From 087bbf5393f105ce3f002e131f374fcc0612a345 Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Fri, 5 Jul 2024 14:14:32 +0800 Subject: [PATCH 1/2] media: cec: cec-adap: always cancel work in cec_transmit_msg_fh stable inclusion from stable-v4.19.316 commit 896dfd4d74f84c854d3a24d889e54a44329d313e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=896dfd4d74f84c854d3a24d889e54a44329d313e -------------------------------- [ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ] Do not check for !data->completed, just always call cancel_delayed_work_sync(). This fixes a small race condition. Signed-off-by: Hans Verkuil Reported-by: Yang, Chenyuan Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Yongqiang Liu
---
 drivers/media/cec/cec-adap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
index ba7e976bf6dc..a9b8c6636e50 100644
--- a/drivers/media/cec/cec-adap.c
+++ b/drivers/media/cec/cec-adap.c
@@ -863,8 +863,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg,
 */
 mutex_unlock(&adap->lock);
 wait_for_completion_killable(&data->c);
- if (!data->completed)
- cancel_delayed_work_sync(&data->work);
+ cancel_delayed_work_sync(&data->work);
 mutex_lock(&adap->lock);
 /* Cancel the transmit if it was interrupted */
-- Gitee
From 60c392ac3b616adcbf4b310fa7cf70bbef211adc Mon Sep 17 00:00:00 2001 
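Review bot: The now-unconditional `cancel_delayed_work_sync(&data->work)` after `wait_for_completion_killable(&data->c)` carries no comment explaining why the old `data->completed` test was unsafe, so a later cleanup could easily bring the test back. The removed check read `data->completed` in the window where `adap->lock` is dropped, so it could presumably see a stale value and skip the cancel while the delayed work was still queued; the commit message and CVE reference suggest this is the race being closed. I would add above the call: `/* Always cancel: data->completed cannot be trusted while adap->lock is dropped, and cancelling work that is not pending is harmless. */`. The call also has to stay ahead of `mutex_lock(&adap->lock)` if the work handler takes that lock, which is not visible here; the body of cec_transmit_msg_fh starts and ends outside the hunk.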
From: Hans Verkuil Date: Fri, 5 Jul 2024 14:14:33 +0800 Subject: [PATCH 2/2] media: cec: cec-api: add locking in cec_release() stable inclusion from stable-v4.19.316 commit d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c -------------------------------- [ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ] When cec_release() uses fh->msgs it has to take fh->lock, otherwise the list can get corrupted. Signed-off-by: Hans Verkuil Reported-by: Yang, Chenyuan Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Yongqiang Liu
---
 drivers/media/cec/cec-api.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
index b2b3f779592f..d4c848c2f376 100644
--- a/drivers/media/cec/cec-api.c
+++ b/drivers/media/cec/cec-api.c
@@ -660,6 +660,8 @@ static int cec_release(struct inode *inode, struct file *filp)
 list_del(&data->xfer_list);
 }
 mutex_unlock(&adap->lock);
+
+ mutex_lock(&fh->lock);
 while (!list_empty(&fh->msgs)) {
 struct cec_msg_entry *entry = list_first_entry(&fh->msgs, struct cec_msg_entry, list);
@@ -677,6 +679,7 @@ static int cec_release(struct inode *inode, struct file *filp)
 kfree(entry);
 }
 }
+ mutex_unlock(&fh->lock);
 kfree(fh);
 cec_put_device(devnode);
-- Gitee
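Review bot: The `fh->lock` taken in the first hunk protects the `fh->msgs` list while it is drained, but not the lifetime of `fh`: in the second hunk `kfree(fh)` follows directly after `mutex_unlock(&fh->lock)`, so any path still able to reach this handle and block on `fh->lock` would wake up on freed memory. The start of cec_release() is outside the hunk; presumably it unlinks `fh` from the adapter under `adap->lock` before this point, and that should be confirmed against the queueing paths that take `fh->lock`. A comment above the new `mutex_lock(&fh->lock)` would record the assumption, e.g. `/* fh is already unlinked from the adapter; this lock only serialises against msgs users still in flight */`. The two locks are not nested here, since `adap->lock` is released first, so this path adds no lock-ordering constraint of its own.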