mirror-linux/drivers/media/rc
Gautam Menghani 3f8b24ab0d media: imon: fix a race condition in send_packet()
[ Upstream commit 813ceef062 ]

The function send_packet() has a race condition as follows:

func send_packet()
{
    // do work
    call usb_submit_urb()
    mutex_unlock()
    wait_for_event_interruptible()  <-- lock gone
    mutex_lock()
}

func vfd_write()
{
    mutex_lock()
    call send_packet()  <- prev call is not completed
    mutex_unlock()
}

When the mutex is unlocked and the function send_packet() waits for the
call to complete, vfd_write() can start another call, which leads to the
"URB submitted while active" warning in usb_submit_urb().
Fix this by removing the mutex_unlock() call in send_packet() and using
mutex_lock_interruptible().

Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e

Fixes: 21677cfc56 ("V4L/DVB: ir-core: add imon driver")
Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-31 13:32:16 +01:00
img-ir
keymaps
Kconfig
Makefile
ati_remote.c media: ati-remote: remove private err() macro 2022-07-15 14:54:59 +01:00
bpf-lirc.c
ene_ir.c
ene_ir.h
fintek-cir.c
fintek-cir.h
gpio-ir-recv.c
gpio-ir-tx.c
igorplugusb.c media: igorplugusb: use correct size pass to igorplugusb_probe() 2022-07-15 14:52:20 +01:00
iguanair.c media: iguanair: no superfluous usb_unlink_urb() 2022-06-20 10:30:33 +01:00
imon.c media: imon: fix a race condition in send_packet() 2022-12-31 13:32:16 +01:00
imon_raw.c media: imon_raw: respect DMA coherency 2022-06-20 10:30:33 +01:00
ir-hix5hd2.c
ir-imon-decoder.c
ir-jvc-decoder.c
ir-mce_kbd-decoder.c
ir-nec-decoder.c
ir-rc5-decoder.c
ir-rc6-decoder.c
ir-rcmm-decoder.c
ir-rx51.c
ir-sanyo-decoder.c
ir-sharp-decoder.c
ir-sony-decoder.c
ir-spi.c
ir-xmp-decoder.c
ir_toy.c
ite-cir.c
ite-cir.h
lirc_dev.c media: rc: Directly use ida_free() 2022-06-20 10:30:33 +01:00
mceusb.c media: mceusb: set timeout to at least timeout provided 2022-09-24 07:50:42 +02:00
meson-ir-tx.c
meson-ir.c
mtk-cir.c
nuvoton-cir.c
nuvoton-cir.h
pwm-ir-tx.c
rc-core-priv.h
rc-ir-raw.c
rc-loopback.c
rc-main.c media: lirc: ensure lirc device receives repeats 2022-07-15 14:55:23 +01:00
redrat3.c media: redrat3: no unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
serial_ir.c
st_rc.c
streamzap.c media: streamzap: avoid unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
sunxi-cir.c
ttusbir.c media: ttusbir: avoid unnecessary usb_unlink_urb() 2022-06-20 10:30:33 +01:00
winbond-cir.c
xbox_remote.c media: xbox_remote: xbox_remote_initialize() cannot fail 2022-06-20 10:30:33 +01:00