3362732a94
[ Upstream commit ded85b0c0edd8f45fec88783d7555a5b982449c1 ]

Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.

Reported-and-tested-by: syzbot+621409285c4156a009b3@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a02a4205fff8eb92@google.com/
Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload")
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
Acked-by: Mike Isely <isely@pobox.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

||
---|---|---|
Kconfig | ||
Makefile | ||
pvrusb2-audio.c | ||
pvrusb2-audio.h | ||
pvrusb2-context.c | ||
pvrusb2-context.h | ||
pvrusb2-cs53l32a.c | ||
pvrusb2-cs53l32a.h | ||
pvrusb2-ctrl.c | ||
pvrusb2-ctrl.h | ||
pvrusb2-cx2584x-v4l.c | ||
pvrusb2-cx2584x-v4l.h | ||
pvrusb2-debug.h | ||
pvrusb2-debugifc.c | ||
pvrusb2-debugifc.h | ||
pvrusb2-devattr.c | ||
pvrusb2-devattr.h | ||
pvrusb2-dvb.c | ||
pvrusb2-dvb.h | ||
pvrusb2-eeprom.c | ||
pvrusb2-eeprom.h | ||
pvrusb2-encoder.c | ||
pvrusb2-encoder.h | ||
pvrusb2-fx2-cmd.h | ||
pvrusb2-hdw-internal.h | ||
pvrusb2-hdw.c | ||
pvrusb2-hdw.h | ||
pvrusb2-i2c-core.c | ||
pvrusb2-i2c-core.h | ||
pvrusb2-io.c | ||
pvrusb2-io.h | ||
pvrusb2-ioread.c | ||
pvrusb2-ioread.h | ||
pvrusb2-main.c | ||
pvrusb2-std.c | ||
pvrusb2-std.h | ||
pvrusb2-sysfs.c | ||
pvrusb2-sysfs.h | ||
pvrusb2-util.h | ||
pvrusb2-v4l2.c | ||
pvrusb2-v4l2.h | ||
pvrusb2-video-v4l.c | ||
pvrusb2-video-v4l.h | ||
pvrusb2-wm8775.c | ||
pvrusb2-wm8775.h | ||
pvrusb2.h |