linux-uconsole/drivers
Andrey Konovalov 0a418e5771 media: dib0700: fix invalid dvb_detach argument
commit eb0c199422 upstream.

dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer
to a function. Right now a pointer to state->dib7000p_ops is passed to
dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by
syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.

------------[ cut here ]------------
kernel BUG at kernel/module.c:1081!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G        W       4.14.0-rc1-42251-gebb2c2437d80 #224
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: ffff88006a336300 task.stack: ffff88006a7c8000
RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083
RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000
RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190
RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4
R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180
R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000
FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0
Call Trace:
 stk7070p_frontend_attach+0x515/0x610 drivers/media/usb/dvb-usb/dib0700_devices.c:1013
 dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210
---[ end trace b75b357739e7e116 ]---

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-21 09:21:17 +01:00
accessibility
acpi ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal 2017-08-30 10:19:29 +02:00
amba
android ANDROID: binder: fix proc->tsk check. 2017-08-30 10:19:26 +02:00
ata libata: transport: Remove circular dependency at free time 2017-10-08 10:14:20 +02:00
atm
auxdisplay
base PM / wakeirq: report a wakeup_event on dedicated wekup irq 2017-11-08 10:06:28 +01:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block rbd: use GFP_NOIO for parent stat and data requests 2017-11-15 17:13:13 +01:00
bluetooth Bluetooth: Add support of 13d3:3494 RTL8723BE device 2017-09-13 14:09:45 -07:00
bus bus: mbus: fix window size calculation for 4GB windows 2017-10-27 10:23:17 +02:00
cdrom
char tpm: Replace device number bitmap with IDR 2017-08-06 19:19:43 -07:00
clk clk: Make x86/ conditional on CONFIG_COMMON_CLK 2017-05-14 13:32:55 +02:00
clocksource clockevents/drivers/cs5535: Improve resilience to spurious interrupts 2017-10-27 10:23:17 +02:00
connector
cpufreq cpufreq: CPPC: add ACPI_PROCESSOR dependency 2017-10-21 17:09:06 +02:00
cpuidle ARM: cpuidle: Fix error return code 2016-10-16 17:36:15 +02:00
crypto crypto: vmx - disable preemption to enable vsx in aes_ctr.c 2017-11-15 17:13:10 +01:00
dca
devfreq
dio
dma dmaengine: edma: Align the memcpy acnt array size with the transfer 2017-10-18 09:20:41 +02:00
dma-buf
edac EDAC: Increment correct counter in edac_inc_ue_error() 2016-09-07 08:32:41 +02:00
eisa
extcon extcon: axp288: Use vbus-valid instead of -present to determine cable presence 2017-10-08 10:14:16 +02:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware drivers: firmware: psci: drop duplicate const from psci_of_match 2017-10-08 10:14:20 +02:00
fmc
fpga
gpio gpio: mpc8xxx: Correct irq handler function 2016-10-28 03:01:25 -04:00
gpu drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue 2017-11-15 17:13:13 +01:00
hid HID: usbhid: fix out-of-bounds bug 2017-10-18 09:20:41 +02:00
hsi
hv Drivers: hv: fcopy: restore correct transfer length 2017-10-12 11:27:33 +02:00
hwmon hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes 2017-10-08 10:14:17 +02:00
hwspinlock
hwtracing stm class: Fix a use-after-free 2017-10-12 11:27:33 +02:00
i2c i2c: riic: correctly finish transfers 2017-11-08 10:06:29 +01:00
ide
idle intel_idle: Support for Intel Xeon Phi Processor x200 Product Family 2016-09-15 08:27:46 +02:00
iio iio: trigger: free trigger resource correctly 2017-11-15 17:13:10 +01:00
infiniband IB/ipoib: Change list_del to list_del_init in the tx object 2017-11-15 17:13:11 +01:00
input Input: ims-psu - check if CDC union descriptor is sane 2017-11-18 11:11:05 +01:00
iommu iommu/arm-smmu-v3: Clear prior settings when updating STEs 2017-11-15 17:13:09 +01:00
ipack
irqchip irqchip/crossbar: Fix incorrect type of local variables 2017-10-21 17:09:04 +02:00
isdn isdn/i4l: fetch the ppp_write buffer in one shot 2017-10-21 17:09:02 +02:00
leds leds: ktd2692: avoid harmless maybe-uninitialized warning 2017-05-14 13:32:55 +02:00
lguest
lightnvm lightnvm: put bio before return 2016-09-24 10:07:35 +02:00
macintosh
