From a3dbff6eecad72333bae656681331aab27adee4d Mon Sep 17 00:00:00 2001
From: Jia-Ju Bai
Date: Thu, 1 Jun 2017 04:17:51 -0300
Subject: [PATCH] [media] cx18: Fix a sleep-in-atomic bug in snd_cx18_pcm_hw_free
The driver may sleep under a spin lock, and the function call path is: snd_cx18_pcm_hw_free (acquire the lock by spin_lock_irqsave) vfree --> may sleep To fix it, the "substream->runtime->dma_area" is passed to a temporary value, and mark it NULL when holding the lock. The memory is freed by vfree through the temporary value outside the lock holding.
Signed-off-by: Jia-Ju Bai
[hans.verkuil@cisco.com: removed unnecessary 'if (dma_area)']
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/pci/cx18/cx18-alsa-pcm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/pci/cx18/cx18-alsa-pcm.c b/drivers/media/pci/cx18/cx18-alsa-pcm.c
index 205a98da877c..f68ee57a9ae2 100644
--- a/drivers/media/pci/cx18/cx18-alsa-pcm.c
+++ b/drivers/media/pci/cx18/cx18-alsa-pcm.c
@@ -257,14 +257,16 @@ static int snd_cx18_pcm_hw_free(struct snd_pcm_substream *substream)
 {
 struct snd_cx18_card *cxsc = snd_pcm_substream_chip(substream);
 unsigned long flags;
+ unsigned char *dma_area = NULL;
 spin_lock_irqsave(&cxsc->slock, flags);
 if (substream->runtime->dma_area) {
 dprintk("freeing pcm capture region\n");
- vfree(substream->runtime->dma_area);
+ dma_area = substream->runtime->dma_area;
 substream->runtime->dma_area = NULL;
 }
 spin_unlock_irqrestore(&cxsc->slock, flags);
+ vfree(dma_area);
 return 0;
 }
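Review bot: The relocated `vfree(dma_area);` after `spin_unlock_irqrestore()` carries no comment saying why it must stay outside the critical section, so a later cleanup could fold it back under `slock` and reintroduce the sleep-in-atomic. I would add `/* vfree() may sleep: release the detached buffer only after slock is dropped */` directly above it. The detach-then-free pattern is only safe if every other user of `substream->runtime->dma_area` reads it under `slock` and does not keep the pointer after unlocking; those paths are outside this hunk, so that is worth confirming, since a cached pointer would dangle once the buffer is released here.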