[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <921523bd-da2e-4ca6-b207-59668985657b@arnaud-lcm.com>
Date: Mon, 4 Aug 2025 16:46:20 +0100
From: Arnaud Lecomte <contact@...aud-lcm.com>
To: mchehab+huawei@...nel.org
Cc: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+0192952caa411a3be209@...kaller.appspotmail.com,
skhan@...uxfoundation.org
Subject: Re: [PATCH 2/2] media: dvb-usbv2: ensure safe USB transfers on
disconnect in i2c_xfer
I am forwarding this as I believe this is your correct new mail address.
Please let me know if this is incorrect, apologies in advance for any
inconvenience.
Arnaud
On 29/07/2025 18:14, Arnaud Lecomte wrote:
> Hi Mauro, I am bumping this as you may didn't had the chance to have a
> look.
> Cheers,
> Arnaud
>
> On 21/04/2025 17:31, Arnaud Lecomte wrote:
>> Previously, there was a potential race condition where a USB transfer
>> could
>> access inconsistent data if a disconnect occurred mid-transfer.
>> When this scenario happens (i.e when there is an USB disconnect during
>> the transfer), we would encounter an error related to the corruption of
>> st:
>> [ 66.967387][T10787] slab kmalloc-8k start ffff88804f5b4000
>> pointer offset 80 size 8192
>> [ 66.968252][T10787] list_del corruption. prev->next should be
>> ffffc9000d18f7e0, but was ffff88804f5b4050. (prev=ffff88804f5b4050)
>> [ 66.969443][T10787] ------------[ cut here ]------------
>> [ 66.969973][T10787] kernel BUG at lib/list_debug.c:64!
>> [ 66.970491][T10787] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
>> [ 66.971104][T10787] CPU: 0 UID: 0 PID: 10787 Comm: repro Not
>> tainted 6.15.0-rc3-00004-gcd75cc176092-dirty #28 PREEMPT(full)
>> [ 66.972204][T10787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX +
>> PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> [ 66.973236][T10787] RIP:
>> 0010:__list_del_entry_valid_or_report+0x15c/0x190
>> [ 66.973896][T10787] Code: ca da fb fc 42 80 3c 2b 00 74 08 4c 89
>> e7 e8 fb 29 1f fd 49 8b 14 24 48 c7 c7 a0 09 a2 8c 4c 89 fe 4c 89 e1
>> e8 55 43 18 fc 90 <0f> 0b 4c 89 f7 e8 9a da fb fc 42 80 3c 2b 00 74
>> 08 4c 89 e7 e8 cb
>>
>> Signed-off-by: Arnaud Lecomte <contact@...aud-lcm.com>
>> ---
>> drivers/media/usb/dvb-usb-v2/az6007.c | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c
>> b/drivers/media/usb/dvb-usb-v2/az6007.c
>> index e8ee18010346..f6b8e29d19de 100644
>> --- a/drivers/media/usb/dvb-usb-v2/az6007.c
>> +++ b/drivers/media/usb/dvb-usb-v2/az6007.c
>> @@ -752,8 +752,13 @@ static int az6007_i2c_xfer(struct i2c_adapter
>> *adap, struct i2c_msg msgs[],
>> int length;
>> u8 req, addr;
>> - if (mutex_lock_interruptible(&st->mutex) < 0)
>> + if (!usb_trylock_device(d->udev))
>> + return -EBUSY;
>> +
>> + if (mutex_lock_interruptible(&st->mutex) < 0) {
>> + usb_unlock_device(d->udev);
>> return -EAGAIN;
>> + }
>> for (i = 0; i < num; i++) {
>> addr = msgs[i].addr << 1;
>> @@ -821,6 +826,7 @@ static int az6007_i2c_xfer(struct i2c_adapter
>> *adap, struct i2c_msg msgs[],
>> }
>> err:
>> mutex_unlock(&st->mutex);
>> + usb_unlock_device(d->udev);
>> if (ret < 0) {
>> pr_info("%s ERROR: %i\n", __func__, ret);
>> return ret;
>>
Powered by blists - more mailing lists