On Tue Oct 22 08:30:30 2024 +0000, Ricardo Ribalda wrote:
> If uvc_probe() fails, it can end up calling uvc_status_unregister() before
> uvc_status_init() is called.
>
> Fix this by checking if dev->status is NULL or not in
> uvc_status_unregister().
>
> Reported-by: syzbot+9446d5e0d25571e6a...@syzkaller.appspotmail.com
> Closes:
> https://lore.kernel.org/linux-media/20241020160249.gd7...@pendragon.ideasonboard.com/T/#m506744621d72a2ace5dd2ab64055be9898112dbd
> Fixes: c5fe3ed618f9 ("media: uvcvideo: Avoid race condition during
> unregister")
> Signed-off-by: Ricardo Ribalda <riba...@chromium.org>
> Reviewed-by: Laurent Pinchart <laurent.pinch...@ideasonboard.com>
> Link:
> https://lore.kernel.org/r/20241022-race-unreg-v1-1-2212f364d...@chromium.org
> Signed-off-by: Laurent Pinchart <laurent.pinch...@ideasonboard.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+hua...@kernel.org>
Patch committed.
Thanks,
Mauro Carvalho Chehab
drivers/media/usb/uvc/uvc_status.c | 3 +++
1 file changed, 3 insertions(+)
---
diff --git a/drivers/media/usb/uvc/uvc_status.c
b/drivers/media/usb/uvc/uvc_status.c
index d269d163b579..ee01dce4b783 100644
--- a/drivers/media/usb/uvc/uvc_status.c
+++ b/drivers/media/usb/uvc/uvc_status.c
@@ -295,6 +295,9 @@ int uvc_status_init(struct uvc_device *dev)
void uvc_status_unregister(struct uvc_device *dev)
{
+ if (!dev->status)
+ return;
+
uvc_status_suspend(dev);
uvc_input_unregister(dev);
}
