This is a note to let you know that I've just added the patch titled media: ttusb-dec: avoid release of non-acquired mutex to the 5.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch and it can be found in the queue-5.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 102f30f38b9b9ab1daa8e539c7690347e3669997 Author: Evgeny Novikov <novikov@xxxxxxxxx> Date: Tue Jul 20 11:28:27 2021 +0200 media: ttusb-dec: avoid release of non-acquired mutex [ Upstream commit 36b9d695aa6fb8e9a312db21af41f90824d16ab4 ] ttusb_dec_send_command() invokes mutex_lock_interruptible() that can fail but then it releases the non-acquired mutex. The patch fixes that. Found by Linux Driver Verification project (linuxtesting.org). Fixes: dba328bab4c6 ("media: ttusb-dec: cleanup an error handling logic") Signed-off-by: Evgeny Novikov <novikov@xxxxxxxxx> Signed-off-by: Sean Young <sean@xxxxxxxx> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c index bfda46a36dc50..38822cedd93a9 100644 --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c @@ -327,7 +327,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, result = mutex_lock_interruptible(&dec->usb_mutex); if (result) { printk("%s: Failed to lock usb mutex.\n", __func__); - goto err; + goto err_free; } b[0] = 0xaa; @@ -349,7 +349,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, if (result) { printk("%s: command bulk message failed: error %d\n", __func__, result); - goto err; + goto err_mutex_unlock; } result = usb_bulk_msg(dec->udev, dec->result_pipe, b, @@ -358,7 +358,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, if (result) { printk("%s: result bulk message failed: error %d\n", __func__, result); - goto err; + goto err_mutex_unlock; } else { if (debug) { printk(KERN_DEBUG "%s: result: %*ph\n", @@ -371,9 +371,9 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, memcpy(cmd_result, &b[4], b[3]); } -err: +err_mutex_unlock: mutex_unlock(&dec->usb_mutex); - +err_free: kfree(b); return result; }