media: uvcvideo: Fix deadlock during uvc_probe

Desnes Nunes · Desnes Nunes · commit f8a4dc50a3d4 · 2025-03-19T21:24:08.000-03:00
JIRA: https://issues.redhat.com/browse/RHEL-78828 CVE: CVE-2024-58059 commit a67f75c Author: Ricardo Ribalda <ribalda@chromium.org> Date: Tue, 22 Oct 2024 08:30:30 +0000 CVE: CVE-2024-58059 If uvc_probe() fails, it can end up calling uvc_status_unregister() before uvc_status_init() is called. Fix this by checking if dev->status is NULL or not in uvc_status_unregister(). Reported-by: syzbot+9446d5e0d25571e6a212@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-media/20241020160249.GD7770@pendragon.ideasonboard.com/T/#m506744621d72a2ace5dd2ab64055be9898112dbd Fixes: c5fe3ed ("media: uvcvideo: Avoid race condition during unregister") Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Link: https://lore.kernel.org/r/20241022-race-unreg-v1-1-2212f364d9de@chromium.org Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Desnes Nunes <desnesn@redhat.com>
diff --git a/drivers/media/usb/uvc/uvc_status.c b/drivers/media/usb/uvc/uvc_status.c
@@ -294,6 +294,9 @@ int uvc_status_init(struct uvc_device *dev)
 
 void uvc_status_unregister(struct uvc_device *dev)
 {
+	if (!dev->status)
+		return;
+
 	uvc_status_suspend(dev);
 	uvc_input_unregister(dev);
 }

Original file line number	Diff line number	Diff line change
`@@ -294,6 +294,9 @@ int uvc_status_init(struct uvc_device *dev)`
`294`	`294`
`295`	`295`	`void uvc_status_unregister(struct uvc_device *dev)`
`296`	`296`	`{`
	`297`	`+ if (!dev->status)`
	`298`	`+ return;`
	`299`	`+`
`297`	`300`	`uvc_status_suspend(dev);`
`298`	`301`	`uvc_input_unregister(dev);`
`299`	`302`	`}`