Hi Everyone,

I joined the syzbot mailing list last week. It seems quite fun. I'm puzzling over this one right now.

https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869

Notice the kernel is 5.5.0-rc3-syzkaller (git checkout v5.5-rc3).

static int uvc_scan_device(struct uvc_device *dev)
{
	struct uvc_video_chain *chain;
	struct uvc_entity *term;

	list_for_each_entry(term, &dev->entities, list) {
		if (!UVC_ENTITY_IS_OTERM(term))
			continue;

		/* If the terminal is already included in a chain, skip it.
		 * This can happen for chains that have multiple output
		 * terminals, where all output terminals beside the first one
		 * will be inserted in the chain in forward scans.
		 */
		if (term->chain.next || term->chain.prev)
			continue;

		chain = uvc_alloc_chain(dev);
		if (chain == NULL)
			return -ENOMEM;

		term->flags |= UVC_ENTITY_FLAG_DEFAULT;

		if (uvc_scan_chain(chain, term) < 0) {
			kfree(chain);
			^^^^^
Somehow this "chain" is used after it has been freed. That doesn't seem possible because uvc_scan_chain() doesn't store any reference to it.

			continue;
		}

		uvc_trace(UVC_TRACE_PROBE, "Found a valid video chain (%s).\n",
			  uvc_print_chain(chain));

		list_add_tail(&chain->list, &dev->chains);
	}

It's like solving a puzzle. Reviewing code skills etc.

regards,
dan carpenter
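The "already included in a chain" test above (term->chain.next || term->chain.prev) tells us that an entity carries an embedded list node which gets linked into a chain's entity list. The example below is added here as an illustration and is not code from this thread or from the uvcvideo driver; it makes no claim about what uvc_scan_chain() actually does. It shows the general pattern in which a freed container can still be reachable: a long-lived object (the entity) embeds a list node that points into a list head living inside a short-lived object (the chain), and freeing the chain without unlinking leaves that node dangling, so the next "is it chained?" check answers yes and anything that walks the node reads freed memory. This is exactly the class of bug KASAN reports and syzbot fuzzes for. All names (demo_*) are hypothetical stand-ins; the list helpers reimplement the shape of the kernel's intrusive list for the demo only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the kernel's intrusive doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head;
	n->prev = head->prev;
	head->prev->next = n;
	head->prev = n;
}

/* Hypothetical analogues of uvc_entity / uvc_video_chain. */
struct demo_entity {
	int id;
	struct list_head chain;   /* zeroed until linked into a chain */
};

struct demo_chain {
	struct list_head entities;
};

static void demo_entity_init(struct demo_entity *e, int id)
{
	memset(e, 0, sizeof(*e));
	e->id = id;
}

/* Mirrors the "already included in a chain" test in uvc_scan_device(). */
static int demo_entity_is_chained(const struct demo_entity *e)
{
	return e->chain.next != NULL || e->chain.prev != NULL;
}

/* A scan that links the terminal first and only then fails (constructed:
 * 'fail' stands in for a malformed descriptor being detected late). */
static int demo_scan_chain(struct demo_chain *c, struct demo_entity *term, int fail)
{
	list_add_tail(&term->chain, &c->entities);
	return fail ? -1 : 0;
}

/* Unlink every node from the chain and clear it, so nothing keeps
 * pointing into the chain's memory once it is freed. */
static void demo_chain_unlink_all(struct demo_chain *c)
{
	while (c->entities.next != &c->entities) {
		struct list_head *n = c->entities.next;
		n->prev->next = n->next;
		n->next->prev = n->prev;
		n->next = n->prev = NULL;
	}
}

/* Buggy shape: kfree-equivalent on failure without unlinking.  Returns the
 * (now stale) address of the freed chain's list head for comparison. */
static uintptr_t demo_scan_device_buggy(struct demo_entity *term)
{
	struct demo_chain *c = malloc(sizeof(*c));
	uintptr_t head_addr;

	if (!c)
		return 0;
	INIT_LIST_HEAD(&c->entities);
	head_addr = (uintptr_t)&c->entities;
	if (demo_scan_chain(c, term, 1) < 0)
		free(c);          /* term->chain still points at c->entities */
	return head_addr;
}

/* Hardened shape: unlink before freeing. 0 if term is left unchained. */
static int demo_scan_device_fixed(struct demo_entity *term)
{
	struct demo_chain *c = malloc(sizeof(*c));

	if (!c)
		return -1;
	INIT_LIST_HEAD(&c->entities);
	if (demo_scan_chain(c, term, 1) < 0) {
		demo_chain_unlink_all(c);
		free(c);
	}
	return demo_entity_is_chained(term) ? -1 : 0;
}

/* 1 if the buggy path leaves the entity's node pointing at freed memory. */
static int demo_buggy_leaves_dangling(void)
{
	struct demo_entity t;
	uintptr_t stale;

	demo_entity_init(&t, 1);
	stale = demo_scan_device_buggy(&t);
	return stale != 0 && demo_entity_is_chained(&t) &&
	       (uintptr_t)t.chain.next == stale;
}

/* 1 if the hardened path leaves the entity looking unchained again. */
static int demo_fixed_clears_node(void)
{
	struct demo_entity t;

	demo_entity_init(&t, 2);
	return demo_scan_device_fixed(&t) == 0 && !demo_entity_is_chained(&t);
}

int main(void)
{
	printf("buggy path leaves dangling node: %d\n", demo_buggy_leaves_dangling());
	printf("fixed path clears node:          %d\n", demo_fixed_clears_node());
	return 0;
}
```

Note that the buggy path never dereferences the freed chain itself; the damage surfaces later, when something trusts term->chain as a valid link. Running the demo under AddressSanitizer shows nothing for that reason, which is also why the originating allocation and the reported use can sit in different functions in a syzbot report.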