From: Nalivayko Sergey
CC: Nalivayko Sergey, Mauro Carvalho Chehab, Michael Krufky
Subject: [PATCH 1/2] media: dvb-usb-v2: add device init_ready flag
Date: Fri, 7 Nov 2025 18:44:25 +0300
Message-ID: <20251107154426.2116743-2-Sergey.Nalivayko@kaspersky.com>
In-Reply-To: <20251107154426.2116743-1-Sergey.Nalivayko@kaspersky.com>
References: <20251107154426.2116743-1-Sergey.Nalivayko@kaspersky.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The current implementation of dvb-usb-v2 initializes the device in
dvb_usbv2_probe() while making it immediately available for use in the
I2C, Remote Control, demux and potentially other kernel subsystems
before the driver has fully completed initialization. As a result, the
device becomes accessible through these subsystem interfaces
prematurely, allowing read/write operations to be invoked on the device
before it is fully initialized.

Introduce an atomic init_ready flag in struct dvb_usb_device for the
DVB-USB-V2 driver. Allow driver code to check this flag before
performing actions that access device state (for example I2C reads)
which may race with device initialization.

Signed-off-by: Nalivayko Sergey
---
 drivers/media/usb/dvb-usb-v2/dvb_usb.h      | 3 +++
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb.h b/drivers/media/usb/dvb= -usb-v2/dvb_usb.h index ecdc20d45132..ecb929e006ba 100644 --- a/drivers/media/usb/dvb-usb-v2/dvb_usb.h +++ b/drivers/media/usb/dvb-usb-v2/dvb_usb.h
@@ -389,6 +389,9 @@ struct dvb_usb_device { struct mutex i2c_mutex; struct i2c_adapter i2c_adap; =20 + /* Check in drivers to prevent read from uninitialized device */ + atomic_t init_ready; + struct dvb_usb_adapter adapter[MAX_NO_OF_ADAPTER_PER_DEVICE]; =20 /* remote control */ diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/us= b/dvb-usb-v2/dvb_usb_core.c index f1c79f351ec8..d1cd68f242cc 100644 --- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c +++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c @@ -988,6 +988,8 @@ int dvb_usbv2_probe(struct usb_interface *intf, exit: usb_set_intfdata(intf, d); =20 + atomic_set(&d->init_ready, 1); + return 0; err_free_all: dvb_usbv2_exit(d); 
@@ -1012,6 +1014,8 @@ void dvb_usbv2_disconnect(struct usb_interface *intf) dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=3D%d\n", __func__, intf->cur_altsetting->desc.bInterfaceNumber); =20 + atomic_set(&d->init_ready, 0); + if (d->props->exit) d->props->exit(d); =20 --=20 2.39.5
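
Review bot: The comment on the new init_ready field in struct dvb_usb_device only mentions reads, while the commit message describes the flag as guarding read/write operations and the same patch clears it again in dvb_usbv2_disconnect(). Please spell out the contract in the comment: where the flag is set, where it is cleared, and that drivers are expected to test it before any I/O on the device.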
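
Review bot: In the dvb_usbv2_probe() hunk, the plain atomic_set(&d->init_ready, 1) carries no ordering guarantee, so a reader that sees init_ready == 1 through atomic_read() is not guaranteed to also see the stores made during initialization. Use a release/acquire pair, for example atomic_set_release() here and atomic_read_acquire() at the check sites. The store also sits under the exit: label, so it runs on every path that jumps there; please confirm each of those paths has really finished initializing the device, or move the store above the label.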
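
Review bot: In the dvb_usbv2_disconnect() hunk, clearing init_ready immediately before d->props->exit(d) stops new callers but does nothing for a caller that already read the flag as 1 and is still inside a transfer when exit runs. If the flag is meant to protect teardown as well as probe, the clear has to be followed by something that waits for in-flight users, for instance taking and releasing i2c_mutex with the check repeated under that mutex; if it is meant for probe only, the commit message should say so.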

From: Nalivayko Sergey
CC: Nalivayko Sergey, Mauro Carvalho Chehab, Michael Krufky
Subject: [PATCH 2/2] media: mxl111sf: fix i2c race condition during device probe
Date: Fri, 7 Nov 2025 18:44:26 +0300
Message-ID: <20251107154426.2116743-3-Sergey.Nalivayko@kaspersky.com>
In-Reply-To: <20251107154426.2116743-1-Sergey.Nalivayko@kaspersky.com>
References: <20251107154426.2116743-1-Sergey.Nalivayko@kaspersky.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot reports a KASAN issue as below:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
CPU: 1 UID: 0 PID: 5849 Comm: syz-executor279 Not tainted 6.15.0-rc2-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:580 [inline]
RIP: 0010:__mutex_lock+0x15d/0x10c0 kernel/locking/mutex.c:746
Call Trace:
 dvb_usbv2_generic_write+0x26/0x50 drivers/media/usb/dvb-usb-v2/dvb_usb_urb.c:77
 mxl111sf_ctrl_msg+0x172/0x2e0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:73
 mxl111sf_write_reg+0xda/0x1f0 drivers/media/usb/dvb-usb-v2/mxl111sf.c:123
 mxl111sf_i2c_start drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:130 [inline]
 mxl111sf_i2c_sw_xfer_msg drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:-1 [inline]
 mxl111sf_i2c_xfer+0x923/0x8aa0 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c:813
 __i2c_transfer+0x859/0x2250 drivers/i2c/i2c-core-base.c:-1
 i2c_transfer+0x2c2/0x430 drivers/i2c/i2c-core-base.c:2315
 i2c_transfer_buffer_flags+0x182/0x260 drivers/i2c/i2c-core-base.c:2343
 i2c_master_recv include/linux/i2c.h:79 [inline]
 i2cdev_read+0x10a/0x220 drivers/i2c/i2c-dev.c:155
 vfs_read+0x21f/0xb90 fs/read_write.c:568
 ksys_read+0x19d/0x2d0 fs/read_write.c:713
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This occurs due to a race condition during DVB-USB-V2 device
initialization. While initialization is in progress, I2C data may be
read from userspace, leading to a NULL pointer dereference in
dvb_usbv2_generic_write and a kernel panic.

Thread 1 (probe device)            Thread 2 (receive i2c data)
...
dvb_usbv2_probe()
  ...
  d->priv = kzalloc(
    d->props->size_of_priv,
    GFP_KERNEL);
  ...
  dvb_usbv2_init()
    ...
    // can read data from i2c
    dvb_usbv2_i2c_init()
    ...
                                   ...
                                   i2cdev_read()
                                     ...
                                     // d->priv data is invalid. UB
                                     mxl111sf_i2c_xfer()
                                       ...
                                       mxl111sf_ctrl_msg()
                                         ...
                                         // null ptr deref
                                         dvb_usbv2_generic_write()
                                           ...
    ...
    // d->priv data is valid
    dvb_usbv2_adapter_init()
    ...

Add init_ready flag check to prevent I/O on uninitialized DVB-USB-V2
device.

Reported-by: syzbot+f9f5333782a854509322@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f9f5333782a854509322
Fixes: 4c66c9205c07 ("[media] dvb-usb: add ATSC support for the Hauppauge WinTV-Aero-M")
Cc: stable@vger.kernel.org
Signed-off-by: Nalivayko Sergey
---
 drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c b/drivers/media/us= b/dvb-usb-v2/mxl111sf-i2c.c index 100a1052dcbc..b7bad90b16dc 100644 --- a/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c +++ b/drivers/media/usb/dvb-usb-v2/mxl111sf-i2c.c
@@ -804,7 +804,7 @@ int mxl111sf_i2c_xfer(struct i2c_adapter *adap, int hwi2c =3D (state->chip_rev > MXL111SF_V6); int i, ret; =20 - if (mutex_lock_interruptible(&d->i2c_mutex) < 0) + if (!atomic_read(&d->init_ready) || mutex_lock_interruptible(&d->i2c_mute= x) < 0) return -EAGAIN; =20 for (i =3D 0; i < num; i++) { --=20 2.39.5
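
Review bot: In the mxl111sf_i2c_xfer() hunk, the init_ready test is evaluated before i2c_mutex is taken and shares the -EAGAIN return with an interrupted lock wait, so the flag can change between the check and the transfer, and a caller cannot tell a device that is not initialized (or already disconnected) from a transient condition worth retrying. Make it a separate test performed once the mutex is held, with its own error such as -ENODEV and an unlock on that path. The check also covers only this driver's I2C entry point, while the 1/2 commit message names Remote Control and demux as exposed too; please say whether those paths are handled elsewhere or are out of scope for this fix.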