linux/drivers/media/rc
Gautam Menghani 813ceef062 media: imon: fix a race condition in send_packet()
The function send_packet() has a race condition as follows:

func send_packet()
{
    // do work
    call usb_submit_urb()
    mutex_unlock()
    wait_for_event_interruptible()  <-- lock gone
    mutex_lock()
}

func vfd_write()
{
    mutex_lock()
    call send_packet()  <- prev call is not completed
    mutex_unlock()
}

When the mutex is unlocked and the function send_packet() waits for the
call to complete, vfd_write() can start another call, which leads to the
"URB submitted while active" warning in usb_submit_urb().
Fix this by removing the mutex_unlock() call in send_packet() and using
mutex_lock_interruptible().

Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e

Fixes: 21677cfc56 ("V4L/DVB: ir-core: add imon driver")
Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2022-11-25 08:00:45 +00:00
..
img-ir media: rc: img-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
keymaps media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
ati_remote.c media: ati-remote: remove private err() macro 2022-07-15 14:54:59 +01:00
bpf-lirc.c bpf: Move rcu lock management out of BPF_PROG_RUN routines 2022-04-19 09:45:47 -07:00
ene_ir.c media: rc: rename s_learning_mode() to s_wideband_receiver() 2021-07-22 08:21:53 +02:00
ene_ir.h
fintek-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
fintek-cir.h
gpio-ir-recv.c
gpio-ir-tx.c media: gpio-ir-tx: simplify wait logic 2022-05-08 07:07:16 +02:00
igorplugusb.c media: igorplugusb: use correct size pass to igorplugusb_probe() 2022-07-15 14:52:20 +01:00
iguanair.c media: iguanair: no superfluous usb_unlink_urb() 2022-06-20 10:30:33 +01:00
imon_raw.c media: imon_raw: respect DMA coherency 2022-06-20 10:30:33 +01:00
imon.c media: imon: fix a race condition in send_packet() 2022-11-25 08:00:45 +00:00
ir_toy.c media: ir_toy: free before error exiting 2022-01-24 01:35:35 +01:00
ir-hix5hd2.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-imon-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-jvc-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-mce_kbd-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-nec-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc5-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc6-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rcmm-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rx51.c media: ir-rx51: Switch to atomic PWM API 2021-11-15 08:29:29 +00:00
ir-sanyo-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sharp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sony-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-spi.c media: ir-spi: silence no spi_device_id warnings 2022-11-25 08:00:22 +00:00
ir-xmp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.h media: rc: ite-cir: replace some an EN DASH 2021-06-04 08:10:42 +02:00
Kconfig media: media/*/Kconfig: sort entries 2022-03-18 05:58:35 +01:00
lirc_dev.c media: rc: Directly use ida_free() 2022-06-20 10:30:33 +01:00
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
mceusb.c media: mceusb: set timeout to at least timeout provided 2022-09-24 07:50:42 +02:00
meson-ir-tx.c media: meson-ir-tx: remove superfluous dev_err() 2022-04-24 07:30:34 +01:00
meson-ir.c media: rc: meson-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
mtk-cir.c media: mtk-cir: simplify code 2022-01-24 01:38:32 +01:00
nuvoton-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
nuvoton-cir.h
pwm-ir-tx.c media: rc: pwm-ir-tx: Switch to atomic PWM API 2021-11-15 08:29:05 +00:00
rc-core-priv.h media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-ir-raw.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-loopback.c media: lirc: report ir receiver overflow 2022-01-28 19:32:50 +01:00
rc-main.c media: lirc: ensure lirc device receives repeats 2022-07-15 14:55:23 +01:00
redrat3.c media: redrat3: no unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
serial_ir.c media: rc: fix timeout handling after switch to microsecond durations 2021-01-11 12:58:44 +01:00
st_rc.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
streamzap.c media: streamzap: avoid unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
sunxi-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ttusbir.c media: ttusbir: avoid unnecessary usb_unlink_urb() 2022-06-20 10:30:33 +01:00
winbond-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
xbox_remote.c media: xbox_remote: xbox_remote_initialize() cannot fail 2022-06-20 10:30:33 +01:00