From f314fd3c70a4c95ca05a4b5782ed468f6fbe9d60 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 9 Jun 2024 13:40:48 +0200
Subject: [PATCH] 5.10-stable patches added patches: media-cec-core-add-adap_nb_transmit_canceled-callback.patch
---
...d-adap_nb_transmit_canceled-callback.patch | 74 +++++++++++++++++++
queue-5.10/series | 1 +
2 files changed, 75 insertions(+)
create mode 100644 queue-5.10/media-cec-core-add-adap_nb_transmit_canceled-callback.patch
diff --git a/queue-5.10/media-cec-core-add-adap_nb_transmit_canceled-callback.patch b/queue-5.10/media-cec-core-add-adap_nb_transmit_canceled-callback.patch
new file mode 100644
index 00000000000..7030ce8a6bd
--- /dev/null
+++ b/queue-5.10/media-cec-core-add-adap_nb_transmit_canceled-callback.patch
@@ -0,0 +1,74 @@
+From da53c36ddd3f118a525a04faa8c47ca471e6c467 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 12 Jun 2023 15:58:37 +0200
+Subject: media: cec: core: add adap_nb_transmit_canceled() callback
+
+From: Hans Verkuil
+
+commit da53c36ddd3f118a525a04faa8c47ca471e6c467 upstream.
+
+A potential deadlock was found by Zheng Zhang with a local syzkaller
+instance.
+
+The problem is that when a non-blocking CEC transmit is canceled by calling
+cec_data_cancel, that in turn can call the high-level received() driver
+callback, which can call cec_transmit_msg() to transmit a new message.
+
+The cec_data_cancel() function is called with the adap->lock mutex held,
+and cec_transmit_msg() tries to take that same lock.
+
+The root cause is that the received() callback can either be used to pass
+on a received message (and then adap->lock is not held), or to report a
+canceled transmit (and then adap->lock is held).
+
+This is confusing, so create a new low-level adap_nb_transmit_canceled
+callback that reports back that a non-blocking transmit was canceled.
+
+And the received() callback is only called when a message is received,
+as was the case before commit f9d0ecbf56f4 ("media: cec: correctly pass
+on reply results") complicated matters.
+
+Reported-by: Zheng Zhang
+Signed-off-by: Hans Verkuil
+Fixes: f9d0ecbf56f4 ("media: cec: correctly pass on reply results")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/cec/core/cec-adap.c | 4 ++--
+ include/media/cec.h | 6 ++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -397,8 +397,8 @@ static void cec_data_cancel(struct cec_d
+ cec_queue_msg_monitor(adap, &data->msg, 1);
+
+ if (!data->blocking && data->msg.sequence)
+- /* Allow drivers to process the message first */
+- call_op(adap, received, &data->msg);
++ /* Allow drivers to react to a canceled transmit */
++ call_void_op(adap, adap_nb_transmit_canceled, &data->msg);
+
+ cec_data_completed(data);
+ }
+--- a/include/media/cec.h
++++ b/include/media/cec.h
+@@ -120,14 +120,16 @@ struct cec_adap_ops {
+ int (*adap_log_addr)(struct cec_adapter *adap, u8 logical_addr);
+ int (*adap_transmit)(struct cec_adapter *adap, u8 attempts,
+ u32 signal_free_time, struct cec_msg *msg);
++ void (*adap_nb_transmit_canceled)(struct cec_adapter *adap,
++ const struct cec_msg *msg);
+ void (*adap_status)(struct cec_adapter *adap, struct seq_file *file);
+ void (*adap_free)(struct cec_adapter *adap);
+
+- /* Error injection callbacks */
++ /* Error injection callbacks, called without adap->lock held */
+ int (*error_inj_show)(struct cec_adapter *adap, struct seq_file *sf);
+ bool (*error_inj_parse_line)(struct cec_adapter *adap, char *line);
+
+- /* High-level CEC message callback */
++ /* High-level CEC message callback, called without adap->lock held */
+ int (*received)(struct cec_adapter *adap, struct cec_msg *msg);
+ };
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 03af91b4db4..4043eadf54b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
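Review bot: In the `struct cec_adap_ops` hunk of `include/media/cec.h`, the new `adap_nb_transmit_canceled` member has no locking comment, while the two comments changed beside it state that the error-injection and `received` callbacks run without `adap->lock` held. Per the commit message and the `cec_data_cancel()` hunk, this callback is invoked with `adap->lock` held, so a driver that implements it and calls `cec_transmit_msg()` would hit the same self-deadlock this patch removes from `received()`. I would add `/* Called with adap->lock held; must not call cec_transmit_msg() or take adap->lock */` directly above the member. The struct begins outside the hunk, so a group comment there may already state this; that is worth confirming against the 5.10 tree before queuing.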
@@ -261,3 +261,4 @@ powerpc-uaccess-use-asm-goto-for-get_user-when-compi.patch
 hwmon-shtc1-fix-property-misspelling.patch
 alsa-timer-set-lower-bound-of-start-tick-time.patch
 genirq-cpuhotplug-x86-vector-prevent-vector-leak-during-cpu-offline.patch
+media-cec-core-add-adap_nb_transmit_canceled-callback.patch
--
2.47.3