| Message ID | 20171004215051.13385-6-sakari.ailus@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Hi, On Thu, Oct 05, 2017 at 12:50:24AM +0300, Sakari Ailus wrote: > The check whether an async sub-device is bound to a notifier was performed > without list_lock held, making it possible for another process to > unbind the async sub-device before the sub-device unregistration function > proceeds to take the lock. > > Fix this by first acquiring the lock and then proceeding with the check. > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk> -- Sebastian > --- > drivers/media/v4l2-core/v4l2-async.c | 18 +++++++----------- > 1 file changed, 7 insertions(+), 11 deletions(-) > > diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c > index 4924481451ca..cde2cf2ab4b0 100644 > --- a/drivers/media/v4l2-core/v4l2-async.c > +++ b/drivers/media/v4l2-core/v4l2-async.c > @@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev); > > void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) > { > - struct v4l2_async_notifier *notifier = sd->notifier; > - > - if (!sd->asd) { > - if (!list_empty(&sd->async_list)) > - v4l2_async_cleanup(sd); > - return; > - } > - > mutex_lock(&list_lock); > > - list_add(&sd->asd->list, ¬ifier->waiting); > + if (sd->asd) { > + struct v4l2_async_notifier *notifier = sd->notifier; > > - if (notifier->unbind) > - notifier->unbind(notifier, sd, sd->asd); > + list_add(&sd->asd->list, ¬ifier->waiting); > + > + if (notifier->unbind) > + notifier->unbind(notifier, sd, sd->asd); > + } > > v4l2_async_cleanup(sd); > > -- > 2.11.0 >
On 04/10/17 23:50, Sakari Ailus wrote: > The check whether an async sub-device is bound to a notifier was performed > without list_lock held, making it possible for another process to > unbind the async sub-device before the sub-device unregistration function > proceeds to take the lock. > > Fix this by first acquiring the lock and then proceeding with the check. > > Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> > --- > drivers/media/v4l2-core/v4l2-async.c | 18 +++++++----------- > 1 file changed, 7 insertions(+), 11 deletions(-) > > diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c > index 4924481451ca..cde2cf2ab4b0 100644 > --- a/drivers/media/v4l2-core/v4l2-async.c > +++ b/drivers/media/v4l2-core/v4l2-async.c > @@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev); > > void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) > { > - struct v4l2_async_notifier *notifier = sd->notifier; > - > - if (!sd->asd) { > - if (!list_empty(&sd->async_list)) > - v4l2_async_cleanup(sd); > - return; > - } > - > mutex_lock(&list_lock); > > - list_add(&sd->asd->list, ¬ifier->waiting); > + if (sd->asd) { > + struct v4l2_async_notifier *notifier = sd->notifier; > > - if (notifier->unbind) > - notifier->unbind(notifier, sd, sd->asd); > + list_add(&sd->asd->list, ¬ifier->waiting); > + > + if (notifier->unbind) > + notifier->unbind(notifier, sd, sd->asd); > + } > > v4l2_async_cleanup(sd); > >
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c index 4924481451ca..cde2cf2ab4b0 100644 --- a/drivers/media/v4l2-core/v4l2-async.c +++ b/drivers/media/v4l2-core/v4l2-async.c @@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev); void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) { - struct v4l2_async_notifier *notifier = sd->notifier; - - if (!sd->asd) { - if (!list_empty(&sd->async_list)) - v4l2_async_cleanup(sd); - return; - } - mutex_lock(&list_lock); - list_add(&sd->asd->list, ¬ifier->waiting); + if (sd->asd) { + struct v4l2_async_notifier *notifier = sd->notifier; - if (notifier->unbind) - notifier->unbind(notifier, sd, sd->asd); + list_add(&sd->asd->list, ¬ifier->waiting); + + if (notifier->unbind) + notifier->unbind(notifier, sd, sd->asd); + } v4l2_async_cleanup(sd);
The check whether an async sub-device is bound to a notifier was performed without list_lock held, making it possible for another process to unbind the async sub-device before the sub-device unregistration function proceeds to take the lock. Fix this by first acquiring the lock and then proceeding with the check. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> --- drivers/media/v4l2-core/v4l2-async.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-)