https://bugzilla.kernel.org/show_bug.cgi?id=215241 --- Comment #4 from Maximilian Böhm (mabo@xxxxxxxxxx) --- Hallo again, found the commit: $ git bisect bad 2899243f272f8801dceb1bb692bd1a3ae3f281c2 is the first bad commit commit 2899243f272f8801dceb1bb692bd1a3ae3f281c2 Author: Pavel Skripkin <paskripkin@xxxxxxxxx> Date: Thu Jul 29 22:23:33 2021 +0200 media: em28xx: add missing em28xx_close_extension [ Upstream commit 2c98b8a3458df03abdc6945bbef67ef91d181938 ] If em28xx dev has ->dev_next pointer, we need to delete ->dev_next list node from em28xx_extension_devlist on disconnect to avoid UAF bugs and corrupted list bugs, since driver frees this pointer on disconnect. Reported-and-tested-by: syzbot+a6969ef522a36d3344c9@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 1a23f81b7dc3 ("V4L/DVB (9979): em28xx: move usb probe code to a proper place") Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> drivers/media/usb/em28xx/em28xx-cards.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) What next? -- You may reply to this email to add a comment. You are receiving this mail because: You are watching the assignee of the bug.
