Date: Tue, 23 Jan 2024 11:39:00 +0100
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [Linux Kernel Bugs] KASAN: slab-use-after-free Read in cec_queue_msg_fh and 4 other crashes in the cec device (`cec_ioctl`)
From: Hans Verkuil
To: "Yang, Chenyuan", "linux-media@vger.kernel.org", "linux-kernel@vger.kernel.org"
Cc: "jani.nikula@intel.com", "syzkaller@googlegroups.com", "mchehab@kernel.org", "Zhao, Zijie", "Zhang, Lingming"
References: <89FAADA9-D4EC-4C27-9F8F-1D86B7416DE1@illinois.edu> <382c37c0-15c1-48ad-a8d0-a6bc4bd7160a@xs4all.nl>
In-Reply-To: <382c37c0-15c1-48ad-a8d0-a6bc4bd7160a@xs4all.nl>

On 23/01/2024 09:02, Hans Verkuil wrote:
> On 22/01/2024 20:11, Yang, Chenyuan wrote:
>> Hi Hans,
>>
>> Thank you very much for providing the patch!
>>
>> After running the reproducible programs and 24-hour fuzzing, it seems that this patch could fix the issues 1, 2, 3 and 5.
>
> Ah, that's good news.
>
>>
>> The 4th issue, "INFO: task hung in cec_claim_log_addrs", is still triggered after applying the patch.
>
> I'll dig a bit deeper into this one, see if I can figure out the cause.
>
> Thank you for your help in testing this!

Can you do another testrun with this patch on top of the previous one?

Thank you!

Regards,

Hans

Signed-off-by: Hans Verkuil
---
diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
index 079c3b142d91..7b5dcdf775cc 100644
--- a/drivers/media/cec/core/cec-adap.c
+++ b/drivers/media/cec/core/cec-adap.c
@@ -935,7 +935,8 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, * Release the lock and wait, retake the lock afterwards. */ mutex_unlock(&adap->lock); - wait_for_completion_killable(&data->c); + wait_for_completion_killable_timeout(&data->c, + msecs_to_jiffies(adap->xfer_timeout_ms + 1000)); cancel_delayed_work_sync(&data->work); mutex_lock(&adap->lock);
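Review bot: the return value of wait_for_completion_killable_timeout() is discarded in the replaced line, so a timeout (return value 0) and a kill signal (-ERESTARTSYS) fall through to cancel_delayed_work_sync(&data->work) and mutex_lock(&adap->lock) exactly as a normal completion does, and nothing records that data->c was never completed. Since the thread is chasing "task hung in cec_claim_log_addrs", a timeout here is precisely the case worth surfacing: suggest keeping the result, e.g. "long ret = wait_for_completion_killable_timeout(&data->c, msecs_to_jiffies(adap->xfer_timeout_ms + 1000));" and, on ret == 0, at least a dprintk/WARN_ONCE naming the adapter so the underlying lost completion can be diagnosed rather than silently bounded. A short comment above the call explaining why the bound is xfer_timeout_ms plus a 1000 ms margin would also help the next reader, and it is worth confirming that adap->xfer_timeout_ms cannot be 0 at this point, because then the wait collapses to one second.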