git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Hans Verkuil <hverkuil-cisco@xs4all.nl>
	Mon, 12 Jun 2023 13:58:37 +0000 (15:58 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 16 Jun 2024 11:39:53 +0000 (13:39 +0200)
commit	a896c674d512ff47e3005713442b2ddbdbfaaa9a
tree	15122f87f1c0be4b64a511a56cf798a927d40189	tree
parent	8d49ca19727b46a39a70bb9780f07825ebd67f0b	commit \| diff

media: cec: core: add adap_nb_transmit_canceled() callback

commit da53c36ddd3f118a525a04faa8c47ca471e6c467 upstream.

A potential deadlock was found by Zheng Zhang with a local syzkaller
instance.

The problem is that when a non-blocking CEC transmit is canceled by calling
cec_data_cancel, that in turn can call the high-level received() driver
callback, which can call cec_transmit_msg() to transmit a new message.

The cec_data_cancel() function is called with the adap->lock mutex held,
and cec_transmit_msg() tries to take that same lock.

The root cause is that the received() callback can either be used to pass
on a received message (and then adap->lock is not held), or to report a
canceled transmit (and then adap->lock is held).

This is confusing, so create a new low-level adap_nb_transmit_canceled
callback that reports back that a non-blocking transmit was canceled.

And the received() callback is only called when a message is received,
as was the case before commit f9d0ecbf56f4 ("media: cec: correctly pass
on reply results") complicated matters.

Reported-by: Zheng Zhang <zheng.zhang@email.ucr.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: f9d0ecbf56f4 ("media: cec: correctly pass on reply results")
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/media/cec/core/cec-adap.c		diff \| blob \| blame \| history
include/media/cec.h		diff \| blob \| blame \| history