github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-23 22:52:19 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

staging: most: video: fix potential race in list iteration

Browse Source 
There is a pattern in the loops where the lock is dropped
to call a specific function and then re-acquired.

The list can be exposed during this short gap, creating a potential
race condition. This patch fixes the problem by replacing the list
head with a local free list using list_replace_init(), instead of
using the lock/unlock pattern in the loop.

Signed-off-by: Minu Jin <s9430939@naver.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260205021620.1165137-1-s9430939@naver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Minu Jin 2026-02-05 11:16:20 +09:00 committed by Greg Kroah-Hartman
parent ad3521dc9c
commit 5491110735
1 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
drivers/staging/most/video/video.c
View File

@ -121,6 +121,7 @@ static int comp_vdev_close(struct file *filp)
struct comp_fh *fh = to_comp_fh(filp);
struct most_video_dev *mdev = fh->mdev;
struct mbo *mbo, *tmp;
LIST_HEAD(free_list);
/*
* We need to put MBOs back before we call most_stop_channel()
@ -133,13 +134,14 @@ static int comp_vdev_close(struct file *filp)
spin_lock_irq(&mdev->list_lock);
mdev->mute = true;
list_for_each_entry_safe(mbo, tmp, &mdev->pending_mbos, list) {
list_del(&mbo->list);
spin_unlock_irq(&mdev->list_lock);
most_put_mbo(mbo);
spin_lock_irq(&mdev->list_lock);
}
list_replace_init(&mdev->pending_mbos, &free_list);
spin_unlock_irq(&mdev->list_lock);
list_for_each_entry_safe(mbo, tmp, &free_list, list) {
list_del_init(&mbo->list);
most_put_mbo(mbo);
}
most_stop_channel(mdev->iface, mdev->ch_idx, &comp);
mdev->mute = false;
@ -554,6 +556,7 @@ static int __init comp_init(void)
static void __exit comp_exit(void)
{
struct most_video_dev *mdev, *tmp;
LIST_HEAD(free_list);
/*
* As the mostcore currently doesn't call disconnect_channel()
@ -562,16 +565,15 @@ static void __exit comp_exit(void)
* This must be fixed in core.
*/
spin_lock_irq(&list_lock);
list_for_each_entry_safe(mdev, tmp, &video_devices, list) {
list_del(&mdev->list);
spin_unlock_irq(&list_lock);
list_replace_init(&video_devices, &free_list);
spin_unlock_irq(&list_lock);
list_for_each_entry_safe(mdev, tmp, &free_list, list) {
list_del_init(&mdev->list);
comp_unregister_videodev(mdev);
v4l2_device_disconnect(&mdev->v4l2_dev);
v4l2_device_put(&mdev->v4l2_dev);
spin_lock_irq(&list_lock);
}
spin_unlock_irq(&list_lock);
most_deregister_configfs_subsys(&comp);
most_deregister_component(&comp);