linux/drivers/media/rc
Tetsuo Handa db264d4c66 media: imon: reorganize serialization
Since usb_register_dev() from imon_init_display() from imon_probe() holds
minor_rwsem while display_open() which holds driver_lock and ictx->lock is
called with minor_rwsem held from usb_open(), holding driver_lock or
ictx->lock when calling usb_register_dev() causes a circular locking
dependency problem.

Since usb_deregister_dev() from imon_disconnect() holds minor_rwsem while
display_open() which holds driver_lock is called with minor_rwsem held,
holding driver_lock when calling usb_deregister_dev() also causes a circular
locking dependency problem.

Sean Young explained that the problem is that there are imon devices which
have two usb interfaces, even though it is one device. The probe and
disconnect function of both usb interfaces can run concurrently.

Alan Stern responded that the driver and USB cores guarantee that when an
interface is probed, both the interface and its USB device are locked.
Ditto for when the disconnect callback gets run. So concurrent probing/
disconnection of multiple interfaces on the same device is not possible.

Therefore, we don't need locks for handling the race between imon_probe()
and imon_disconnect(). But we still need to handle the race between
display_open()/vfd_write()/lcd_write()/display_close() and
imon_disconnect(), for a disconnect event can happen while file descriptors
are in use.

Since "struct file"->private_data is set by display_open(), vfd_write()/
lcd_write()/display_close() can assume that "struct file"->private_data
is not NULL even after usb_set_intfdata(interface, NULL) was called.

Replace the insufficiently held driver_lock with refcount_t-based
management. Add a boolean flag for recording whether imon_disconnect() was
already called. Use RCU for accessing this boolean flag and refcount_t.

Since the boolean flag for imon_disconnect() is shared, a disconnect event
on either intf0 or intf1 affects both interfaces. But I assume that this
change does not matter, for usually a disconnect event would not happen
while interfaces are in use.

Link: https://syzkaller.appspot.com/bug?extid=c558267ad910fc494497

Reported-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+c558267ad910fc494497@syzkaller.appspotmail.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2022-05-13 11:23:38 +02:00
..
img-ir media: rc: img-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
keymaps media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
ati_remote.c media: ati_remote: sanity check for both endpoints 2020-09-27 11:24:07 +02:00
bpf-lirc.c bpf: Allow to specify user-provided bpf_cookie for BPF perf links 2021-08-17 00:45:07 +02:00
ene_ir.c media: rc: rename s_learning_mode() to s_wideband_receiver() 2021-07-22 08:21:53 +02:00
ene_ir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fintek-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
fintek-cir.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
gpio-ir-recv.c media: rc: gpio-ir-recv: add QoS support for cpuidle system 2020-09-27 11:27:23 +02:00
gpio-ir-tx.c media: gpio-ir-tx: simplify wait logic 2022-05-08 07:07:16 +02:00
igorplugusb.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
iguanair.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
imon_raw.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
imon.c media: imon: reorganize serialization 2022-05-13 11:23:38 +02:00
ir_toy.c media: ir_toy: free before error exiting 2022-01-24 01:35:35 +01:00
ir-hix5hd2.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-imon-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-jvc-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-mce_kbd-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-nec-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc5-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc6-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rcmm-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rx51.c media: ir-rx51: Switch to atomic PWM API 2021-11-15 08:29:29 +00:00
ir-sanyo-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sharp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sony-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-spi.c media: rc: ir-spi: Drop empty spi_driver remove callback 2021-11-15 08:28:30 +00:00
ir-xmp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.h media: rc: ite-cir: replace some an EN DASH 2021-06-04 08:10:42 +02:00
Kconfig media: media/*/Kconfig: sort entries 2022-03-18 05:58:35 +01:00
lirc_dev.c media: lirc: report ir receiver overflow 2022-01-28 19:32:50 +01:00
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
mceusb.c media: mceusb: fix control-message timeouts 2021-11-19 06:03:51 +00:00
meson-ir-tx.c media: meson-ir-tx: remove superfluous dev_err() 2022-04-24 07:30:34 +01:00
meson-ir.c media: rc: meson-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
mtk-cir.c media: mtk-cir: simplify code 2022-01-24 01:38:32 +01:00
nuvoton-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
nuvoton-cir.h media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
pwm-ir-tx.c media: rc: pwm-ir-tx: Switch to atomic PWM API 2021-11-15 08:29:05 +00:00
rc-core-priv.h media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-ir-raw.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-loopback.c media: lirc: report ir receiver overflow 2022-01-28 19:32:50 +01:00
rc-main.c media: rc: rc-main.c: deleted the repeated word 2021-07-12 14:26:23 +02:00
redrat3.c media: redrat3: fix control-message timeouts 2021-11-19 06:04:16 +00:00
serial_ir.c media: rc: fix timeout handling after switch to microsecond durations 2021-01-11 12:58:44 +01:00
st_rc.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
streamzap.c media: streamzap: remove redundant gap calculations 2021-12-14 15:09:13 +01:00
sunxi-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ttusbir.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
winbond-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
xbox_remote.c media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00