From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
stable inclusion
from stable-v5.10.219
commit 9f6da5da3d7c73a0daca5c2bc90d3527520ee727
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89
CVE: CVE-2024-23848
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ]
When cec_release() uses fh->msgs it has to take fh->lock, otherwise the list can get corrupted.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Yang, Chenyuan <cy54@illinois.edu>
Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@P...
Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)")
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
---
 drivers/media/cec/core/cec-api.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/drivers/media/cec/core/cec-api.c b/drivers/media/cec/core/cec-api.c index f922a2196b2b7..893641ebc644b 100644 --- a/drivers/media/cec/core/cec-api.c +++ b/drivers/media/cec/core/cec-api.c @@ -672,6 +672,8 @@ static int cec_release(struct inode *inode, struct file *filp) list_del(&data->xfer_list); } mutex_unlock(&adap->lock); + + mutex_lock(&fh->lock); while (!list_empty(&fh->msgs)) { struct cec_msg_entry *entry = list_first_entry(&fh->msgs, struct cec_msg_entry, list); @@ -689,6 +691,7 @@ static int cec_release(struct inode *inode, struct file *filp) kfree(entry); } } + mutex_unlock(&fh->lock); kfree(fh);
cec_put_device(devnode);
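Review bot: In the first hunk of cec_release() (at -672), the new mutex_lock(&fh->lock) has no comment naming which concurrent path can still touch fh->msgs while the file handle is being released, and the commit message only says the list "can get corrupted". A one-line comment above the lock naming that path would make the requirement obvious to the next reader. The lock ordering itself looks fine: mutex_unlock(&adap->lock) runs before fh->lock is taken, so the two locks are never held together in this function.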
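Review bot: In the second hunk (at -689), mutex_unlock(&fh->lock) is followed directly by kfree(fh), and the mutex being released is a member of the object being freed. Please state in the commit message or in a comment why no other path can still reach this fh once the unlock runs. If a waiter could still be blocked on fh->lock at that point, it would acquire a lock that lives in freed memory.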