107 lines
3.7 KiB
Diff
107 lines
3.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: "Yew, Chang Ching" <chang.ching.yew@intel.com>
|
|
Date: Wed, 31 Jul 2019 10:10:28 +0800
|
|
Subject: [PATCH] media: ici: Add mutex for function
|
|
ici_isys_frame_buf_stream_cancel
|
|
|
|
There's a race in ici_isys_frame_buf_stream_cancel function to
|
|
mislead bufsafe traversed with invalid item
|
|
|
|
745 void ici_isys_frame_buf_stream_cancel(struct
|
|
746 ici_isys_stream
|
|
747 *as)
|
|
748 {
|
|
...
|
|
758 spin_unlock_irqrestore(&buf_list->lock, flags);
|
|
759 dev_dbg(&buf_list->strm_dev->dev, "buf: %p\n", buf);
|
|
760 if (as->strm_dev.virt_dev_id < 0)
|
|
761 unmap_buf(buf);
|
|
762 else
|
|
763 unmap_buf_virt(buf);
|
|
764 spin_lock_irqsave(&buf_list->lock, flags);
|
|
|
|
The mutex is lock this critical section which could not be locked
|
|
with spinlock
|
|
|
|
Tracked-On: OAM-84267
|
|
Tracked-On: PKT-2253
|
|
Signed-off-by: Yew, Chang Ching <chang.ching.yew@intel.com>
|
|
---
|
|
drivers/media/pci/intel/ici/ici-isys-frame-buf.c | 2 ++
|
|
drivers/media/pci/intel/ici/ici-isys-stream.c | 13 +++++++++----
|
|
drivers/media/pci/intel/ici/ici-isys-stream.h | 1 +
|
|
3 files changed, 12 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/drivers/media/pci/intel/ici/ici-isys-frame-buf.c b/drivers/media/pci/intel/ici/ici-isys-frame-buf.c
|
|
index 20efc28c3..1a14e4c94 100644
|
|
--- a/drivers/media/pci/intel/ici/ici-isys-frame-buf.c
|
|
+++ b/drivers/media/pci/intel/ici/ici-isys-frame-buf.c
|
|
@@ -854,6 +854,7 @@ void ici_isys_frame_buf_stream_cancel(struct
|
|
struct ici_frame_buf_wrapper *bufsafe;
|
|
unsigned long flags = 0;
|
|
|
|
+ mutex_lock(&as->stream_cancel_mutex);
|
|
spin_lock_irqsave(&buf_list->lock, flags);
|
|
list_for_each_entry_safe(buf, bufsafe,
|
|
&buf_list->getbuf_list, node) {
|
|
@@ -892,6 +893,7 @@ void ici_isys_frame_buf_stream_cancel(struct
|
|
spin_lock_irqsave(&buf_list->short_packet_queue_lock, flags);
|
|
}
|
|
spin_unlock_irqrestore(&buf_list->short_packet_queue_lock, flags);
|
|
+ mutex_unlock(&as->stream_cancel_mutex);
|
|
}
|
|
|
|
int ici_isys_frame_buf_add_next(
|
|
diff --git a/drivers/media/pci/intel/ici/ici-isys-stream.c b/drivers/media/pci/intel/ici/ici-isys-stream.c
|
|
index b2090b173..b1224facd 100644
|
|
--- a/drivers/media/pci/intel/ici/ici-isys-stream.c
|
|
+++ b/drivers/media/pci/intel/ici/ici-isys-stream.c
|
|
@@ -1377,6 +1377,7 @@ int ici_isys_stream_init(
|
|
char name[ICI_MAX_NODE_NAME];
|
|
|
|
mutex_init(&as->mutex);
|
|
+ mutex_init(&as->stream_cancel_mutex);
|
|
init_completion(&as->ip.stream_open_completion);
|
|
init_completion(&as->ip.stream_close_completion);
|
|
init_completion(&as->ip.stream_start_completion);
|
|
@@ -1444,16 +1445,20 @@ int ici_isys_stream_init(
|
|
//intel_ipu4_isys_framebuf_cleanup(&as->buf_list);
|
|
out_init_fail:
|
|
mutex_destroy(&as->mutex);
|
|
+ mutex_destroy(&as->stream_cancel_mutex);
|
|
|
|
return rval;
|
|
}
|
|
|
|
void ici_isys_stream_cleanup(struct ici_isys_stream *as)
|
|
{
|
|
- list_del(&as->node.node_entry);
|
|
- stream_device_unregister(&as->strm_dev);
|
|
- node_pads_cleanup(&as->asd->node);
|
|
- mutex_destroy(&as->mutex);
|
|
+ if (as != NULL) {
|
|
+ list_del(&as->node.node_entry);
|
|
+ stream_device_unregister(&as->strm_dev);
|
|
+ node_pads_cleanup(&as->asd->node);
|
|
+ mutex_destroy(&as->mutex);
|
|
+ mutex_destroy(&as->stream_cancel_mutex);
|
|
+ }
|
|
}
|
|
|
|
#endif //ICI_ENABLED
|
|
diff --git a/drivers/media/pci/intel/ici/ici-isys-stream.h b/drivers/media/pci/intel/ici/ici-isys-stream.h
|
|
index 457b123a6..ac30a43d8 100644
|
|
--- a/drivers/media/pci/intel/ici/ici-isys-stream.h
|
|
+++ b/drivers/media/pci/intel/ici/ici-isys-stream.h
|
|
@@ -30,6 +30,7 @@ struct ici_isys_pixelformat {
|
|
struct ici_isys_stream {
|
|
/* Serialise access to other fields in the struct. */
|
|
struct mutex mutex;
|
|
+ struct mutex stream_cancel_mutex;
|
|
struct node_pad pad;
|
|
struct ici_isys_node node;
|
|
struct ici_stream_device strm_dev;
|
|
--
|
|
https://clearlinux.org
|
|
|