Thanks for the heads-up about the mailing list. I've been toying with syzbot myself and created a repo that sets up and runs it for me automatically:

https://github.com/ColinIanKing/syzkaller-script

I've not found any issues yet; syzkaller is like bitcoin mining, lots of compute with occasional wins.

Colin

On 14/01/2020 16:27, Dan Carpenter wrote:
> Hi Everyone,
>
> I joined the syzbot mailing list last week. It seems quite fun.
>
> I'm puzzling over this one right now.
>
> https://syzkaller.appspot.com/bug?extid=9a48339b077c5a80b869
>
> Notice the kernel is 5.5.0-rc3-syzkaller (git checkout v5.5-rc3).
>
> 1801  static int uvc_scan_device(struct uvc_device *dev)
> 1802  {
> 1803          struct uvc_video_chain *chain;
> 1804          struct uvc_entity *term;
> 1805
> 1806          list_for_each_entry(term, &dev->entities, list) {
> 1807                  if (!UVC_ENTITY_IS_OTERM(term))
> 1808                          continue;
> 1809
> 1810                  /* If the terminal is already included in a chain, skip it.
> 1811                   * This can happen for chains that have multiple output
> 1812                   * terminals, where all output terminals beside the first one
> 1813                   * will be inserted in the chain in forward scans.
> 1814                   */
> 1815                  if (term->chain.next || term->chain.prev)
> 1816                          continue;
> 1817
> 1818                  chain = uvc_alloc_chain(dev);
> 1819                  if (chain == NULL)
> 1820                          return -ENOMEM;
> 1821
> 1822                  term->flags |= UVC_ENTITY_FLAG_DEFAULT;
> 1823
> 1824                  if (uvc_scan_chain(chain, term) < 0) {
> 1825                          kfree(chain);
>                               ^^^^^
> Somehow this "chain" is used after it has been freed. That doesn't
> seem possible because uvc_scan_chain() doesn't store any reference to
> it.
>
> 1826                          continue;
> 1827                  }
> 1828
> 1829                  uvc_trace(UVC_TRACE_PROBE, "Found a valid video chain (%s).\n",
> 1830                            uvc_print_chain(chain));
> 1831
> 1832                  list_add_tail(&chain->list, &dev->chains);
> 1833          }
>
> It's like solving a puzzle. Reviewing code skills etc.
>
> regards,
> dan carpenter
>
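An added illustration, not code from this thread or from the uvcvideo driver, of one way a callee can keep hold of an object without anything that reads as "storing a reference": a list head embedded in the object, with the caller's entities linked into it through their own embedded list nodes. All names here (scan_chain, list_del_clear, struct entity, struct chain, dangling_after_release) are hypothetical stand-ins; the example does not claim to be the root cause of the syzbot report above, only the pattern worth checking whenever an object is kfree()d straight after a scan that failed part-way.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a minimal intrusive list in the style of the kernel's
 * struct list_head. Nodes embedded in one object can be linked into a list
 * head that lives inside another object. */
struct list_head {
    struct list_head *next, *prev;
};

static void list_init(struct list_head *h)
{
    h->next = h;
    h->prev = h;
}

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

/* Unlink n and clear its links so an "already in a chain?" test of the form
 * (node.next || node.prev) reads false again. Hypothetical helper. */
static void list_del_clear(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = NULL;
    n->prev = NULL;
}

/* Hypothetical stand-ins for the driver's objects, not uvcvideo's. */
struct entity {
    int id;
    struct list_head chain;    /* link into a chain's entity list */
};

struct chain {
    struct list_head entities; /* list head embedded in the chain itself */
};

/* Stand-in for a scan that links entities into the chain as it walks them
 * and can fail after some of them have already been linked. */
static int scan_chain(struct chain *c, struct entity *ents, size_t n, size_t fail_at)
{
    for (size_t i = 0; i < n; i++) {
        if (i == fail_at)
            return -1;
        list_add_tail(&ents[i].chain, &c->entities);
    }
    return 0;
}

/* Count entities whose embedded link is still set. Once the chain has been
 * freed, every such link points into freed memory. This reads only the
 * entities, never the freed chain. */
static size_t count_linked(const struct entity *ents, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (ents[i].chain.next || ents[i].chain.prev)
            k++;
    return k;
}

/* Scan n entities with a failure at index fail_at, release the chain either
 * by freeing it outright (unlink == 0) or by unlinking every entity first
 * (unlink == 1), and return how many entity links are left dangling. */
size_t dangling_after_release(size_t n, size_t fail_at, int unlink)
{
    struct entity *ents = calloc(n, sizeof *ents); /* links start out NULL */
    struct chain *c = malloc(sizeof *c);
    size_t left;

    if (!ents || !c) {
        free(ents);
        free(c);
        return (size_t)-1;
    }
    list_init(&c->entities);
    for (size_t i = 0; i < n; i++)
        ents[i].id = (int)i;

    (void)scan_chain(c, ents, n, fail_at);
    if (unlink) {
        /* Release pattern: undo every link the scan made before freeing. */
        while (c->entities.next != &c->entities)
            list_del_clear(c->entities.next);
    }
    free(c); /* the kfree(chain) of the failure path */

    left = count_linked(ents, n);
    free(ents);
    return left;
}

int main(void)
{
    printf("free without unlinking: %zu dangling links\n",
           dangling_after_release(4, 2, 0));
    printf("unlink, then free:      %zu dangling links\n",
           dangling_after_release(4, 2, 1));
    return 0;
}
```

The point for review is the `term->chain.next || term->chain.prev` test in the listing: a link of exactly that kind, living in an entity rather than in the chain, is what survives a `kfree(chain)` and is dereferenced the next time anything walks or re-links it. That is why KASAN on syzbot reports it as a use-after-free even though no plain pointer to the chain was saved, and why a release path that unlinks before freeing is the shape of fix to look for.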