review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Gautam Menghani <gautammenghani201@gmail.com>
	Wed, 19 Oct 2022 05:02:14 +0000 (06:02 +0100)
committer	Mauro Carvalho Chehab <mchehab@kernel.org>
	Fri, 25 Nov 2022 08:00:45 +0000 (08:00 +0000)
commit	813ceef062b53d68f296aa3cb944b21a091fabdb
tree	b44f241888a1f804dfe8a68d8b8460ed394ab573	tree \| snapshot
parent	a42f363e6b58d1fc642d6d082dc660be73656ba5	commit \| diff

media: imon: fix a race condition in send_packet()

The function send_packet() has a race condition as follows:

func send_packet()
{
    // do work
    call usb_submit_urb()
    mutex_unlock()
    wait_for_event_interruptible()  <-- lock gone
    mutex_lock()
}

func vfd_write()
{
    mutex_lock()
    call send_packet()  <- prev call is not completed
    mutex_unlock()
}

When the mutex is unlocked and the function send_packet() waits for the
call to complete, vfd_write() can start another call, which leads to the
"URB submitted while active" warning in usb_submit_urb().
Fix this by removing the mutex_unlock() call in send_packet() and using
mutex_lock_interruptible().

Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e
Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>