
media: mxl111sf: change mutex_init() location

Syzbot reported, that mxl111sf_ctrl_msg() uses uninitialized
mutex. The problem was in wrong mutex_init() location.

Previous mutex_init(&state->msg_lock) call was in ->init() function, but
dvb_usbv2_init() has this order of calls:

dvb_usbv2_init()
dvb_usbv2_adapter_init()
dvb_usbv2_adapter_frontend_init()
props->frontend_attach()

props->init()

Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()
internally we need to initialize state->msg_lock before
frontend_attach(). To achieve this, a ->probe() callback was added to all mxl111sf_*
devices, which simply initializes the mutex.

Reported-and-tested-by: syzbot+5ca0bf339f13c4243001@syzkaller.appspotmail.com

Fixes: 8572211842af ("[media] mxl111sf: convert to new DVB USB")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

authored by

Pavel Skripkin and committed by
Mauro Carvalho Chehab
44870a9e dccdd92b

+14 -2
+14 -2
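--- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
+++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
@@ -931,8 +931,6 @@
 .len = sizeof(eeprom), .buf = eeprom },
 };
 
-mutex_init(&state->msg_lock);
-
 ret = get_chip_info(state);
 if (mxl_fail(ret))
 pr_err("failed to get chip info during probe");
@@ -1072,6 +1074,14 @@
 return 0;
 }
 
+static int mxl111sf_probe(struct dvb_usb_device *dev)
+{
+struct mxl111sf_state *state = d_to_priv(dev);
+
+mutex_init(&state->msg_lock);
+return 0;
+}
+
 static struct dvb_usb_device_properties mxl111sf_props_dvbt = {
 .driver_name = KBUILD_MODNAME,
 .owner = THIS_MODULE,
@@ -1089,6 +1083,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_dvbt,
 .tuner_attach = mxl111sf_attach_tuner,
@@ -1131,6 +1124,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_atsc,
 .tuner_attach = mxl111sf_attach_tuner,
@@ -1173,6 +1165,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_mh,
 .tuner_attach = mxl111sf_attach_tuner,
@@ -1242,6 +1233,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_atsc_mh,
 .tuner_attach = mxl111sf_attach_tuner,
@@ -1321,6 +1311,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_mercury,
 .tuner_attach = mxl111sf_attach_tuner,
@@ -1392,6 +1381,7 @@
 .generic_bulk_ctrl_endpoint = 0x02,
 .generic_bulk_ctrl_endpoint_response = 0x81,
 
+.probe = mxl111sf_probe,
 .i2c_algo = &mxl111sf_i2c_algo,
 .frontend_attach = mxl111sf_frontend_attach_mercury_mh,
 .tuner_attach = mxl111sf_attach_tuner,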
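Review bot: The new mxl111sf_probe() in the second hunk carries no comment explaining why mutex_init() now lives in ->probe rather than ->init, so the ordering constraint the commit message describes (->frontend_attach() runs before ->init() inside dvb_usbv2_init()) is recorded nowhere in the code, and a later cleanup could move the call back and reintroduce the uninitialized-lock use syzbot reported. A short comment above the function, e.g. `/* msg_lock must be usable from ->frontend_attach(), which dvb_usbv2_init() runs before ->init() */`, would pin that down. The first hunk's enclosing function starts and ends outside the hunk, so whether anything else in that ->init path still assumes the lock was initialized there cannot be checked from this view. The six `.probe = mxl111sf_probe,` additions are straightforward; the callback only initializes the lock and returns 0.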