diff options
| author | Gui-Dong Han <hanguidong02@gmail.com> | 2025-06-06 03:04:59 +0000 |
|---|---|---|
| committer | Hans Verkuil <hverkuil@xs4all.nl> | 2025-06-17 10:35:16 +0200 |
| commit | 7af160aea26c7dc9e6734d19306128cce156ec40 (patch) | |
| tree | 8e14ae9be616fd936b8f569e78386578a3409542 /tools/perf/scripts/python/stackcollapse.py | |
| parent | 42a5c1dfaaab6e48b867aa41d9d4d0a5b09b2a70 (diff) | |
| download | linux-7af160aea26c7dc9e6734d19306128cce156ec40.tar.gz linux-7af160aea26c7dc9e6734d19306128cce156ec40.zip | |
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. An corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions