[Bug 106084] [CI] igt at .* - BUG kmalloc-2048 (Tainted: G U W ): Poison overwritten
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Fri May 11 14:31:21 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=106084
Chris Wilson <chris at chris-wilson.co.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #8 from Chris Wilson <chris at chris-wilson.co.uk> ---
commit 44a182b9d17765514fa2b1cc911e4e65134eef93
Author: Mathias Nyman <mathias.nyman at linux.intel.com>
Date: Thu May 3 17:30:07 2018 +0300
xhci: Fix use-after-free in xhci_free_virt_device
KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
where xhci_free_virt_device() sets slot id to 0 if udev exists:
if (dev->udev && dev->udev->slot_id)
dev->udev->slot_id = 0;
dev->udev will be true even if udev is freed because dev->udev is
not set to NULL.
set dev->udev pointer to NULL in xhci_free_dev()
The original patch went to stable so this fix needs to be applied
there as well.
Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling
and freeing a xhci slot")
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20180511/a89fa07d/attachment.html>
More information about the intel-gfx-bugs
mailing list