrey,
>
> On Monday, 25 September 2017 15:40:13 EEST Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>
> Thank you for the report.
>
>> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>>
>> list_add double add: new=880069084010, prev=880069084010,
>> next=880067d22298.
>> [ cut here ]
>> WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
>> Modules linked in:
>> CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
>> 4.14.0-rc2-42613-g1488251d1a98 #238
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> task: 88006b01ca40 task.stack: 880064358000
>> RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
>> RSP: 0018:88006435ddd0 EFLAGS: 00010286
>> RAX: 0058 RBX: 880067d22298 RCX: 
>> RDX: 0058 RSI: 85a58800 RDI: ed000c86bbac
>> RBP: 88006435dde8 R08: 11000c86ba52 R09: 
>> R10: 0002 R11:  R12: 880069084010
>> R13: 880067d22298 R14: 880069084010 R15: 880067d222a0
>> FS:  () GS:88006c90() knlGS:
>> CS:  0010 DS:  ES:  CR0: 80050033
>> CR2: 20004ff2 CR3: 6b447000 CR4: 06e0
>> Call Trace:
>>  __list_add ./include/linux/list.h:59
>>  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
>>  uvc_scan_chain_forward.isra.8+0x373/0x416
>> drivers/media/usb/uvc/uvc_driver.c:1471
>>  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
>>  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
>>  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
>
> So the issue happens at probe time, before the driver registers the V4L2
> device nodes that allow userspace access to the device. I wonder how fuzzing
> caused this. Do you have a more detailed log ?
>
> Could you also tell me what webcam you're using to test this out ? The output
> of lsusb -v would be useful.

Hi Laurent,

I fuzz the USB stack externally by emulating random USB devices via
dummy_hcd and gadgetfs.

lsusb -v doesn't show anything, since the USB device doesn't finish
initialization.

Since I'm able to reproduce this, I can collect debug traces for you.

Here's a part of the log around the warning report:

gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 3 has an invalid interface number: 3 but max is 0
usb 1-1: config 3 contains an unexpected descriptor of type 0x1, skipping
usb 1-1: config 3 has an invalid descriptor of length 208, skipping
remainder of the config
usb 1-1: config 3 has no interface number 0
usb 1-1: New USB device found, idVendor=07f5, idProduct=03ff
usb 1-1: New USB device strings: Mfr=83, Product=255, SerialNumber=5
usb 1-1: Product: a
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #3
uvcvideo: Found UVC 0.00 device a (07f5:03ff)
list_add double add: new=880069a64910, prev=880069a64910,
next=8800698468d8.
[ cut here ]
WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
...
---[ end trace ea45186b02846d5a ]---
uvcvideo 1-1:3.3: Entity type for entity a was not initialized!
gadgetfs: disconnected
usb 1-1: USB disconnect, device number 2

Thanks!

>
>>  usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>>  really_probe drivers/base/dd.c:413
>>  driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>  __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>  bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>  __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>  bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>>  device_add+0xd0b/0x1660 drivers/base/core.c:1835
>>  usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>>  generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>>  usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
>>  really_probe drivers/base/dd.c:413
>>  driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>  __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>  bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>  __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>  device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>

usb/media/b2c2: GPF in flexcop_usb_transfer_init

2017-09-26 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).

It seems that there's no check on the actual number of endpoints.

usb 1-1: New USB device strings: Mfr=212, Product=0, SerialNumber=6
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #3
flexcop_usb: running at FULL speed.
gadgetfs: disconnected
flexcop_usb: error while reading dword from 161 (516).
flexcop_usb: error while writing dword from 33 (516).
flexcop_usb: error while writing dword from 33 (516).
flexcop_usb: error while reading dword from 161 (516).
flexcop_usb: error while reading dword from 247 (1820).
flexcop_usb: error while writing dword from 119 (1820).
flexcop_usb: error while reading dword from 176 (768).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 48 (768).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 176 (768).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 48 (768).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 177 (772).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 49 (772).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 177 (772).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 49 (772).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 178 (776).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 50 (776).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 178 (776).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 50 (776).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while writing dword from 51 (780).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 178 (776).
flexcop_usb: error while writing dword from 50 (776).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 34 (520).
flexcop_usb: error while reading dword from 162 (520).
flexcop_usb: error while writing dword from 34 (520).
dvbdev: DVB: registering new adapter (FlexCop Digital TV device)
b2c2-flexcop: reading of MAC address failed.

CX24123: wrong demod revision: 0
nxt200x: Unknown/Unsupported NXT chip: 00 00 00 00 00
tuner-simple 0-0061: creating new instance
tuner-simple 0-0061: type set to 64 (LG TDVS-H06xF)
b2c2-flexcop: found 'LG Electronics LGDT3303 VSB/QAM Frontend' .
usb 1-1: DVB: registering adapter 0 frontend 0 (LG Electronics
LGDT3303 VSB/QAM Frontend)...
b2c2-flexcop: initialization of 'Air2PC/AirStar 2 ATSC 3rd generation
(HD5000)' at the 'USB' bus controlled by a 'FlexCopIII' complete
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc2-42613-g1488251d1a98 #254
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006befe300 task.stack: 88006bf78000
RIP: 0010:flexcop_usb_transfer_init drivers/media/usb/b2c2/flexcop-usb.c:429
RIP: 0010:flexcop_usb_probe+0x4c9/0xc00 drivers/media/usb/b2c2/flexcop-usb.c:574
RSP: 0018:88006bf7e570 EFLAGS: 00010247
RAX: dc00 RBX: 88006944 RCX: 
RDX:  RSI: 88006befeca8 RDI: 0004
RBP: 88006bf7e5e8 R08: 11000d7efb34 R09: 
R10: 88006bf7e4d0 R11:  R12: 88006bafa200
R13:  R14:  R15: 880062b51198
FS:  () GS:88006c80() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2fb4 CR3: 674bb000 CR4: 06f0
Call Trace:
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 

Re: usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint

2017-09-26 Thread Andrey Konovalov
On Mon, Sep 25, 2017 at 3:30 PM, Malcolm Priestley <tvbox...@gmail.com> wrote:
>
>
> On 25/09/17 13:39, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
>>
>> usb 1-1: new full-speed USB device number 2 using dummy_hcd
>> gadgetfs: connected
>> gadgetfs: disconnected
>> gadgetfs: connected
>> usb 1-1: config 63 interface 0 altsetting 32 endpoint 0x7 has invalid
>> maxpacket 476, setting to 64
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0x0, skipping
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0xE7, skipping
>> usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
>> with address 0x7F, skipping
>> usb 1-1: config 63 interface 0 has no altsetting 0
>> usb 1-1: New USB device found, idVendor=3344, idProduct=22f0
>> usb 1-1: New USB device strings: Mfr=255, Product=0, SerialNumber=8
>> usb 1-1: Manufacturer: a
>> usb 1-1: SerialNumber: a
>> gadgetfs: configuration #63
>> gadgetfs: configuration #63
>> usb 1-1: selecting invalid altsetting 1
>> LME2510(C): Firmware Status: 4 (61)
>> usb 1-1: dvb_usb_v2: found a 'DM04_LME2510C_DVB-S RS2000' in warm state
>> usb 1-1: dvb_usb_v2: will use the device's hardware PID filter (table
>> count: 15)
>> dvbdev: DVB: registering new adapter (DM04_LME2510C_DVB-S RS2000)
>> usb 1-1: media controller created
>> dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
>> LME2510(C): FE Found M88RS2000
>> ts2020: probe of 0-0060 failed with error -11
>> usb 1-1: DVB: registering adapter 0 frontend 0 (DM04_LME2510C_DVB-S
>> RS2000 RS2000)...
>> dvbdev: dvb_create_media_entity: media entity 'DM04_LME2510C_DVB-S
>> RS2000 RS2000' registered.
>> LME2510(C): TUN Found RS2000 tuner
>> kasan: CONFIG_KASAN_INLINE enabled
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault:  [#1] PREEMPT SMP KASAN
>
>
> Neither is it null nor user memory, and it is always present regardless of
> tuner state when _real_ hardware is connected.

Hi Malcolm,

An attacker with physical access to a machine may connect a malicious
USB device. In this case such a device would only cause a kernel
crash, which might not be considered that critical, but other bugs
might be exploitable and allow arbitrary code execution or data leaks.
It would be nice to get this fixed to allow further testing of this
driver.

Thanks!

>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


usb/media/uvc: warning in uvc_scan_chain_forward/__list_add

2017-09-25 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).

list_add double add: new=880069084010, prev=880069084010,
next=880067d22298.
[ cut here ]
WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
Modules linked in:
CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
4.14.0-rc2-42613-g1488251d1a98 #238
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006b01ca40 task.stack: 880064358000
RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
RSP: 0018:88006435ddd0 EFLAGS: 00010286
RAX: 0058 RBX: 880067d22298 RCX: 
RDX: 0058 RSI: 85a58800 RDI: ed000c86bbac
RBP: 88006435dde8 R08: 11000c86ba52 R09: 
R10: 0002 R11:  R12: 880069084010
R13: 880067d22298 R14: 880069084010 R15: 880067d222a0
FS:  () GS:88006c90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20004ff2 CR3: 6b447000 CR4: 06e0
Call Trace:
 __list_add ./include/linux/list.h:59
 list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
 uvc_scan_chain_forward.isra.8+0x373/0x416
drivers/media/usb/uvc/uvc_driver.c:1471
 uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
 uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
 uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: f1 48 c7 c7 c0 89 a5 85 48 89 de e8 38 34 e1 fe 0f ff 31 c0 eb
c3 48 89 f2 48 89 d9 4c 89 e6 48 c7 c7 40 8a a5 85 e8 1d 34 e1 fe <0f>
ff 31 c0 eb a8 48 89 75 e8 e8 e4 b3 2a ff 48 8b 75 e8 e9 5b
---[ end trace 23181469b7a6915e ]---


usb/media/lmedm04: GPF in lme2510_int_read/usb_pipe_endpoint

2017-09-25 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).

usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 63 interface 0 altsetting 32 endpoint 0x7 has invalid
maxpacket 476, setting to 64
usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
with address 0x0, skipping
usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
with address 0xE7, skipping
usb 1-1: config 63 interface 0 altsetting 32 has an invalid endpoint
with address 0x7F, skipping
usb 1-1: config 63 interface 0 has no altsetting 0
usb 1-1: New USB device found, idVendor=3344, idProduct=22f0
usb 1-1: New USB device strings: Mfr=255, Product=0, SerialNumber=8
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #63
gadgetfs: configuration #63
usb 1-1: selecting invalid altsetting 1
LME2510(C): Firmware Status: 4 (61)
usb 1-1: dvb_usb_v2: found a 'DM04_LME2510C_DVB-S RS2000' in warm state
usb 1-1: dvb_usb_v2: will use the device's hardware PID filter (table count: 15)
dvbdev: DVB: registering new adapter (DM04_LME2510C_DVB-S RS2000)
usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
LME2510(C): FE Found M88RS2000
ts2020: probe of 0-0060 failed with error -11
usb 1-1: DVB: registering adapter 0 frontend 0 (DM04_LME2510C_DVB-S
RS2000 RS2000)...
dvbdev: dvb_create_media_entity: media entity 'DM04_LME2510C_DVB-S
RS2000 RS2000' registered.
LME2510(C): TUN Found RS2000 tuner
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 1845 Comm: kworker/0:2 Not tainted
4.14.0-rc2-42613-g1488251d1a98 #238
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006b9e18c0 task.stack: 880064368000
RIP: 0010:usb_pipe_endpoint ./include/linux/usb.h:1913
RIP: 0010:lme2510_int_read drivers/media/usb/dvb-usb-v2/lmedm04.c:436
RIP: 0010:dm04_lme2510_tuner+0xa38/0xe60
drivers/media/usb/dvb-usb-v2/lmedm04.c:1156
RSP: 0018:88006436e2d0 EFLAGS: 00010246
RAX: dc00 RBX: 11000c86dc5f RCX: 11000d4b136d
RDX:  RSI: 88006a589b00 RDI: 0003
RBP: 88006436e440 R08: 11000c86db41 R09: 
R10:  R11:  R12: 88006a589b00
R13: 880069829f00 R14: 8800686d6600 R15: 
FS:  () GS:88006c80() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fb711d159b8 CR3: 62b33000 CR4: 06f0
Call Trace:
 dvb_usbv2_adapter_frontend_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:689
 dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:818
 dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:881
 dvb_usbv2_probe+0x15b1/0x3310 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:992
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 02 00 00 48 b8
00 00 00 00 00 fc ff df 4d 8b 3f 49 8d 7f 03 48 89 fa 48 c1 ea 03 <0f>
b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 19 02 00
RIP: dm04_lme2510_tuner+0xa38/0xe60 RSP: 88006436e2d0
---[ end trace 8adf929c013d2744 ]---


Re: usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-22 Thread Andrey Konovalov
On Fri, Sep 22, 2017 at 3:09 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> Hi Andrey,
>
>
> On Friday 22 September 2017 05:16 PM, Andrey Konovalov wrote:
>>
>> On Fri, Sep 22, 2017 at 9:41 AM, Arvind Yadav <arvind.yadav...@gmail.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> I have a doubt. Why we are calling flush_work in hdpvr_probe for every
>>> failure.
>>> We are flushing work which is not defined yet.
>>>
>>> Here, hdpvr_register_videodev() is responsible for setup and register a
>>> video device.
>>> It also defines and initializes a worker. We call
>>> hdpvr_register_videodev() last.
>>> No need to flush any work here.
>>>
>>> Please correct me, if I am wrong.
>>
>> Hi Arvind,
>>
>> I believe you're right, no need to call flush_work() before
>> dev->worker is initialized.
>>
>> Could you send a fix?
>>
>> I'm able to reproduce the issue, so I can test your patches if needed.
>
> I have sent you a patch which will resolve this error. But my
> question is why
> hdpvr_probe() is failing. We need to find out. Could you please share more
> information and logs.

The patch helps, thanks!

hdpvr_probe() is failing, because I'm attaching a malicious USB device
that pretends to be an hdpvr device, but doesn't have a bulk-in
endpoint.

[   27.722420] gadgetfs: bound to dummy_udc driver
[   27.990245] usb 1-1: new full-speed USB device number 2 using dummy_hcd
[   28.010242] gadgetfs: connected
[   28.011732] gadgetfs: disconnected
[   28.230142] gadgetfs: connected
[   28.330313] usb 1-1: config 8 has an invalid interface number: 217
but max is 0
[   28.331981] usb 1-1: config 8 has no interface number 0
[   28.410315] usb 1-1: New USB device found, idVendor=2040, idProduct=4903
[   28.411826] usb 1-1: New USB device strings: Mfr=0, Product=0,
SerialNumber=127
[   28.413477] usb 1-1: SerialNumber: a
[   28.440134] gadgetfs: configuration #8
[   28.467705] hdpvr 1-1:8.217: Could not find bulk-in endpoint
[   28.469024] hdpvr: probe of 1-1:8.217 failed with error -12
[   29.446584] gadgetfs: disconnected
[   29.449634] usb 1-1: USB disconnect, device number 2

>
> ~arvind
>
>> Thanks!
>>
>>>
>>> On Thursday 21 September 2017 09:09 PM, Andrey Konovalov wrote:
>>>>
>>>> Hi!
>>>>
>>>> I've got the following report while fuzzing the kernel with syzkaller.
>>>>
>>>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>>>>
>>>> INFO: trying to register non-static key.
>>>> the code is fine but needs lockdep annotation.
>>>> turning off the locking correctness validator.
>>>> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
>>>> 4.14.0-rc1-42251-gebb2c2437d80 #215
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>>>> 01/01/2011
>>>> Workqueue: usb_hub_wq hub_event
>>>> Call Trace:
>>>>__dump_stack lib/dump_stack.c:16
>>>>dump_stack+0x292/0x395 lib/dump_stack.c:52
>>>>register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
>>>>__lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
>>>>lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
>>>>flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
>>>>hdpvr_probe+0x233/0x20d0 drivers/media/usb/hdpvr/hdpvr-core.c:400
>>>>usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>>>>really_probe drivers/base/dd.c:413
>>>>driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>>>__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>>>bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>>>__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>>>device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>>>bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>>>>device_add+0xd0b/0x1660 drivers/base/core.c:1835
>>>>usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>>>>generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>>>>usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
>>>>really_probe drivers/base/dd.c:413
>>>>driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>>>__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>>>bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>>>__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>>>device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>>>bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>>>>device_add+0xd0b/0x1660 drivers/base/core.c:1835
>>>>usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
>>>>hub_port_connect drivers/usb/core/hub.c:4903
>>>>hub_port_connect_change drivers/usb/core/hub.c:5009
>>>>port_event drivers/usb/core/hub.c:5115
>>>>hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
>>>>process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
>>>>worker_thread+0x221/0x1850 kernel/workqueue.c:2253
>>>>kthread+0x3a1/0x470 kernel/kthread.c:231
>>>>ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>>>> hdpvr: probe of 1-1:8.217 failed with error -12
>>>
>>> ~arvind
>
>


Re: [PATCH] [media] hdpvr: Fix an error handling path in hdpvr_probe()

2017-09-22 Thread Andrey Konovalov
On Fri, Sep 22, 2017 at 3:07 PM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> Here, hdpvr_register_videodev() is responsible for setting up and
> registering a video device, and also defines and initializes a worker.
> hdpvr_register_videodev() is called by hdpvr_probe() last,
> so there is no need to flush any work here.
> If hdpvr_probe() fails, unregister v4l2 and free the buffers and memory.
>
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>

Reported-by: Andrey Konovalov <andreyk...@google.com>

Thanks, this fixes the crash!

Tested-by: Andrey Konovalov <andreyk...@google.com>

> ---
>  drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++---
>  1 file changed, 15 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c 
> b/drivers/media/usb/hdpvr/hdpvr-core.c
> index dbe29c6..1e8cbaf 100644
> --- a/drivers/media/usb/hdpvr/hdpvr-core.c
> +++ b/drivers/media/usb/hdpvr/hdpvr-core.c
> @@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interface *interface,
> /* register v4l2_device early so it can be used for printks */
> if (v4l2_device_register(>dev, >v4l2_dev)) {
> dev_err(>dev, "v4l2_device_register failed\n");
> -   goto error;
> +   goto error_free_dev;
> }
>
> mutex_init(>io_mutex);
> @@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interface *interface,
> dev->usbc_buf = kmalloc(64, GFP_KERNEL);
> if (!dev->usbc_buf) {
> v4l2_err(>v4l2_dev, "Out of memory\n");
> -   goto error;
> +   goto error_v4l2_unregister;
> }
>
> init_waitqueue_head(>wait_buffer);
> @@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interface *interface,
> }
> if (!dev->bulk_in_endpointAddr) {
> v4l2_err(>v4l2_dev, "Could not find bulk-in endpoint\n");
> -   goto error;
> +   goto error_put_usb;
> }
>
> /* init the device */
> if (hdpvr_device_init(dev)) {
> v4l2_err(>v4l2_dev, "device init failed\n");
> -   goto error;
> +   goto error_put_usb;
> }
>
> mutex_lock(>io_mutex);
> @@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interface *interface,
> mutex_unlock(>io_mutex);
> v4l2_err(>v4l2_dev,
>  "allocating transfer buffers failed\n");
> -   goto error;
> +   goto error_put_usb;
> }
> mutex_unlock(>io_mutex);
>
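Review bot: The `goto error_put_usb` added here skips `hdpvr_free_buffers()`, so it is only leak-free if `hdpvr_alloc_buffers()` already releases whatever it allocated before returning failure; that function is not visible in this hunk, so please confirm. If it does not unwind itself, call `hdpvr_free_buffers(dev);` before the `goto` rather than jumping to `error_free_buffers`, because this patch places that label under `#if IS_ENABLED(CONFIG_I2C)`. The `mutex_unlock()` must stay ahead of the jump, as none of the cleanup labels release `io_mutex`. hdpvr_probe() continues outside this hunk.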
> @@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interface *interface,
> retval = hdpvr_register_i2c_adapter(dev);
> if (retval < 0) {
> v4l2_err(>v4l2_dev, "i2c adapter register failed\n");
> -   goto error;
> +   goto error_free_buffers;
> }
>
> client = hdpvr_register_ir_rx_i2c(dev);
> @@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interface *interface,
>  reg_fail:
>  #if IS_ENABLED(CONFIG_I2C)
> i2c_del_adapter(>i2c_adapter);
> +error_free_buffers:
>  #endif
> +   hdpvr_free_buffers(dev);
> +error_put_usb:
> +   usb_put_dev(dev->udev);
> +   kfree(dev->usbc_buf);
> +error_v4l2_unregister:
> +   v4l2_device_unregister(>v4l2_dev);
> +error_free_dev:
> +   kfree(dev);
>  error:
> -   if (dev) {
> -   flush_work(>worker);
> -   /* this frees allocated memory */
> -   hdpvr_delete(dev);
> -   }
> return retval;
>  }
>
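Review bot: The new `error_free_buffers:` label sits inside the `#if IS_ENABLED(CONFIG_I2C)` block, so the `goto error_free_buffers` after hdpvr_register_i2c_adapter() must be under the same guard or a !CONFIG_I2C build fails with an undefined label; the earlier hunk does not show that guard, so please confirm, otherwise move the label below `#endif`. Dropping `flush_work(&dev->worker)` is only safe if nothing can queue the worker before hdpvr_register_videodev() succeeds, including on its own failure path that lands at `reg_fail`; the commit message asserts this but the hunk cannot show it. This manual unwind now duplicates what hdpvr_delete() did (and presumably still does on disconnect), so a one-line comment such as `/* manual mirror of hdpvr_delete(); keep in sync with the disconnect path */` above `reg_fail:` would help keep the two aligned. The start of hdpvr_probe() is outside the hunk.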
> --
> 1.9.1
>


usb/media/stkwebcam: use-after-free in v4l2_ctrl_handler_free

2017-09-22 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

==
BUG: KASAN: use-after-free in v4l2_ctrl_handler_free+0x9e1/0x9f0
Read of size 8 at addr 88006a189278 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x22f/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 v4l2_ctrl_handler_free+0x9e1/0x9f0 drivers/media/v4l2-core/v4l2-ctrls.c:1765
 stk_camera_disconnect+0xf5/0x160 drivers/media/usb/stkwebcam/stk-webcam.c:1392
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 1844:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 stk_camera_probe+0xcf/0xdd0 drivers/media/usb/stkwebcam/stk-webcam.c:1287
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Freed by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 stk_v4l_dev_release+0xab/0xe0 drivers/media/usb/stkwebcam/stk-webcam.c:1244
 v4l2_device_release+0x2dc/0x390 drivers/media/v4l2-core/v4l2-dev.c:218
 device_release+0x13f/0x210 drivers/base/core.c:814
 kobject_cleanup lib/kobject.c:648
 kobject_release lib/kobject.c:677
 kref_put ./include/linux/kref.h:70
 kobject_put+0x145/0x240 lib/kobject.c:694
 put_device drivers/base/core.c:1931
 device_unregister+0x2d/0x40 drivers/base/core.c:2021
 video_unregister_device+0x80/0x90 drivers/media/v4l2-core/v4l2-dev.c:1028
 stk_camera_disconnect+0xe9/0x160 drivers/media/usb/stkwebcam/stk-webcam.c:1391
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 

usb/media/dib0700: BUG in stk7070p_frontend_attach/symbol_put_addr

2017-09-22 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

dib0700: stk7070p_frontend_attach: state->dib7000p_ops.i2c_enumeration
failed.  Cannot continue
[ cut here ]
kernel BUG at kernel/module.c:1081!
invalid opcode:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: GW
4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006a336300 task.stack: 88006a7c8000
RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
RSP: 0018:88006a7ce210 EFLAGS: 00010246
RAX:  RBX: 880062a8d190 RCX: 
RDX: dc20 RSI: 85876d60 RDI: 880062a8d190
RBP: 88006a7ce218 R08: 11000d4f9c12 R09: 11000d4f9ae4
R10: 11000d4f9bed R11:  R12: 880062a8d180
R13: ffed R14: 880062a8d190 R15: 88006947c000
FS:  () GS:88006c90() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f6416532000 CR3: 632f5000 CR4: 06e0
Call Trace:
 stk7070p_frontend_attach+0x515/0x610
drivers/media/usb/dvb-usb/dib0700_devices.c:1013
 dvb_usb_adapter_frontend_init+0x32b/0x660
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210
---[ end trace b75b357739e7e116 ]---


usb/media/zr364xx: GPF in zr364xx_vidioc_querycap/strlcpy

2017-09-22 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 225 has an invalid interface number: 1 but max is 0
usb 1-1: config 225 has no interface number 0
usb 1-1: config 225 interface 1 altsetting 0 endpoint 0x5 has invalid
maxpacket 2047, setting to 64
usb 1-1: config 225 interface 1 altsetting 0 has an invalid endpoint
with address 0xF5, skipping
usb 1-1: config 225 interface 1 altsetting 0 endpoint 0x8A has invalid
maxpacket 2047, setting to 64
usb 1-1: config 225 interface 1 altsetting 0 endpoint 0x81 has an
invalid bInterval 0, changing to 10
usb 1-1: config 225 interface 1 altsetting 0 endpoint 0x81 has invalid
maxpacket 1025, setting to 64
usb 1-1: config 225 interface 1 altsetting 0 has an invalid endpoint
with address 0xF7, skipping
usb 1-1: config 225 interface 1 altsetting 0 has an invalid endpoint
with address 0xB8, skipping
usb 1-1: New USB device found, idVendor=041e, idProduct=4024
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=1
usb 1-1: SerialNumber: a
gadgetfs: configuration #225
zr364xx 1-1:225.1: Zoran 364xx compatible webcam plugged
zr364xx 1-1:225.1: model 041e:4024 detected
usb 1-1: 320x240 mode selected
usb 1-1: Zoran 364xx controlling device video0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 4306 Comm: v4l_id Not tainted 4.14.0-rc1-42261-ga67ef73a6f27 #225
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 88006a27e300 task.stack: 880067f7
RIP: 0010:strlcpy+0x21/0x120 lib/string.c:140
RSP: 0018:880067f777a0 EFLAGS: 00010286
RAX: dc00 RBX: 880067f77c00 RCX: 
RDX: 0020 RSI:  RDI: 880067f77c10
RBP: 880067f777c8 R08: ed000cfeef82 R09: ed000cfeef82
R10: 0002 R11: ed000cfeef81 R12: 880067f77c10
R13: 880063034400 R14: 8000 R15: 880063193180
FS:  7f5561fe8700() GS:88006c80() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f5561b16110 CR3: 6b00c000 CR4: 06f0
Call Trace:
 zr364xx_vidioc_querycap+0xb8/0x220 drivers/media/usb/zr364xx/zr364xx.c:709
 v4l_querycap+0x134/0x370 drivers/media/v4l2-core/v4l2-ioctl.c:1008
 __video_do_ioctl+0x9c6/0xa80 drivers/media/v4l2-core/v4l2-ioctl.c:2750
 video_usercopy+0x4ea/0x1580 drivers/media/v4l2-core/v4l2-ioctl.c:2926
 video_ioctl2+0x31/0x40 drivers/media/v4l2-core/v4l2-ioctl.c:2968
 v4l2_ioctl+0x1c5/0x310 drivers/media/v4l2-core/v4l2-dev.c:360
 vfs_ioctl fs/ioctl.c:45
 do_vfs_ioctl+0x1c4/0x15c0 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700
 SyS_ioctl+0x94/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x23/0xc2 arch/x86/entry/entry_64.S:202
RIP: 0033:0x7f5561b1b347
RSP: 002b:7ffd403d19a8 EFLAGS: 0202 ORIG_RAX: 0010
RAX: ffda RBX: 7ffd403d1b00 RCX: 7f5561b1b347
RDX: 7ffd403d19b0 RSI: 80685600 RDI: 0003
RBP: 00400884 R08:  R09: 
R10:  R11: 0202 R12: 0003
R13: 7ffd403d1b00 R14:  R15: 
Code: 8b 45 f0 e9 64 ff ff ff 66 90 48 b8 00 00 00 00 00 fc ff df 55
48 89 f1 48 89 e5 48 c1 e9 03 41 55 41 54 49 89 fc 53 48 83 ec 10 <0f>
b6 04 01 48 89 f1 83 e1 07 38 c8 7f 08 84 c0 0f 85 9d 00 00
RIP: strlcpy+0x21/0x120 RSP: 880067f777a0
---[ end trace 23c9876972269088 ]---


Re: usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-22 Thread Andrey Konovalov
On Fri, Sep 22, 2017 at 9:41 AM, Arvind Yadav <arvind.yadav...@gmail.com> wrote:
> Hi,
>
> I have a doubt. Why are we calling flush_work() in hdpvr_probe() on every
> failure path? We are flushing a work item that has not been initialized yet.
>
> Here, hdpvr_register_videodev() is responsible for setting up and
> registering the video device; it also defines and initializes the worker.
> We call hdpvr_register_videodev() last, so there is no work to flush on
> the earlier failure paths.
>
> Please correct me, if I am wrong.

Hi Arvind,

I believe you're right, no need to call flush_work() before
dev->worker is initialized.

Could you send a fix?

I'm able to reproduce the issue, so I can test your patches if needed.

Thanks!

>
>
> On Thursday 21 September 2017 09:09 PM, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>>
>> INFO: trying to register non-static key.
>> the code is fine but needs lockdep annotation.
>> turning off the locking correctness validator.
>> CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
>> 4.14.0-rc1-42251-gebb2c2437d80 #215
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
>> 01/01/2011
>> Workqueue: usb_hub_wq hub_event
>> Call Trace:
>>   __dump_stack lib/dump_stack.c:16
>>   dump_stack+0x292/0x395 lib/dump_stack.c:52
>>   register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
>>   __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
>>   lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
>>   flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
>>   hdpvr_probe+0x233/0x20d0 drivers/media/usb/hdpvr/hdpvr-core.c:400
>>   usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>>   really_probe drivers/base/dd.c:413
>>   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>>   device_add+0xd0b/0x1660 drivers/base/core.c:1835
>>   usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
>>   generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
>>   usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
>>   really_probe drivers/base/dd.c:413
>>   driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
>>   __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
>>   bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
>>   __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
>>   device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
>>   bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
>>   device_add+0xd0b/0x1660 drivers/base/core.c:1835
>>   usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
>>   hub_port_connect drivers/usb/core/hub.c:4903
>>   hub_port_connect_change drivers/usb/core/hub.c:5009
>>   port_event drivers/usb/core/hub.c:5115
>>   hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
>>   process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
>>   worker_thread+0x221/0x1850 kernel/workqueue.c:2253
>>   kthread+0x3a1/0x470 kernel/kthread.c:231
>>   ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
>> hdpvr: probe of 1-1:8.217 failed with error -12
>
> ~arvind


usb/media/hdpvr: trying to register non-static key in hdpvr_probe

2017-09-21 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #215
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
 __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
 lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
 flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
 hdpvr_probe+0x233/0x20d0 drivers/media/usb/hdpvr/hdpvr-core.c:400
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
hdpvr: probe of 1-1:8.217 failed with error -12


usb/media/smsusb: use-after-free in worker_thread

2017-09-21 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

smsusb:smsusb_probe: board id=1, interface number 0
smsusb:siano_media_device_register: media controller created
smsusb:smsusb1_detectmode: product string not found
smsmdtv:smscore_set_device_mode: return error code -22.
smsmdtv:smscore_start_device: set device mode failed , rc -22
smsusb:smsusb_init_device: smscore_start_device(...) failed
smsusb:smsusb_onresponse: error, urb status -2, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_onresponse: error, urb status -71, 0 bytes
smsusb:smsusb_probe: Device initialized with return code -22
==
BUG: KASAN: use-after-free in worker_thread+0x1468/0x1850
Read of size 8 at addr 880063be11f0 by task kworker/1:1/1152

CPU: 1 PID: 1152 Comm: kworker/1:1 Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #215
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x22f/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
 worker_thread+0x1468/0x1850 kernel/workqueue.c:2251
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 1848:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 smsusb_init_device+0xd5/0xd10 drivers/media/usb/siano/smsusb.c:407
 smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:571
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Freed by task 1848:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 smsusb_term_device+0xd2/0x130 drivers/media/usb/siano/smsusb.c:363
 smsusb_init_device+0xd03/0xd10 drivers/media/usb/siano/smsusb.c:492
 smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:571
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 

Re: [PATCH] [media] cx231xx-cards: fix NULL-deref on missing association descriptor

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 10:40 AM, Johan Hovold <jo...@kernel.org> wrote:
> Make sure to check that we actually have an Interface Association
> Descriptor before dereferencing it during probe to avoid dereferencing a
> NULL-pointer.
>
> Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
> Cc: stable <sta...@vger.kernel.org> # 2.6.30
> Cc: Sri Deevi <srinivasa.de...@conexant.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Johan Hovold <jo...@kernel.org>

Tested-by: Andrey Konovalov <andreyk...@google.com>

Thanks!

> ---
>  drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c 
> b/drivers/media/usb/cx231xx/cx231xx-cards.c
> index e0daa9b6c2a0..9b742d569fb5 100644
> --- a/drivers/media/usb/cx231xx/cx231xx-cards.c
> +++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
> @@ -1684,7 +1684,7 @@ static int cx231xx_usb_probe(struct usb_interface 
> *interface,
> nr = dev->devno;
>
> assoc_desc = udev->actconfig->intf_assoc[0];
> -   if (assoc_desc->bFirstInterface != ifnum) {
> +   if (!assoc_desc || assoc_desc->bFirstInterface != ifnum) {
> dev_err(d, "Not found matching IAD interface\n");
> retval = -ENODEV;
> goto err_if;
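Review bot: The new `!assoc_desc` case reuses the "Not found matching IAD interface" message, so a device that supplies no interface association descriptor at all is indistinguishable in the log from one whose IAD points at a different interface; if that distinction matters for triage, split the test and log the NULL case separately. Since `intf_assoc[0]` is populated from device-supplied descriptors, a short comment above the check, e.g. `/* IAD comes from the device; a malformed one may omit it entirely */`, would record why the NULL test exists. cx231xx_usb_probe() continues outside this hunk.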
> --
> 2.14.1
>


Re: usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb

2017-09-20 Thread Andrey Konovalov
On Wed, Sep 20, 2017 at 9:33 PM, Mike Isely <is...@isely.net> wrote:

Hi Mike!

>
> What you have here is way beyond just feeding random crap in via the
> syscall interface.  To cause this you have to fake the presence of a
> pvrusb2 compatible *hardware* USB device and then lie about its endpoint
> configuration.  Is that really a concern here?  Are we now saying that
> any kernel driver which talks via USB must now also specifically verify
> the exact expected USB endpoint configuration?  Where does that end?
> How about the vendor-specific RPC protocol that the hardware actually
> implements over the bulk endpoint?  It's likely that the pvrusb2 driver
> may be making assumptions about the expected responses over that
> protocol.

The main assumption here is that an attacker has physical access to a
USB port on the machine. In that case a $100 Facedancer21 board [1] or a
$5 Raspberry Pi Zero [2] in device mode can be used to emulate
arbitrary USB devices and exploit bugs in the kernel (to execute
arbitrary code or to leak data). USB device descriptors received during
enumeration, and every packet subsequently received from the device
(including vendor-specific protocols), should be treated as untrusted
input and validated accordingly.

>
> Please realize that I'm not dismissing this.  I can see some merit in
> this.  But I'm just a bit surprised that now we're going this far.  Is
> this really the intention?  You're talking about code
> (pvrusb2_send_request_ex()) that hasn't changed in about 10 years.
> With this level of paranoia there's got to be a pretty target-rich
> environment over the set of kernel-supported USB devices.

Yes, the intention is to fuzz Linux kernel USB drivers (and USB core
code) by connecting random malformed USB devices and by sending
garbage during subsequent communication.

The fact that the code hasn't changed doesn't mean that it's not buggy :)

>
> To take this another step, wouldn't that same level of paranoia be a
> concern for any externally connected PCI-Express device?  Because that's
> another external way into the computer that involves very non-trivial
> and very hardware-centric protocols.  Thunderbolt devices would be an
> example of this.

At this point being able to connect a PCI-Express device usually leads
to being able to do a DMA attack. But sure, exploitable bugs in
PCI-Express device drivers would be a viable attack vector for systems
with proper IOMMU support. The same goes for any other hot-pluggable,
externally accessible port/protocol.

>
>   -Mike

[1] https://int3.cc/products/facedancer21

[2] https://www.raspberrypi.org/products/raspberry-pi-zero/

Thanks!

>
>
> On Wed, 20 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>>
>> There seems to be no check on endpoint type before submitting bulk urb
>> in pvr2_send_request_ex().
>>
>> usb 1-1: New USB device found, idVendor=2040, idProduct=7500
>> usb 1-1: New USB device strings: Mfr=0, Product=255, SerialNumber=0
>> usb 1-1: Product: a
>> gadgetfs: configuration #6
>> pvrusb2: Hardware description: WinTV HVR-1950 Model 750xx
>> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
>> [ cut here ]
>> WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449
>> usb_submit_urb+0xf8a/0x11d0
>> Modules linked in:
>> CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted
>> 4.14.0-rc1-42251-gebb2c2437d80 #210
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: 88006b7a18c0 task.stack: 880069978000
>> RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
>> RSP: 0018:88006997f990 EFLAGS: 00010286
>> RAX: 0029 RBX: 880063661900 RCX: 
>> RDX: 0029 RSI: 86876d60 RDI: ed000d32ff24
>> RBP: 88006997fa90 R08: 11000d32fdca R09: 
>> R10:  R11:  R12: 11000d32ff39
>> R13: 0001 R14: 0003 R15: 880068bbed68
>> FS:  () GS:88006c60() knlGS:
>> CS:  0010 DS:  ES:  CR0: 80050033
>> CR2: 01032000 CR3: 6a0ff000 CR4: 06f0
>> Call Trace:
>>  pvr2_send_request_ex+0xa57/0x1d80 
>> drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
>>  pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
>>  pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
>>  pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
>>  pvr2_hdw_initialize+0x548/0x3c10 
>> drivers/me

usb/media/pvrusb2: warning in pvr2_send_request_ex/usb_submit_urb

2017-09-20 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

There seems to be no check on endpoint type before submitting bulk urb
in pvr2_send_request_ex().

usb 1-1: New USB device found, idVendor=2040, idProduct=7500
usb 1-1: New USB device strings: Mfr=0, Product=255, SerialNumber=0
usb 1-1: Product: a
gadgetfs: configuration #6
pvrusb2: Hardware description: WinTV HVR-1950 Model 750xx
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ cut here ]
WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449
usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted
4.14.0-rc1-42251-gebb2c2437d80 #210
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 88006b7a18c0 task.stack: 880069978000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:88006997f990 EFLAGS: 00010286
RAX: 0029 RBX: 880063661900 RCX: 
RDX: 0029 RSI: 86876d60 RDI: ed000d32ff24
RBP: 88006997fa90 R08: 11000d32fdca R09: 
R10:  R11:  R12: 11000d32ff39
R13: 0001 R14: 0003 R15: 880068bbed68
FS:  () GS:88006c60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 01032000 CR3: 6a0ff000 CR4: 06f0
Call Trace:
 pvr2_send_request_ex+0xa57/0x1d80 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
 pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
 pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
 pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
 pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327
 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118
 pvr2_context_thread_func+0x361/0x8c0
drivers/media/usb/pvrusb2/pvrusb2-context.c:167
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
---[ end trace 6919030503719da6 ]---


usb/media/smsusb: null-ptr-deref in smsusb_init_device

2017-09-20 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

The null-ptr-deref happens on
dev->udev->ep_in[1]->desc.wMaxPacketSize. There seems to be no check
on the number of endpoints before ep_in[1] is accessed.

usb 1-1: New USB device found, idVendor=2040, idProduct=5530
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
gadgetfs: configuration #4
smsusb:smsusb_probe: board id=8, interface number 0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted
4.14.0-rc1-42251-gebb2c2437d80-dirty #208
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006bb26300 task.stack: 88006bba
RIP: 0010:smsusb_init_device+0x2f0/0xd10 drivers/media/usb/siano/smsusb.c:431
RSP: 0018:88006bba6340 EFLAGS: 00010247
RAX: dc00 RBX: 880063e1 RCX: 11003ab8
RDX:  RSI: 880063e10bac RDI: 0004
RBP: 88006bba6478 R08: ed000d774c84 R09: 88006bba63b0
R10: 000e R11: ed000d774c83 R12: 
R13:  R14:  R15: 88006840d500
FS:  () GS:88006c60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fff57742008 CR3: 67444000 CR4: 06f0
Call Trace:
 smsusb_probe+0x4f5/0xdc0 drivers/media/usb/siano/smsusb.c:571
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 00 0f 85 d1 07 00 00 48 8b 85 f0 fe ff ff 4c 8b a0 a8 05 00 00
48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 04 48 89 fa 48 c1 ea 03 <0f>
b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RIP: smsusb_init_device+0x2f0/0xd10 RSP: 88006bba6340
---[ end trace 1e8f3aa7788a0764 ]---


usb/media/cx231xx: null-ptr-deref in cx231xx_usb_probe

2017-09-20 Thread Andrey Konovalov
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

The null-ptr-deref happens on assoc_desc->bFirstInterface, where
assoc_desc = udev->actconfig->intf_assoc[0]. There seems to be no
check that the device actually contains an Interface Association
Descriptor.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80 #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: 88006bb26300 task.stack: 88006bba
RIP: 0010:cx231xx_usb_probe+0x96a/0x32e0
drivers/media/usb/cx231xx/cx231xx-cards.c:1687
RSP: 0018:88006bba63e0 EFLAGS: 00010246
RAX: dc00 RBX:  RCX: f8f8
RDX:  RSI: 86876d60 RDI: 0002
RBP: 88006bba65e8 R08: 0002 R09: 
R10:  R11:  R12: 870a62e0
R13: 88005ba70028 R14: 880062c9aa80 R15: 880062c9b018
FS:  () GS:88006c60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f83211b5518 CR3: 5b9dc000 CR4: 06f0
Call Trace:
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 18 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 aa 28 00 00 48 b8 00
00 00 00 00 fc ff df 48 8b 5b 18 48 8d 7b 02 48 89 fa 48 c1 ea 03 <0f>
b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 50 28 00
RIP: cx231xx_usb_probe+0x96a/0x32e0 RSP: 88006bba63e0