The check whether an async sub-device is bound to a notifier was performed
without list_lock held, making it possible for another process to
unbind the async sub-device before the sub-device unregistration function
proceeds to take the lock.
Fix this by first acquiring the lock and then proceeding with the check.
Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Reviewed-by: Sebastian Reichel <sebastian.reichel@xxxxxxxxxxxxxxx>
Acked-by: Hans Verkuil <hans.verkuil@xxxxxxxxx>
---
drivers/media/v4l2-core/v4l2-async.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 4924481451ca..cde2cf2ab4b0 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev);
void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
{
- struct v4l2_async_notifier *notifier = sd->notifier;
-
- if (!sd->asd) {
- if (!list_empty(&sd->async_list))
- v4l2_async_cleanup(sd);
- return;
- }
-
mutex_lock(&list_lock);
- list_add(&sd->asd->list, ¬ifier->waiting);
+ if (sd->asd) {
+ struct v4l2_async_notifier *notifier = sd->notifier;
- if (notifier->unbind)
- notifier->unbind(notifier, sd, sd->asd);
+ list_add(&sd->asd->list, ¬ifier->waiting);
+
+ if (notifier->unbind)
+ notifier->unbind(notifier, sd, sd->asd);
+ }
v4l2_async_cleanup(sd);
--
2.11.0
