Patch "media: cec: core: add adap_nb_transmit_canceled() callback" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    media: cec: core: add adap_nb_transmit_canceled() callback

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-cec-core-add-adap_nb_transmit_canceled-callbac.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 382467e0656b22d202965b76dd72b49ff237b67b
Author: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Date:   Mon Jun 12 15:58:37 2023 +0200

    media: cec: core: add adap_nb_transmit_canceled() callback
    
    [ Upstream commit da53c36ddd3f118a525a04faa8c47ca471e6c467 ]
    
    A potential deadlock was found by Zheng Zhang with a local syzkaller
    instance.
    
    The problem is that when a non-blocking CEC transmit is canceled by calling
    cec_data_cancel, that in turn can call the high-level received() driver
    callback, which can call cec_transmit_msg() to transmit a new message.
    
    The cec_data_cancel() function is called with the adap->lock mutex held,
    and cec_transmit_msg() tries to take that same lock.
    
    The root cause is that the received() callback can either be used to pass
    on a received message (and then adap->lock is not held), or to report a
    canceled transmit (and then adap->lock is held).
    
    This is confusing, so create a new low-level adap_nb_transmit_canceled
    callback that reports back that a non-blocking transmit was canceled.
    
    And the received() callback is only called when a message is received,
    as was the case before commit f9d0ecbf56f4 ("media: cec: correctly pass
    on reply results") complicated matters.
    
    Reported-by: Zheng Zhang <zheng.zhang@xxxxxxxxxxxxx>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
    Fixes: f9d0ecbf56f4 ("media: cec: correctly pass on reply results")
    Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
index bf5386d0f5858..1f8ac656aede1 100644
--- a/drivers/media/cec/core/cec-adap.c
+++ b/drivers/media/cec/core/cec-adap.c
@@ -397,8 +397,8 @@ static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status)
 	cec_queue_msg_monitor(adap, &data->msg, 1);
 
 	if (!data->blocking && data->msg.sequence)
-		/* Allow drivers to process the message first */
-		call_op(adap, received, &data->msg);
+		/* Allow drivers to react to a canceled transmit */
+		call_void_op(adap, adap_nb_transmit_canceled, &data->msg);
 
 	cec_data_completed(data);
 }
diff --git a/include/media/cec.h b/include/media/cec.h
index 23202bf439b47..38eb9334d854f 100644
--- a/include/media/cec.h
+++ b/include/media/cec.h
@@ -120,14 +120,16 @@ struct cec_adap_ops {
 	int (*adap_log_addr)(struct cec_adapter *adap, u8 logical_addr);
 	int (*adap_transmit)(struct cec_adapter *adap, u8 attempts,
 			     u32 signal_free_time, struct cec_msg *msg);
+	void (*adap_nb_transmit_canceled)(struct cec_adapter *adap,
+					  const struct cec_msg *msg);
 	void (*adap_status)(struct cec_adapter *adap, struct seq_file *file);
 	void (*adap_free)(struct cec_adapter *adap);
 
-	/* Error injection callbacks */
+	/* Error injection callbacks, called without adap->lock held */
 	int (*error_inj_show)(struct cec_adapter *adap, struct seq_file *sf);
 	bool (*error_inj_parse_line)(struct cec_adapter *adap, char *line);
 
-	/* High-level CEC message callback */
+	/* High-level CEC message callback, called without adap->lock held */
 	int (*received)(struct cec_adapter *adap, struct cec_msg *msg);
 };
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux