patches/0289-media-v4l-async-Correctly-serialise-async-sub-device.patch - pub/scm/linux/kernel/git/ltsi/ltsi-kernel - Git at Google

 From 5b1369c3e7b25db8d31afb042ab8b30810a20dfa Mon Sep 17 00:00:00 2001
 From: Sakari Ailus <sakari.ailus@linux.intel.com>
 Date: Tue, 3 Oct 2017 02:26:32 -0400
 Subject: [PATCH 0289/1795] media: v4l: async: Correctly serialise async
  sub-device unregistration
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 The check whether an async sub-device is bound to a notifier was performed
 without list_lock held, making it possible for another process to
 unbind the async sub-device before the sub-device unregistration function
 proceeds to take the lock.

 Fix this by first acquiring the lock and then proceeding with the check.

 Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
 Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
 Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
 Acked-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
 Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
 (cherry picked from commit 7fc4fdb9e1bd821c0bd39543d233ac5246aef2de)
 Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
 Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
 ---
  drivers/media/v4l2-core/v4l2-async.c | 18 +++++++-----------
  1 file changed, 7 insertions(+), 11 deletions(-)

 diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
 index e36d6274a692..cd0a716a3a45 100644
 --- a/drivers/media/v4l2-core/v4l2-async.c
 +++ b/drivers/media/v4l2-core/v4l2-async.c
 @@ -329,20 +329,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev);

  void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
  {
 -	struct v4l2_async_notifier *notifier = sd->notifier;
 -
 -	if (!sd->asd) {
 -		if (!list_empty(&sd->async_list))
 -			v4l2_async_cleanup(sd);
 -		return;
 -	}
 -
  	mutex_lock(&list_lock);

 -	list_add(&sd->asd->list, &notifier->waiting);
 +	if (sd->asd) {
 +		struct v4l2_async_notifier *notifier = sd->notifier;

 -	if (notifier->unbind)
 -		notifier->unbind(notifier, sd, sd->asd);
 +		list_add(&sd->asd->list, &notifier->waiting);
 +
 +		if (notifier->unbind)
 +			notifier->unbind(notifier, sd, sd->asd);
 +	}

  	v4l2_async_cleanup(sd);

 --
 2.19.0
	From 5b1369c3e7b25db8d31afb042ab8b30810a20dfa Mon Sep 17 00:00:00 2001
	From: Sakari Ailus <sakari.ailus@linux.intel.com>
	Date: Tue, 3 Oct 2017 02:26:32 -0400
	Subject: [PATCH 0289/1795] media: v4l: async: Correctly serialise async
	sub-device unregistration
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	The check whether an async sub-device is bound to a notifier was performed
	without list_lock held, making it possible for another process to
	unbind the async sub-device before the sub-device unregistration function
	proceeds to take the lock.

	Fix this by first acquiring the lock and then proceeding with the check.

	Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
	Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
	Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
	Acked-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
	Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
	(cherry picked from commit 7fc4fdb9e1bd821c0bd39543d233ac5246aef2de)
	Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
	Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
	---
	drivers/media/v4l2-core/v4l2-async.c \| 18 +++++++-----------
	1 file changed, 7 insertions(+), 11 deletions(-)

	diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
	index e36d6274a692..cd0a716a3a45 100644
	--- a/drivers/media/v4l2-core/v4l2-async.c
	+++ b/drivers/media/v4l2-core/v4l2-async.c
	@@ -329,20 +329,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev);

	void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
	{
	- struct v4l2_async_notifier *notifier = sd->notifier;
	-
	- if (!sd->asd) {
	- if (!list_empty(&sd->async_list))
	- v4l2_async_cleanup(sd);
	- return;
	- }
	-
	mutex_lock(&list_lock);

	- list_add(&sd->asd->list, &notifier->waiting);
	+ if (sd->asd) {
	+ struct v4l2_async_notifier *notifier = sd->notifier;

	- if (notifier->unbind)
	- notifier->unbind(notifier, sd, sd->asd);
	+ list_add(&sd->asd->list, &notifier->waiting);
	+
	+ if (notifier->unbind)
	+ notifier->unbind(notifier, sd, sd->asd);
	+ }

	v4l2_async_cleanup(sd);

	--
	2.19.0