media: cec: core: add adap_nb_transmit_canceled() callback
authorHans Verkuil <hverkuil-cisco@xs4all.nl>
Mon, 12 Jun 2023 13:58:37 +0000 (15:58 +0200)
committerMauro Carvalho Chehab <mchehab@kernel.org>
Thu, 10 Aug 2023 05:58:32 +0000 (07:58 +0200)
A potential deadlock was found by Zheng Zhang with a local syzkaller
instance.

The problem is that when a non-blocking CEC transmit is canceled by calling
cec_data_cancel, that in turn can call the high-level received() driver
callback, which can call cec_transmit_msg() to transmit a new message.

The cec_data_cancel() function is called with the adap->lock mutex held,
and cec_transmit_msg() tries to take that same lock.

The root cause is that the received() callback can either be used to pass
on a received message (and then adap->lock is not held), or to report a
canceled transmit (and then adap->lock is held).

This is confusing, so create a new low-level adap_nb_transmit_canceled
callback that reports back that a non-blocking transmit was canceled.

And the received() callback is only called when a message is received,
as was the case before commit f9d0ecbf56f4 ("media: cec: correctly pass
on reply results") complicated matters.

Reported-by: Zheng Zhang <zheng.zhang@email.ucr.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: f9d0ecbf56f4 ("media: cec: correctly pass on reply results")
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
drivers/media/cec/core/cec-adap.c
include/media/cec.h

index 241b1621b197c4f64677a6a16108f72b7322db11..a9b73fb33888d9397b70eeb27c25a85d907c201d 100644 (file)
@@ -385,8 +385,8 @@ static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status)
        cec_queue_msg_monitor(adap, &data->msg, 1);
 
        if (!data->blocking && data->msg.sequence)
        cec_queue_msg_monitor(adap, &data->msg, 1);
 
        if (!data->blocking && data->msg.sequence)
-               /* Allow drivers to process the message first */
-               call_op(adap, received, &data->msg);
+               /* Allow drivers to react to a canceled transmit */
+               call_void_op(adap, adap_nb_transmit_canceled, &data->msg);
 
        cec_data_completed(data);
 }
 
        cec_data_completed(data);
 }
index abee41ae02d0e91457ee584ca5696678e25943d7..6556cc161dc0ab43efdbe0dd5378f9398555947d 100644 (file)
@@ -121,14 +121,16 @@ struct cec_adap_ops {
        void (*adap_configured)(struct cec_adapter *adap, bool configured);
        int (*adap_transmit)(struct cec_adapter *adap, u8 attempts,
                             u32 signal_free_time, struct cec_msg *msg);
        void (*adap_configured)(struct cec_adapter *adap, bool configured);
        int (*adap_transmit)(struct cec_adapter *adap, u8 attempts,
                             u32 signal_free_time, struct cec_msg *msg);
+       void (*adap_nb_transmit_canceled)(struct cec_adapter *adap,
+                                         const struct cec_msg *msg);
        void (*adap_status)(struct cec_adapter *adap, struct seq_file *file);
        void (*adap_free)(struct cec_adapter *adap);
 
        void (*adap_status)(struct cec_adapter *adap, struct seq_file *file);
        void (*adap_free)(struct cec_adapter *adap);
 
-       /* Error injection callbacks */
+       /* Error injection callbacks, called without adap->lock held */
        int (*error_inj_show)(struct cec_adapter *adap, struct seq_file *sf);
        bool (*error_inj_parse_line)(struct cec_adapter *adap, char *line);
 
        int (*error_inj_show)(struct cec_adapter *adap, struct seq_file *sf);
        bool (*error_inj_parse_line)(struct cec_adapter *adap, char *line);
 
-       /* High-level CEC message callback */
+       /* High-level CEC message callback, called without adap->lock held */
        int (*received)(struct cec_adapter *adap, struct cec_msg *msg);
 };
 
        int (*received)(struct cec_adapter *adap, struct cec_msg *msg);
 };