Test patch for KASAN: use-after-free Read in v4l2_fh_open

[Soumya Negi]

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

diff --git a/drivers/media/usb/em28xx/em28xx-video.c
b/drivers/media/usb/em28xx/em28xx-video.c
index 8181c0e6a25b..900a1eacb1c7 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2320,6 +2320,19 @@ static int em28xx_v4l2_close(struct file *filp)
return 0;
}

+/* Used to temporarily disable file operations on video_device until successful
+ * initialization in em28xx_v4l2_init().
+ */
+static const struct v4l2_file_operations em28xx_v4l_fops_empty = {
+ .owner = THIS_MODULE,
+ .open = NULL,
+ .release = NULL,
+ .read = NULL,
+ .poll = NULL,
+ .mmap = NULL,
+ .unlocked_ioctl = NULL,
+};
+
static const struct v4l2_file_operations em28xx_v4l_fops = {
:...skipping...
diff --git a/drivers/media/usb/em28xx/em28xx-video.c
b/drivers/media/usb/em28xx/em28xx-video.c
index 8181c0e6a25b..900a1eacb1c7 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2320,6 +2320,19 @@ static int em28xx_v4l2_close(struct file *filp)
return 0;
}

+/* Used to temporarily disable file operations on video_device until successful
+ * initialization in em28xx_v4l2_init().
+ */
+static const struct v4l2_file_operations em28xx_v4l_fops_empty = {
+ .owner = THIS_MODULE,
+ .open = NULL,
+ .release = NULL,
+ .read = NULL,
+ .poll = NULL,
+ .mmap = NULL,
+ .unlocked_ioctl = NULL,
+};
+
static const struct v4l2_file_operations em28xx_v4l_fops = {
.owner = THIS_MODULE,
.open = em28xx_v4l2_open,
@@ -2375,12 +2388,22 @@ static const struct v4l2_ioctl_ops video_ioctl_ops = {
};

static const struct video_device em28xx_video_template = {
- .fops = &em28xx_v4l_fops,
+ .fops = &em28xx_v4l_fops_empty,
.ioctl_ops = &video_ioctl_ops,
.release = video_device_release_empty,
.tvnorms = V4L2_STD_ALL,
};

+/* Used to temporarily disable file operations on video_device until successful
+ * initialization in em28xx_v4l2_init().
+ */
+static const struct v4l2_file_operations radio_fops_empty = {
+ .owner = THIS_MODULE,
+ .open = NULL,
+ .release = NULL,
+ .unlocked_ioctl = NULL,
+};
+
static const struct v4l2_file_operations radio_fops = {
.owner = THIS_MODULE,
.open = em28xx_v4l2_open,
@@ -2404,7 +2427,7 @@ static const struct v4l2_ioctl_ops radio_ioctl_ops = {
};

static struct video_device em28xx_radio_template = {
- .fops = &radio_fops,
+ .fops = &radio_fops_empty,
.ioctl_ops = &radio_ioctl_ops,
.release = video_device_release_empty,
};
@@ -2833,9 +2856,6 @@ static int em28xx_v4l2_init(struct em28xx *dev)
"can't register radio device\n");
goto unregister_dev;
}

[syzbot]

> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want 2 args (repo, branch), got 4

[syzbot]

> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want 2 args (repo, branch), got 4

>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAHH-VXd_-gDMdF9UHK-9X6-FvNzEhVet8FuqeCnbaN_FoDNNaw%40mail.gmail.com.

[Soumya Negi]

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

diff --git a/drivers/media/usb/em28xx/em2
8xx-video.c

[syzbot]

> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want 2 args (repo, branch), got 4

>

[syzbot]

> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

want 2 args (repo, branch), got 4

>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAHH-VXdjq%2BABytwPiCknETRi-ZWsipnmHkh6g3QMq4u0VXfUhA%40mail.gmail.com.

[Soumya Negi]

#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e4e453434a19

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/media/usb/em28xx/em28xx-video.c
patch: **** malformed patch at line 8: diff --git a/drivers/media/usb/em28xx/em28xx-video.c




Tested on:

commit: e4e45343 Merge tag 'perf-tools-fixes-for-v5.13-2021-06..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=b2391895514ed9ef4a8e
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=158ffd4d080000

[Soumya Negi]

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b23918...@syzkaller.appspotmail.com

Tested on:

commit: e4e45343 Merge tag 'perf-tools-fixes-for-v5.13-2021-06..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

console output: https://syzkaller.appspot.com/x/log.txt?x=1371fc8b080000
kernel config: https://syzkaller.appspot.com/x/.config?x=876d14a39e1ea0ff
dashboard link: https://syzkaller.appspot.com/bug?extid=b2391895514ed9ef4a8e
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ab0893080000

Note: testing is done by a robot and is best-effort only.