LinuxTV Patchwork uvc: fix access to uninitialized fields on probe error

Submitter Oliver Neukum
Date April 30, 2019, 12:28 p.m.
Message ID <20190430122814.24986-1-oneukum@suse.com>
Permalink /patch/55951/
State New
Delegated to: Laurent Pinchart

Comments

Oliver Neukum - April 30, 2019, 12:28 p.m.
We need to check whether this work we are canceling actually is
initialized.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
---
 drivers/media/usb/uvc/uvc_ctrl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Laurent Pinchart - May 2, 2019, 11:43 a.m.
Hi Oliver,

Thank you for the patch.

On Tue, Apr 30, 2019 at 02:28:14PM +0200, Oliver Neukum wrote:
> We need to check whether this work we are canceling actually is
> initialized.

I think we should add

Fixes: e5225c820c05 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives")

> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> Reported-by: syzbot+2e1ef9188251d9cc7944@syzkaller.appspotmail.com
> ---
>  drivers/media/usb/uvc/uvc_ctrl.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
> index 14cff91b7aea..2b510c56cf91 100644
> --- a/drivers/media/usb/uvc/uvc_ctrl.c
> +++ b/drivers/media/usb/uvc/uvc_ctrl.c
> @@ -2350,7 +2350,9 @@ void uvc_ctrl_cleanup_device(struct uvc_device *dev)
>  	struct uvc_entity *entity;
>  	unsigned int i;
>  
> -	cancel_work_sync(&dev->async_ctrl.work);
> +	/* can be uninitialized if we are aborting on probe error */

Let's capitalise the comment and end it with a period to match the rest
of the driver. With these small issues fixed,

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

If you agree with the changes there's no need to resubmit, I'll fix when
applying.

> +	if (dev->async_ctrl.work.func)
> +		cancel_work_sync(&dev->async_ctrl.work);
>  
>  	/* Free controls and control mappings for all entities. */
>  	list_for_each_entry(entity, &dev->entities, list) {
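Review bot: the new `if (dev->async_ctrl.work.func)` test in uvc_ctrl_cleanup_device() is only a valid "was this work initialized" check if the uvc_device memory is zeroed at allocation, which this hunk does not show; otherwise `func` holds garbage on the probe error path and cancel_work_sync() still runs on an uninitialized work item. The test also reaches into a work_struct field rather than using the workqueue API. Consider moving the INIT_WORK() call ahead of the first probe step that can fail, so that the cancel_work_sync() call here can stay unconditional.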
Oliver Neukum - May 6, 2019, 10:36 a.m.
On Thu, 2019-05-02 at 14:43 +0300, Laurent Pinchart wrote:
> Let's capitalise the comment and end it with a period to match the rest
> of the driver. With these small issues fixed,
> 
> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Hi,

thank you. I agree with them.

	Regards
		Oliver

Patch

diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
index 14cff91b7aea..2b510c56cf91 100644
--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2350,7 +2350,9 @@  void uvc_ctrl_cleanup_device(struct uvc_device *dev)
 	struct uvc_entity *entity;
 	unsigned int i;
 
-	cancel_work_sync(&dev->async_ctrl.work);
+	/* can be uninitialized if we are aborting on probe error */
+	if (dev->async_ctrl.work.func)
+		cancel_work_sync(&dev->async_ctrl.work);
 
 	/* Free controls and control mappings for all entities. */
 	list_for_each_entry(entity, &dev->entities, list) {
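Review bot: the added comment above the `work.func` check says only "can be uninitialized" and does not name what is uninitialized or why a NULL `func` is a reliable indicator. Suggest wording it so that it names `async_ctrl.work` and states the assumption the check rests on (that the field is still zero when cleanup runs before the work has been set up), so a later reader does not remove the check or copy the pattern where that assumption does not hold.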
