From: Hans Verkuil hverkuil-cisco@xs4all.nl
stable inclusion from stable-v4.19.316 commit 896dfd4d74f84c854d3a24d889e54a44329d313e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ]
Do not check for !data->completed, just always call cancel_delayed_work_sync(). This fixes a small race condition.
Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Reported-by: Yang, Chenyuan cy54@illinois.edu Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@P... Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work") Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/media/cec/cec-adap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index ba7e976bf6dc9..a9b8c6636e50c 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -863,8 +863,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, */ mutex_unlock(&adap->lock); wait_for_completion_killable(&data->c); - if (!data->completed) - cancel_delayed_work_sync(&data->work); + cancel_delayed_work_sync(&data->work); mutex_lock(&adap->lock);
/* Cancel the transmit if it was interrupted */