Patch "media: ttusb-dec: avoid release of non-acquired mutex" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 14 Nov 2021 22:16:02 -0500

This is a note to let you know that I've just added the patch titled

    media: ttusb-dec: avoid release of non-acquired mutex

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 102f30f38b9b9ab1daa8e539c7690347e3669997
Author: Evgeny Novikov <novikov@xxxxxxxxx>
Date:   Tue Jul 20 11:28:27 2021 +0200

    media: ttusb-dec: avoid release of non-acquired mutex
    
    [ Upstream commit 36b9d695aa6fb8e9a312db21af41f90824d16ab4 ]
    
    ttusb_dec_send_command() invokes mutex_lock_interruptible() that can
    fail but then it releases the non-acquired mutex. The patch fixes that.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Fixes: dba328bab4c6 ("media: ttusb-dec: cleanup an error handling logic")
    Signed-off-by: Evgeny Novikov <novikov@xxxxxxxxx>
    Signed-off-by: Sean Young <sean@xxxxxxxx>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c
index bfda46a36dc50..38822cedd93a9 100644
--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c
+++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c
@@ -327,7 +327,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
 	result = mutex_lock_interruptible(&dec->usb_mutex);
 	if (result) {
 		printk("%s: Failed to lock usb mutex.\n", __func__);
-		goto err;
+		goto err_free;
 	}
 
 	b[0] = 0xaa;
@@ -349,7 +349,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
 	if (result) {
 		printk("%s: command bulk message failed: error %d\n",
 		       __func__, result);
-		goto err;
+		goto err_mutex_unlock;
 	}
 
 	result = usb_bulk_msg(dec->udev, dec->result_pipe, b,
@@ -358,7 +358,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
 	if (result) {
 		printk("%s: result bulk message failed: error %d\n",
 		       __func__, result);
-		goto err;
+		goto err_mutex_unlock;
 	} else {
 		if (debug) {
 			printk(KERN_DEBUG "%s: result: %*ph\n",
@@ -371,9 +371,9 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
 			memcpy(cmd_result, &b[4], b[3]);
 	}
 
-err:
+err_mutex_unlock:
 	mutex_unlock(&dec->usb_mutex);
-
+err_free:
 	kfree(b);
 	return result;
 }






