diff options
| author | Hans Verkuil <hverkuil-cisco@xs4all.nl> | 2023-06-12 15:58:37 +0200 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@kernel.org> | 2023-08-10 07:58:32 +0200 |
| commit | da53c36ddd3f118a525a04faa8c47ca471e6c467 (patch) | |
| tree | 749b96a20331befc34c2747cc78ad6f16b51fe65 /include/media | |
| parent | 99939beaefca29ca105900afaf81e6e9e591d2ef (diff) | |
media: cec: core: add adap_nb_transmit_canceled() callback
A potential deadlock was found by Zheng Zhang with a local syzkaller
instance.
The problem is that when a non-blocking CEC transmit is canceled by calling
cec_data_cancel, that in turn can call the high-level received() driver
callback, which can call cec_transmit_msg() to transmit a new message.
The cec_data_cancel() function is called with the adap->lock mutex held,
and cec_transmit_msg() tries to take that same lock.
The root cause is that the received() callback can either be used to pass
on a received message (and then adap->lock is not held), or to report a
canceled transmit (and then adap->lock is held).
This is confusing, so create a new low-level adap_nb_transmit_canceled
callback that reports back that a non-blocking transmit was canceled.
And the received() callback is only called when a message is received,
as was the case before commit f9d0ecbf56f4 ("media: cec: correctly pass
on reply results") complicated matters.
Reported-by: Zheng Zhang <zheng.zhang@email.ucr.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: f9d0ecbf56f4 ("media: cec: correctly pass on reply results")
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Diffstat (limited to 'include/media')
| -rw-r--r-- | include/media/cec.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/include/media/cec.h b/include/media/cec.h index abee41ae02d0..6556cc161dc0 100644 --- a/include/media/cec.h +++ b/include/media/cec.h @@ -121,14 +121,16 @@ struct cec_adap_ops { void (*adap_configured)(struct cec_adapter *adap, bool configured); int (*adap_transmit)(struct cec_adapter *adap, u8 attempts, u32 signal_free_time, struct cec_msg *msg); + void (*adap_nb_transmit_canceled)(struct cec_adapter *adap, + const struct cec_msg *msg); void (*adap_status)(struct cec_adapter *adap, struct seq_file *file); void (*adap_free)(struct cec_adapter *adap); - /* Error injection callbacks */ + /* Error injection callbacks, called without adap->lock held */ int (*error_inj_show)(struct cec_adapter *adap, struct seq_file *sf); bool (*error_inj_parse_line)(struct cec_adapter *adap, char *line); - /* High-level CEC message callback */ + /* High-level CEC message callback, called without adap->lock held */ int (*received)(struct cec_adapter *adap, struct cec_msg *msg); }; |