[SRU][F][PATCH 2/3] media: cec: core: avoid recursive cec_claim_log_addrs

Jacob Martin jacob.martin at canonical.com
Fri Jan 10 21:19:34 UTC 2025


From: Hans Verkuil <hverkuil-cisco at xs4all.nl>

Keep track if cec_claim_log_addrs() is running, and return -EBUSY
if it is when calling CEC_ADAP_S_LOG_ADDRS.

This prevents a case where cec_claim_log_addrs() could be called
while it was still in progress.

Signed-off-by: Hans Verkuil <hverkuil-cisco at xs4all.nl>
Reported-by: Yang, Chenyuan <cy54 at illinois.edu>
Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/
Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)")
Signed-off-by: Mauro Carvalho Chehab <mchehab at kernel.org>
(backported from commit 47c82aac10a6954d68f29f10d9758d016e8e5af1)
[jacobmartin: drop is_enabled from struct cec_adapter context]
CVE-2024-23848
Signed-off-by: Jacob Martin <jacob.martin at canonical.com>
---
 drivers/media/cec/cec-adap.c | 6 +++++-
 drivers/media/cec/cec-api.c  | 2 +-
 include/media/cec.h          | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
index cda48e58557c..c69583610a05 100644
--- a/drivers/media/cec/cec-adap.c
+++ b/drivers/media/cec/cec-adap.c
@@ -1533,9 +1533,12 @@ static int cec_config_thread_func(void *arg)
  */
 static void cec_claim_log_addrs(struct cec_adapter *adap, bool block)
 {
-	if (WARN_ON(adap->is_configuring || adap->is_configured))
+	if (WARN_ON(adap->is_claiming_log_addrs ||
+		    adap->is_configuring || adap->is_configured))
 		return;
 
+	adap->is_claiming_log_addrs = true;
+
 	init_completion(&adap->config_completion);
 
 	/* Ready to kick off the thread */
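Review bot: The new flag is folded into the `WARN_ON` at the top of `cec_claim_log_addrs()`, so a caller that arrives while a claim is in progress still raises a kernel warning instead of being refused quietly; on hosts running with `panic_on_warn` that becomes a crash. The cec-api.c hunk turns `CEC_ADAP_S_LOG_ADDRS` away before it reaches this function, but the other callers are not visible in this patch, so it is worth confirming that none of them can be reached from userspace during that window. A short comment above the assignment would also help, e.g. `/* Set under adap->lock; rejects re-entry while a blocking claim is waiting. */`. The function body continues past this hunk.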
@@ -1549,6 +1552,7 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block)
 		wait_for_completion(&adap->config_completion);
 		mutex_lock(&adap->lock);
 	}
+	adap->is_claiming_log_addrs = false;
 }
 
 /* Set a new physical address and send an event notifying userspace of this.
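Review bot: `is_claiming_log_addrs` is cleared only on the last statement of the function, and the statements between setting it and the `wait_for_completion()` call lie between the two hunks and are not shown. If any of them returns early, the flag would stay set and every later `CEC_ADAP_S_LOG_ADDRS` would be refused, so please confirm that all paths fall through to `adap->is_claiming_log_addrs = false;`. In the blocking case the clear comes after `mutex_lock(&adap->lock)`, so it is written with the lock held.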
diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
index 90e90234f5bd..4374c9cececb 100644
--- a/drivers/media/cec/cec-api.c
+++ b/drivers/media/cec/cec-api.c
@@ -178,7 +178,7 @@ static long cec_adap_s_log_addrs(struct cec_adapter *adap, struct cec_fh *fh,
 			   CEC_LOG_ADDRS_FL_ALLOW_RC_PASSTHRU |
 			   CEC_LOG_ADDRS_FL_CDC_ONLY;
 	mutex_lock(&adap->lock);
-	if (!adap->is_configuring &&
+	if (!adap->is_claiming_log_addrs && !adap->is_configuring &&
 	    (!log_addrs.num_log_addrs || !adap->is_configured) &&
 	    !cec_is_busy(adap, fh)) {
 		err = __cec_s_log_addrs(adap, &log_addrs, block);
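Review bot: The condition now tests two similar-looking flags, and nothing at the call site says why `is_configuring` alone is not enough. A one-line comment before the `if` would cover it, e.g. `/* is_claiming_log_addrs guards the window in which a blocking claim has released adap->lock */`. The error value returned when the condition fails is assigned outside this hunk; the commit message states it is -EBUSY.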
diff --git a/include/media/cec.h b/include/media/cec.h
index 06f88f126828..bde5f0f5918c 100644
--- a/include/media/cec.h
+++ b/include/media/cec.h
@@ -203,6 +203,7 @@ struct cec_adapter {
 
 	u16 phys_addr;
 	bool needs_hpd;
+	bool is_claiming_log_addrs;
 	bool is_configuring;
 	bool is_configured;
 	bool cec_pin_is_high;
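Review bot: The new `is_claiming_log_addrs` member gives no indication of which lock guards it. The accesses visible in this patch (the check in cec-api.c and the clear at the end of `cec_claim_log_addrs()`) happen with `adap->lock` held, so a trailing `/* protected by adap->lock */` on the field would record that for anyone adding a new reader. The struct definition extends beyond this hunk.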
-- 
2.43.0



