diff mbox series

[1/2] media: rc: uevent sysfs file races with rc_register_device()

Message ID 20200808123123.1804-1-sean@mess.org
State New
Headers show
Series [1/2] media: rc: uevent sysfs file races with rc_register_device() | expand

Commit Message

Sean Young Aug. 8, 2020, 12:31 p.m. UTC 
Only report uevent file contents if device still exists, else we might
read freed memory.

Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com
Cc: Hillf Danton <hdanton@sina.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/media/rc/rc-main.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index 7b53066d9d07..503ae4f3dec3 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1612,6 +1612,12 @@  static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
 {
 	struct rc_dev *dev = to_rc_dev(device);
 
+	mutex_lock(&dev->lock);
+	if (!dev->registered) {
+		mutex_unlock(&dev->lock);
+		return -ENODEV;
+	}
+
 	if (dev->rc_map.name)
 		ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
 	if (dev->driver_name)
@@ -1619,6 +1625,8 @@  static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
 	if (dev->device_name)
 		ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name);
 
+	mutex_unlock(&dev->lock);
+
 	return 0;
 }
 
@@ -2011,14 +2019,14 @@  void rc_unregister_device(struct rc_dev *dev)
 	del_timer_sync(&dev->timer_keyup);
 	del_timer_sync(&dev->timer_repeat);
 
-	rc_free_rx_device(dev);
-
 	mutex_lock(&dev->lock);
 	if (dev->users && dev->close)
 		dev->close(dev);
 	dev->registered = false;
 	mutex_unlock(&dev->lock);
 
+	rc_free_rx_device(dev);
+
 	/*
 	 * lirc device should be freed with dev->registered = false, so
 	 * that userspace polling will get notified.