From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E96381F8924; Tue, 3 Dec 2024 16:15:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733242526; cv=none; b=c62szxLUoSaZwxn2n7ooxdx8u/LqeLGTQ99BSw4Gcu+axbLQGPb1FjqQVgf8uc8PQScLE6/2a9MJTW4F4niq9iJ218v1FXZafOnXGdQq6YbuUVl9ZMBv0GDj7eArb9JCpEBylnb7PccBzbhVpM+W6KRI1J3tU5GELW2vrM9vilo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733242526; c=relaxed/simple; bh=xpsVmIaWZ43OS6Z3iSxVI7Y30qTFocC/QmzXPv3OEIo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sOngTI4M+hVXTMPXsdd2qAS5c7xDjqsdApgdMk39BQlZlxDcx4KMUQKFOksu/P3KdM/DFJ9bzvEHaEyEzZwkga3YCQjAio9spU8Nk4v2DW3MiwS0J1+kDxOQXpAk9MUYLEv3vNuYfUDmfVts0Pp5k8BTQYqLvrPD//tFhvCycRM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=dlpuVYaB; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="dlpuVYaB" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EACC7C4CED6; Tue, 3 Dec 2024 16:15:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1733242525; bh=xpsVmIaWZ43OS6Z3iSxVI7Y30qTFocC/QmzXPv3OEIo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dlpuVYaB7NULTJdG6NdrEbfd2TTZRDHrvBnLdvBXJffy0EJ9QaICBV9/8mabSuevx 9Of//lv71O8E4AXki6+HzPZyacEM9mgUxpAnmy6Zo/cSiizjpG1K4s6mhXRCw7OIlD iWvHg77SNMniDRTXViM7oEmgNlirovBj9LkZgubY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Qiu-ji Chen , Hans Verkuil Subject: [PATCH 6.12 731/826] media: wl128x: Fix atomicity violation in fmc_send_cmd() Date: Tue, 3 Dec 2024 15:47:38 +0100 Message-ID: <20241203144812.281871379@linuxfoundation.org> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20241203144743.428732212@linuxfoundation.org> References: <20241203144743.428732212@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Qiu-ji Chen commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream. Atomicity violation occurs when the fmc_send_cmd() function is executed simultaneously with the modification of the fmdev->resp_skb value. Consider a scenario where, after passing the validity check within the function, a non-null fmdev->resp_skb variable is assigned a null value. This results in an invalid fmdev->resp_skb variable passing the validity check. As seen in the later part of the function, skb = fmdev->resp_skb; when the invalid fmdev->resp_skb passes the check, a null pointer dereference error may occur at line 478, evt_hdr = (void *)skb->data; To address this issue, it is recommended to include the validity check of fmdev->resp_skb within the locked section of the function. This modification ensures that the value of fmdev->resp_skb does not change during the validation process, thereby maintaining its validity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") Cc: stable@vger.kernel.org Signed-off-by: Qiu-ji Chen Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman --- drivers/media/radio/wl128x/fmdrv_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/media/radio/wl128x/fmdrv_common.c +++ b/drivers/media/radio/wl128x/fmdrv_common.c @@ -466,11 +466,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000); return -ETIMEDOUT; } + spin_lock_irqsave(&fmdev->resp_skb_lock, flags); if (!fmdev->resp_skb) { + spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); fmerr("Response SKB is missing\n"); return -EFAULT; } - spin_lock_irqsave(&fmdev->resp_skb_lock, flags); skb = fmdev->resp_skb; fmdev->resp_skb = NULL; spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags);