On 04/10/17 23:50, Sakari Ailus wrote:
> The check whether an async sub-device is bound to a notifier was performed
> without list_lock held, making it possible for another process to
> unbind the async sub-device before the sub-device unregistration function
> proceeds to take the lock.
> 
> Fix this by first acquiring the lock and then proceeding with the check.
> 
> Signed-off-by: Sakari Ailus <sakari.ai...@linux.intel.com>

Acked-by: Hans Verkuil <hans.verk...@cisco.com>

> ---
>  drivers/media/v4l2-core/v4l2-async.c | 18 +++++++-----------
>  1 file changed, 7 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-async.c 
> b/drivers/media/v4l2-core/v4l2-async.c
> index 4924481451ca..cde2cf2ab4b0 100644
> --- a/drivers/media/v4l2-core/v4l2-async.c
> +++ b/drivers/media/v4l2-core/v4l2-async.c
> @@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev);
>  
>  void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
>  {
> -     struct v4l2_async_notifier *notifier = sd->notifier;
> -
> -     if (!sd->asd) {
> -             if (!list_empty(&sd->async_list))
> -                     v4l2_async_cleanup(sd);
> -             return;
> -     }
> -
>       mutex_lock(&list_lock);
>  
> -     list_add(&sd->asd->list, &notifier->waiting);
> +     if (sd->asd) {
> +             struct v4l2_async_notifier *notifier = sd->notifier;
>  
> -     if (notifier->unbind)
> -             notifier->unbind(notifier, sd, sd->asd);
> +             list_add(&sd->asd->list, &notifier->waiting);
> +
> +             if (notifier->unbind)
> +                     notifier->unbind(notifier, sd, sd->asd);
> +     }
>  
>       v4l2_async_cleanup(sd);
>  
> 
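Review bot: In v4l2_async_unregister_subdev(), the removed `if (!sd->asd)` branch called v4l2_async_cleanup() only when `!list_empty(&sd->async_list)`, whereas the new code reaches v4l2_async_cleanup(sd) unconditionally for an unbound sub-device, and the commit message does not mention this change. Please either keep the list_empty() check under the lock or confirm that the cleanup is safe for a sub-device whose async_list is empty, and state the choice in the commit message. The unbound path also now runs the cleanup with list_lock held, where the old path ran it before taking the lock, which is worth a sentence in the commit message as well.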
