linux/include/media
Shuah Khan 90cd366bc6 [media] media: Protect enable_source and disable_source handler code paths
Drivers might try to access and run enable_source and disable_source
handlers when the driver that implements these handlers is clearing
the handlers during its unregister.

Fix the following race condition:

process 1				process 2

request video streaming			unbind au0828
v4l2 checks if tuner is free
...					...

					au0828_unregister_media_device()
...					...
					(doesn't hold graph_mutex)
					mdev->enable_source = NULL;
if (mdev && mdev->enable_source)	mdev->disable_source = NULL;
	mdev->enable_source()
(enable_source holds graph_mutex)

As shown above enable_source check is done without holding the graph_mutex.
If unbind happens to be in progress, au0828 could clear enable_source and
disable_source handlers leading to null pointer de-reference.

Fix it by protecting enable_source and disable_source set and clear and
protecting enable_source and disable_source handler access and the call
itself.

process 1				process 2

request video streaming			unbind au0828
v4l2 checks if tuner is free
...					...

					au0828_unregister_media_device()
...					...
					(hold graph_mutex while clearing)
					mdev->enable_source = NULL;
if (mdev)				mdev->disable_source = NULL;
(hold graph_mutex to check and
 call enable_source)
    if (mdev->enable_source)
	mdev->enable_source()

If graph_mutex is held to just heck for handler being null and needs to be
released before calling the handler, there will be another window for the
handlers to be cleared. Hence, enable_source and disable_source handlers
no longer hold the graph_mutex and expect callers to hold it to avoid
forcing them release the graph_mutex before calling the handlers.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-02-03 07:39:35 -02:00
..
blackfin [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
davinci [media] davinci: vpif_capture: remove hard-coded I2C adapter id 2017-01-31 07:59:12 -02:00
drv-intf [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
i2c [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
cec-edid.h [media] cec-edid: add module for EDID CEC helper functions 2016-06-28 09:45:51 -03:00
cec.h [media] cec: pass parent device in register(), not allocate() 2016-11-29 12:07:17 -02:00
i2c-addr.h
lirc_dev.h [media] doc-rst: Fix issues with RC documentation 2016-07-17 14:02:43 -03:00
lirc.h [media] bz#75751: Move internal header file lirc.h to uapi/ 2015-11-17 06:47:43 -02:00
media-device.h [media] media: Protect enable_source and disable_source handler code paths 2017-02-03 07:39:35 -02:00
media-devnode.h [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
media-entity.h [media] media: Rename graph and pipeline structs and functions 2017-01-27 16:13:24 -02:00
rc-core.h [media] rc-core: add support for IR raw transmitters 2017-01-30 14:14:12 -02:00
rc-map.h [media] rc/keymaps: add a keytable for the GeekBox remote control 2017-01-31 07:27:50 -02:00
rcar-fcp.h [media] v4l: rcar-fcp: Don't force users to check for disabled FCP support 2016-09-09 11:29:57 -03:00
soc_camera.h [media] v4l2: remove g/s_crop from video ops 2016-08-24 09:46:09 -03:00
tuner-types.h [media] doc-rst: Fix conversion for v4l2 core functions 2016-07-17 14:02:43 -03:00
tuner.h [media] v4l2-mc.h: move tuner PAD definitions to this new header 2016-02-01 07:19:44 -02:00
tveeprom.h [media] doc-rst: Fix conversion for v4l2 core functions 2016-07-17 14:02:43 -03:00
v4l2-async.h [media] v4l2-async: document the remaining stuff 2016-07-23 08:04:21 -03:00
v4l2-clk.h [media] v4l2-clk: add new definition: V4L2_CLK_NAME_SIZE 2015-11-17 15:19:11 -02:00
v4l2-common.h [media] v4l2-common: add a debug macro to be used with dev_foo() 2016-11-18 10:04:58 -02:00
v4l2-ctrls.h [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
v4l2-dev.h [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
v4l2-device.h [media] v4l2-device.h: fix some doc tags 2016-09-09 09:41:12 -03:00
v4l2-dv-timings.h [media] v4l2-dv-timings: add helpers for vic and pixelaspect ratio 2016-11-16 15:20:03 -02:00
v4l2-event.h [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
v4l2-fh.h [media] media: Drop FSF's postal address from the source code files 2017-01-27 11:38:09 -02:00
v4l2-flash-led-class.h [media] v4l2-flash-led-class.h: document v4l2_flash_ops 2016-09-09 10:19:35 -03:00
v4l2-image-sizes.h [media] media: v4l2-image-sizes.h: correct the SVGA height definition 2014-12-04 13:56:56 -02:00
v4l2-ioctl.h [media] v4l2-ioctl.h: document the remaining functions 2016-09-09 09:38:36 -03:00
v4l2-mc.h [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
v4l2-mediabus.h [media] v4l2-mediabus: Add to DocBook 2015-08-22 09:05:55 -03:00
v4l2-mem2mem.h [media] v4l: Document that m2m devices have a file handle specific context 2016-11-16 13:29:44 -02:00
v4l2-of.h [media] v4l2-of: fix compiler errors if CONFIG_OF is undefined 2015-04-28 08:33:45 -03:00
v4l2-rect.h [media] v4l2-rect.h: new header with struct v4l2_rect helper functions 2016-04-20 16:11:33 -03:00
v4l2-subdev.h [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
v4l2-tpg-colors.h [media] tpg: Export the tpg code from vivid as a module 2016-04-20 16:14:39 -03:00
v4l2-tpg.h [media] vivid: Add support for HSV encoding 2016-10-21 15:54:16 -02:00
videobuf2-core.h [media] get rid of a number of problems at the cross references 2016-09-22 10:00:23 -03:00
videobuf2-dma-contig.h dma-mapping: use unsigned long for dma_attrs 2016-08-04 08:50:07 -04:00
videobuf2-dma-sg.h [media] vb2: replace void *alloc_ctxs by struct device *alloc_devs 2016-07-08 14:45:07 -03:00
videobuf2-dvb.h [media] add media controller support to videobuf2-dvb 2016-02-10 07:23:41 -02:00
videobuf2-memops.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf2-v4l2.h [media] videobuf2-v4l2: document two helper functions 2016-09-09 10:19:06 -03:00
videobuf2-vmalloc.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf-core.h treewide: fix typos in comment blocks 2015-08-07 14:46:24 +02:00
videobuf-dma-contig.h [media] videobuf-dma-contig: remove support for cached mem 2013-04-25 09:50:19 -03:00
videobuf-dma-sg.h [media] videobuf: make unused exported functions static 2015-01-27 10:01:33 -02:00
videobuf-dvb.h [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
videobuf-vmalloc.h V4L/DVB: videobuf: add ext_lock argument to the queue init functions 2010-10-21 01:06:14 -02:00
vsp1.h [media] v4l: vsp1: Fix tri-planar format support through DRM API 2016-09-09 11:32:19 -03:00