In the Linux kernel, the following vulnerability has been resolved:

media: streamzap: fix race between device disconnection and urb callback

Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of the dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that does usb_kill_urb() wait for in-progress requests to finish. If rc_unregister_device() is called while the streamzap_callback() handler has not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
{
  "availability": "No subscription required",
  "ubuntu_priority": "medium",
  "binaries": [
    {
      "binary_version": "5.15.0-1019.24~20.04.1.1",
      "binary_name": "linux-image-unsigned-5.15.0-1019-azure-fde"
    },
    {
      "binary_version": "5.15.0-1019.24~20.04.1.1",
      "binary_name": "linux-image-unsigned-5.15.0-1019-azure-fde-dbgsym"
    }
  ]
}