Message ID | 20200313082258.6930-1-tomi.valkeinen@ti.com (mailing list archive) |
---|---|
State | New, archived |
Series | media: ov5640: fix use of destroyed mutex |
Hi Tomi, Thank you for the patch. On Fri, Mar 13, 2020 at 10:22:58AM +0200, Tomi Valkeinen wrote: > v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set > to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the > sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting > in the use of the destroyed mutex. > > Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy(). > > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> > Cc: stable@vger.kernel.org > --- > drivers/media/i2c/ov5640.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c > index 854031f0b64a..64511de4eea8 100644 > --- a/drivers/media/i2c/ov5640.c > +++ b/drivers/media/i2c/ov5640.c > @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) > struct ov5640_dev *sensor = to_ov5640_dev(sd); > > v4l2_async_unregister_subdev(&sensor->sd); > + v4l2_ctrl_handler_free(&sensor->ctrls.handler); > mutex_destroy(&sensor->lock); > media_entity_cleanup(&sensor->sd.entity); > - v4l2_ctrl_handler_free(&sensor->ctrls.handler); While at it, could you move the mutex after media_entity_cleanup() too, to avoid future problems in case it gets used through that path ? Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > return 0; > }
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..64511de4eea8 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd); v4l2_async_unregister_subdev(&sensor->sd); + v4l2_ctrl_handler_free(&sensor->ctrls.handler); mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); - v4l2_ctrl_handler_free(&sensor->ctrls.handler); return 0; }
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.

Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy().

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: stable@vger.kernel.org
---
drivers/media/i2c/ov5640.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
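Review bot: in ov5640_remove(), mutex_destroy(&sensor->lock) still runs before media_entity_cleanup(&sensor->sd.entity), so the lock is destroyed while one teardown call is still pending. Moving mutex_destroy() down to the last statement before "return 0;" would make the ordering independent of which cleanup helpers take the lock, which is the same class of problem this change fixes for v4l2_ctrl_handler_free(). A short comment at that spot noting that the control handler's lock is sensor->lock would help keep the order intact in later edits.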