Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized
mutex. The problem was in wrong mutex_init() location.
Previous mutex_init(&state->msg_lock) call was in ->init() function, but
dvb_usbv2_init() has this order of calls:
dvb_usbv2_init()
dvb_usbv2_adapter_init()
dvb_usbv2_adapter_frontend_init()
props->frontend_attach()
props->init()
Since mxl111sf_frontend_attach_atsc_mh() calls mxl111sf_ctrl_msg()
internally we need to initialize state->msg_lock in it to make lockdep
happy.
Reported-and-tested-by: syzbot+5ca0bf339f13c4243001@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 8572211842af ("[media] mxl111sf: convert to new DVB USB")
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
---
drivers/media/usb/dvb-usb-v2/mxl111sf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/mxl111sf.c b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
index 7865fa0a8295..2e5663ffa7ce 100644
--- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
+++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
@@ -931,8 +931,6 @@ static int mxl111sf_init(struct dvb_usb_device *d)
.len = sizeof(eeprom), .buf = eeprom },
};
- mutex_init(&state->msg_lock);
-
ret = get_chip_info(state);
if (mxl_fail(ret))
pr_err("failed to get chip info during probe");
@@ -979,8 +977,12 @@ static int mxl111sf_frontend_attach_mh(struct dvb_usb_adapter *adap)
static int mxl111sf_frontend_attach_atsc_mh(struct dvb_usb_adapter *adap)
{
int ret;
+ struct mxl111sf_state *state = d_to_priv(adap_to_d(adap));
+
pr_debug("%s\n", __func__);
+ mutex_init(&state->msg_lock);
+
ret = mxl111sf_lgdt3305_frontend_attach(adap, 0);
if (ret < 0)
return ret;
--
2.32.0
