[Bug 106084] [CI] igt at .* - BUG kmalloc-2048 (Tainted: G U W ): Poison overwritten

Fri May 11 14:31:21 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=106084

Chris Wilson <chris at chris-wilson.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Chris Wilson <chris at chris-wilson.co.uk> ---
commit 44a182b9d17765514fa2b1cc911e4e65134eef93
Author: Mathias Nyman <mathias.nyman at linux.intel.com>
Date:   Thu May 3 17:30:07 2018 +0300

    xhci: Fix use-after-free in xhci_free_virt_device

    KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
    where xhci_free_virt_device() sets slot id to 0 if udev exists:
    if (dev->udev && dev->udev->slot_id)
            dev->udev->slot_id = 0;

    dev->udev will be true even if udev is freed because dev->udev is
    not set to NULL.

    set dev->udev pointer to NULL in xhci_free_dev()

    The original patch went to stable so this fix needs to be applied
    there as well.

    Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling
and freeing a xhci slot")

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20180511/a89fa07d/attachment.html>