From 54911107352dfe04b56828dd9f81fd570c1b76b0 Mon Sep 17 00:00:00 2001
From: Minu Jin <s9430939@naver.com>
Date: Thu, 5 Feb 2026 11:16:20 +0900
Subject: [PATCH] staging: most: video: fix potential race in list iteration

There is a pattern in the loops where the lock is dropped
to call a specific function and then re-acquired.

The list can be exposed during this short gap, creating a potential
race condition. This patch fixes the problem by replacing the list
head with a local free list using list_replace_init(), instead of
using the lock/unlock pattern in the loop.

Signed-off-by: Minu Jin <s9430939@naver.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260205021620.1165137-1-s9430939@naver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/most/video/video.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/most/video/video.c b/drivers/staging/most/video/video.c
index 32f71d9a9cf7..8eeae209ff1c 100644
--- a/drivers/staging/most/video/video.c
+++ b/drivers/staging/most/video/video.c
@@ -121,6 +121,7 @@ static int comp_vdev_close(struct file *filp)
 	struct comp_fh *fh = to_comp_fh(filp);
 	struct most_video_dev *mdev = fh->mdev;
 	struct mbo *mbo, *tmp;
+	LIST_HEAD(free_list);
 
 	/*
 	 * We need to put MBOs back before we call most_stop_channel()
@@ -133,13 +134,14 @@ static int comp_vdev_close(struct file *filp)
 
 	spin_lock_irq(&mdev->list_lock);
 	mdev->mute = true;
-	list_for_each_entry_safe(mbo, tmp, &mdev->pending_mbos, list) {
-		list_del(&mbo->list);
-		spin_unlock_irq(&mdev->list_lock);
-		most_put_mbo(mbo);
-		spin_lock_irq(&mdev->list_lock);
-	}
+	list_replace_init(&mdev->pending_mbos, &free_list);
 	spin_unlock_irq(&mdev->list_lock);
+
+	list_for_each_entry_safe(mbo, tmp, &free_list, list) {
+		list_del_init(&mbo->list);
+		most_put_mbo(mbo);
+	}
+
 	most_stop_channel(mdev->iface, mdev->ch_idx, &comp);
 	mdev->mute = false;
 
@@ -554,6 +556,7 @@ static int __init comp_init(void)
 static void __exit comp_exit(void)
 {
 	struct most_video_dev *mdev, *tmp;
+	LIST_HEAD(free_list);
 
 	/*
 	 * As the mostcore currently doesn't call disconnect_channel()
@@ -562,16 +565,15 @@ static void __exit comp_exit(void)
 	 * This must be fixed in core.
 	 */
 	spin_lock_irq(&list_lock);
-	list_for_each_entry_safe(mdev, tmp, &video_devices, list) {
-		list_del(&mdev->list);
-		spin_unlock_irq(&list_lock);
+	list_replace_init(&video_devices, &free_list);
+	spin_unlock_irq(&list_lock);
 
+	list_for_each_entry_safe(mdev, tmp, &free_list, list) {
+		list_del_init(&mdev->list);
 		comp_unregister_videodev(mdev);
 		v4l2_device_disconnect(&mdev->v4l2_dev);
 		v4l2_device_put(&mdev->v4l2_dev);
-		spin_lock_irq(&list_lock);
 	}
-	spin_unlock_irq(&list_lock);
 
 	most_deregister_configfs_subsys(&comp);
 	most_deregister_component(&comp);