[PATCH v2] media: cec: disable delayed work before freeing an interrupted transmit

Biren Pandya

2:57 AM (20 hours ago)
to Hans Verkuil, Mauro Carvalho Chehab, Kees Cook, linux...@vger.kernel.org, linux-...@vger.kernel.org, hda...@sina.com, syzbot+051024...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Biren Pandya, sta...@vger.kernel.org
cec_transmit_msg_fh() drops adap->lock to wait for a blocking transmit in
wait_for_completion_killable(). If that wait is interrupted by a signal,
cancel_delayed_work_sync() can run before the CEC kthread arms the reply
timeout via schedule_delayed_work(&data->work) in cec_transmit_done_ts().
The work is then armed after the cancel, and the data is freed with its
delayed_work still pending:

ODEBUG: free active (active state 0) object: ... hint: cec_wait_timeout

Use disable_delayed_work_sync(): it cancels the work and disables it, so
the later schedule_delayed_work() becomes a no-op and the work cannot be
re-armed. The data is freed right after, so it need not be re-enabled.

Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work")
Reported-by: syzbot+051024...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=051024d603432b4ab395
Suggested-by: Hillf Danton <hda...@sina.com>
Cc: sta...@vger.kernel.org
Signed-off-by: Biren Pandya <biren...@gmail.com>
---
v2: Use disable_delayed_work_sync() instead of reordering the cancel, and
name the re-arm path. Suggested by Hillf Danton.
drivers/media/cec/core/cec-adap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
index 8f7244ac1d43..acb0b5483bbf 100644
--- a/drivers/media/cec/core/cec-adap.c
+++ b/drivers/media/cec/core/cec-adap.c
@@ -965,7 +965,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg,
*/
mutex_unlock(&adap->lock);
err = wait_for_completion_killable(&data->c);
- cancel_delayed_work_sync(&data->work);
+ disable_delayed_work_sync(&data->work);
mutex_lock(&adap->lock);

if (err)
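Review bot: the swap from cancel_delayed_work_sync() to disable_delayed_work_sync() lands without a code comment, so a reader of this call site cannot tell why the work is left disabled instead of cancelled and may later "simplify" it back; add a one-line comment above the call noting that data is freed right after and the work must not be re-armed by cec_transmit_done_ts(), mirroring the commit message. Since the patch is Cc'd to stable, also confirm that disable_delayed_work_sync() exists in every stable tree it targets; where it does not, the backport will fail to build and needs either the workqueue disable support or the v1 reordering approach instead.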
--
2.50.1
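The interleaving the commit message describes, replayed in plain C as an added example that is neither kernel code nor part of this patch: model_work, model_schedule, model_cancel_sync and model_disable_sync are constructed stand-ins for delayed_work and the three workqueue calls, reduced to a pending flag and a disable count.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a delayed_work: 'pending' is set by schedule and
 * cleared by cancel; 'disabled' counts disable calls (assumption: this
 * mirrors the real API, where a disabled work ignores scheduling). */
struct model_work {
    bool pending;
    int disabled;
};

/* schedule_delayed_work(): arms the work unless it has been disabled. */
static bool model_schedule(struct model_work *w)
{
    if (w->disabled)
        return false;          /* no-op: this is what closes the race */
    w->pending = true;
    return true;
}

/* cancel_delayed_work_sync(): drops a pending instance, but nothing
 * stops a later schedule from re-arming it. */
static void model_cancel_sync(struct model_work *w)
{
    w->pending = false;
}

/* disable_delayed_work_sync(): cancels and blocks re-arming. */
static void model_disable_sync(struct model_work *w)
{
    w->pending = false;
    w->disabled++;
}

/* Replay the losing order: the interrupted waiter cancels/disables first,
 * the CEC kthread then schedules the reply timeout, and data is freed.
 * Returns true if the work is still armed at free time, which is the
 * ODEBUG "free active object" condition from the report. */
bool freed_while_armed(bool use_disable)
{
    struct model_work w = { .pending = false, .disabled = 0 };

    if (use_disable)
        model_disable_sync(&w);    /* v2: disable_delayed_work_sync() */
    else
        model_cancel_sync(&w);     /* before: cancel_delayed_work_sync() */

    model_schedule(&w);            /* kthread arms the timeout too late */
    return w.pending;              /* true means use-after-free risk */
}
```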