mailbox mailbox: handle empty message in tx_tick 2017-08-06 19:19:41 -07:00
mcb mcb: Fixed bar number assignment for the gdd 2016-06-01 12:15:53 -07:00
md md/linear: shutup lockdep warnning 2017-10-21 17:09:05 +02:00
media media: dib0700: fix invalid dvb_detach argument 2017-11-21 09:21:17 +01:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-07-27 09:47:35 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-28 03:01:35 -04:00
message
mfd mfd: axp20x: Fix axp288 PEK_DBR and PEK_DBF irqs being swapped 2017-11-08 10:06:29 +01:00
misc mei: return error on notification request to a disconnected client 2017-11-08 10:06:30 +01:00
mmc mmc: s3cmci: include linux/interrupt.h for tasklet_struct 2017-11-08 10:06:28 +01:00
mtd mtd: bcm47xxpart: don't fail because of bit-flips 2017-07-05 14:37:18 +02:00
net brcmfmac: remove setting IBSS mode when stopping AP 2017-11-18 11:11:07 +01:00
nfc nfc: fdp: fix NULL pointer dereference 2017-08-06 19:19:40 -07:00
ntb ntb_transport: fix bug calculating num_qps_mw 2017-08-30 10:19:29 +02:00
nubus
nvdimm libnvdimm, btt: fix btt_rw_page not returning errors 2017-08-06 19:19:42 -07:00
nvme nvme: protect against simultaneous shutdown invocations 2017-10-12 11:27:35 +02:00
nvmem nvmem: imx-ocotp: Fix wrong register size 2017-08-06 19:19:46 -07:00
of of: device: Export of_device_{get_modalias, uvent_modalias} to modules 2017-07-27 15:06:09 -07:00
oprofile
parisc parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo 2017-08-24 17:02:35 -07:00
parport parisc, parport_gsc: Fixes for printk continuation lines 2017-06-17 06:39:37 +02:00
pci PCI: mvebu: Handle changes to the bridge windows while enabled 2017-11-15 17:13:09 +01:00
pcmcia
perf drivers/perf: arm_pmu: Fix leak in error path 2016-10-07 15:23:41 +02:00
phy phy: qcom-usb-hs: Add depends on EXTCON 2017-05-14 13:32:57 +02:00
pinctrl pinctrl: samsung: Remove bogus irq_[un]mask from resource management 2017-08-16 13:40:30 -07:00
platform platform/x86: hp-wmi: Do not shadow error values 2017-11-15 17:13:11 +01:00
pnp PNP: Add Broadwell to Intel MCH size workaround 2016-08-16 09:30:48 +02:00
power power: supply: bq24190_charger: Handle fault before status on interrupt 2017-05-14 13:32:54 +02:00
powercap
pps pps: do not crash when failed to register 2016-08-10 11:49:25 +02:00
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: fan53555: fix I2C device ids 2017-11-02 09:40:50 +01:00
remoteproc remoteproc: Fix potential race condition in rproc_add 2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc rtc: tegra: Implement clock handling 2017-04-21 09:30:07 +02:00
s390 s390/qeth: issue STARTLAN as first IPA command 2017-11-15 17:13:11 +01:00
sbus
scsi scsi: aacraid: Process Error for response I/O 2017-11-08 10:06:30 +01:00
sfi
sh
sn
soc soc: qcom/spm: shut up uninitialized variable warning 2016-09-24 10:07:42 +02:00
spi spi: dw: Make debugfs name unique between instances 2017-08-06 19:19:44 -07:00
spmi spmi: Include OF based modalias in device uevent 2017-07-27 15:06:10 -07:00
ssb ssb: Fix error routine when fallback SPROM fails 2017-01-09 08:07:42 +01:00
staging misc: panel: properly restore atomic counter on error path 2017-11-18 11:11:07 +01:00
target target: Fix node_acl demo-mode + uncached dynamic shutdown regression 2017-11-18 11:11:07 +01:00
tc
thermal thermal: cpu_cooling: Avoid accessing potentially freed structures 2017-07-27 15:06:02 -07:00
thunderbolt thunderbolt: Fix double free of drom buffer 2016-06-01 12:15:53 -07:00
tty serial: sh-sci: Fix register offsets for the IRDA serial port 2017-11-15 17:13:10 +01:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb usb: usbtest: fix NULL pointer dereference 2017-11-18 11:11:05 +01:00
uwb uwb: ensure that endpoint is interrupt 2017-10-12 11:27:35 +02:00
vfio vfio-pci: Handle error from pci_iomap 2017-08-06 19:19:46 -07:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-09-15 08:27:53 +02:00
video video: fbdev: pmag-ba-fb: Remove bad `__init' annotation 2017-11-15 17:13:09 +01:00
virt
virtio virtio_balloon: init 1st buffer in stats vq 2017-03-31 09:49:53 +02:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 06:37:29 +01:00
watchdog watchdog: kempld: fix gcc-4.3 build 2017-10-21 17:09:04 +02:00
xen xen: don't print error message in case of missing Xenstore entry 2017-11-08 10:06:30 +01:00
zorro
Kconfig
Makefile usb: Make sure usb/phy/of gets built-in 2017-05-20 14:26:59 +02:00