linux-next/drivers/media/radio
Qiu-ji Chen ca59f9956d media: wl128x: Fix atomicity violation in fmc_send_cmd()
Atomicity violation occurs when the fmc_send_cmd() function is executed
simultaneously with the modification of the fmdev->resp_skb value.
Consider a scenario where, after passing the validity check within the
function, a non-null fmdev->resp_skb variable is assigned a null value.
This results in an invalid fmdev->resp_skb variable passing the validity
check. As seen in the later part of the function, skb = fmdev->resp_skb;
when the invalid fmdev->resp_skb passes the check, a null pointer
dereference error may occur at line 478, evt_hdr = (void *)skb->data;

To address this issue, it is recommended to include the validity check of
fmdev->resp_skb within the locked section of the function. This
modification ensures that the value of fmdev->resp_skb does not change
during the validation process, thereby maintaining its validity.

This possible bug is found by an experimental static analysis tool
developed by our team. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations.

Fixes: e8454ff7b9 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
Cc: stable@vger.kernel.org
Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-10-12 16:28:26 +02:00
si470x media: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-08-09 07:56:37 +02:00
si4713 media: Switch back to struct platform_driver::remove() 2024-10-12 16:28:25 +02:00
wl128x media: wl128x: Fix atomicity violation in fmc_send_cmd() 2024-10-12 16:28:26 +02:00
dsbr100.c Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
Kconfig media: add HAS_IOPORT dependencies 2023-06-28 11:09:25 +02:00
lm7000.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
radio-aimslab.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
radio-aztech.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
radio-cadet.c media: media/radio: set device_caps in struct video_device 2019-06-05 08:19:12 -04:00
radio-gemtek.c media: don't do a 31 bit shift on a signed int 2019-08-26 14:11:10 -03:00
radio-isa.c media: radio-isa: use dev_name to fill in bus_info 2023-09-27 10:47:23 +02:00
radio-isa.h isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
radio-keene.c Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
radio-ma901.c Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
radio-maxiradio.c media: v4l: ioctl: Set bus_info in v4l_querycap() 2022-04-24 08:07:08 +01:00
radio-miropcm20.c media: radio-miropcm20: set bus_info to explicit name 2023-09-27 10:47:23 +02:00
radio-mr800.c Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
radio-raremono.c media: radio-raremono: change devm_k*alloc to k*alloc 2019-06-27 07:35:24 -04:00
radio-rtrack2.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
radio-sf16fmi.c media: media/radio: make array probe_ports static const 2022-01-23 21:18:43 +01:00
radio-sf16fmr2.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
radio-shark2.c media: radio-shark2: Avoid led_names truncations 2024-04-08 13:48:19 +02:00
radio-shark.c media: radio-shark: Add endpoint checks 2023-04-20 11:43:22 +02:00
radio-si476x.c media: Switch back to struct platform_driver::remove() 2024-10-12 16:28:25 +02:00
radio-tea5764.c media: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-08-09 07:56:37 +02:00
radio-tea5777.c Linux 5.2-rc4 2019-06-11 12:09:28 -04:00
radio-tea5777.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
radio-terratec.c radio-terratec: Remove variable p 2022-10-24 19:03:54 +02:00
radio-timb.c media: Switch back to struct platform_driver::remove() 2024-10-12 16:28:25 +02:00
radio-trust.c media: remove include stdarg.h from some drivers 2019-08-26 14:01:44 -03:00
radio-typhoon.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
radio-wl1273.c media: Switch back to struct platform_driver::remove() 2024-10-12 16:28:25 +02:00
radio-zoltrix.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
saa7706h.c media: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-08-09 07:56:37 +02:00
tea575x.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tef6862.c media: Drop explicit initialization of struct i2c_device_id::driver_data to 0 2024-08-09 07:56:37 +02:00