From: Hans Verkuil <hans.verk...@cisco.com>

The request reference count was decreased again once a reference to the
request object was taken. Postpone this until we have finished using the object.

In theory I think it is possible that the request_fd can be closed by
the application from another thread. In that case when request_put is
called the whole request would be freed.

It's highly unlikely, but let's just be safe and fix this potential
race condition.

Signed-off-by: Hans Verkuil <hans.verk...@cisco.com>
Reviewed-by: Tomasz Figa <tf...@chromium.org>
---
 drivers/media/v4l2-core/v4l2-ctrls.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-ctrls.c 
b/drivers/media/v4l2-core/v4l2-ctrls.c
index cc266a4a6e88..95d065d54308 100644
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -3657,10 +3657,9 @@ static int try_set_ext_ctrls(struct v4l2_fh *fh,
                }
 
                obj = v4l2_ctrls_find_req_obj(hdl, req, set);
-               /* Reference to the request held through obj */
-               media_request_put(req);
                if (IS_ERR(obj)) {
                        media_request_unlock_for_update(req);
+                       media_request_put(req);
                        return PTR_ERR(obj);
                }
                hdl = container_of(obj, struct v4l2_ctrl_handler,
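Review bot: with the unconditional `media_request_put(req)` removed, every path out of the function after `v4l2_ctrls_find_req_obj()` now has to drop the request reference itself; the error path here does (unlock first, then put, which is the right order since the put may free the request), but any other early return between this hunk and the `if (obj)` cleanup at the end of the function would now leak the reference, so please confirm there is none. Keeping a short comment at the new put site would also help, since the deleted `/* Reference to the request held through obj */` line was the only explanation of the request lifetime in this function.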
@@ -3670,8 +3669,9 @@ static int try_set_ext_ctrls(struct v4l2_fh *fh,
        ret = try_set_ext_ctrls_common(fh, hdl, cs, set);
 
        if (obj) {
-               media_request_unlock_for_update(obj->req);
+               media_request_unlock_for_update(req);
                media_request_object_put(obj);
+               media_request_put(req);
        }
 
        return ret;
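Review bot: the added `media_request_put(req)` is correctly placed after `media_request_object_put(obj)`, so the request can no longer be freed underneath the object release (the request_fd-closed-from-another-thread case the commit message describes), and switching the unlock from `obj->req` to `req` is consistent with that ordering. One thing to check: `req` must be in scope and initialised on every path, including the one where no request was supplied, because the `if (obj)` guard alone now covers both the object put and the request put. A one-line comment above the put, for example `/* obj holds a reference to req, so drop ours last */`, would document the ordering dependency for the next person touching this code.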
-- 
2.18.0
