From: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx> commit 55a6c6b2be3d6670bf5772364d8208bd8dc17da4 upstream. Pad format can be accessed from user space. Serialise access to it. Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver") Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx> Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx> Reviewed-by: Bingbu Cao <bingbu.cao@xxxxxxxxx> Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx # v4.16 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/media/pci/intel/ipu3/ipu3-cio2.c | 11 +++++++++++ drivers/media/pci/intel/ipu3/ipu3-cio2.h | 1 + 2 files changed, 12 insertions(+) --- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c +++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c @@ -1245,11 +1245,15 @@ static int cio2_subdev_get_fmt(struct v4 { struct cio2_queue *q = container_of(sd, struct cio2_queue, subdev); + mutex_lock(&q->subdev_lock); + if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) fmt->format = *v4l2_subdev_get_try_format(sd, cfg, fmt->pad); else fmt->format = q->subdev_fmt; + mutex_unlock(&q->subdev_lock); + return 0; } @@ -1273,6 +1277,8 @@ static int cio2_subdev_set_fmt(struct v4 if (fmt->pad == CIO2_PAD_SOURCE) return cio2_subdev_get_fmt(sd, cfg, fmt); + mutex_lock(&q->subdev_lock); + if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) { *v4l2_subdev_get_try_format(sd, cfg, fmt->pad) = fmt->format; } else { @@ -1283,6 +1289,8 @@ static int cio2_subdev_set_fmt(struct v4 fmt->format = q->subdev_fmt; } + mutex_unlock(&q->subdev_lock); + return 0; } @@ -1541,6 +1549,7 @@ static int cio2_queue_init(struct cio2_d /* Initialize miscellaneous variables */ mutex_init(&q->lock); + mutex_init(&q->subdev_lock); /* Initialize formats to default values */ fmt = &q->subdev_fmt; @@ -1659,6 +1668,7 @@ fail_vdev_media_entity: fail_subdev_media_entity: cio2_fbpt_exit(q, &cio2->pci_dev->dev); fail_fbpt: + mutex_destroy(&q->subdev_lock); mutex_destroy(&q->lock); return r; @@ -1672,6 +1682,7 @@ static void cio2_queue_exit(struct cio2_ v4l2_device_unregister_subdev(&q->subdev); media_entity_cleanup(&q->subdev.entity); cio2_fbpt_exit(q, &cio2->pci_dev->dev); + mutex_destroy(&q->subdev_lock); mutex_destroy(&q->lock); } --- a/drivers/media/pci/intel/ipu3/ipu3-cio2.h +++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.h @@ -332,6 +332,7 @@ struct cio2_queue { /* Subdev, /dev/v4l-subdevX */ struct v4l2_subdev subdev; + struct mutex subdev_lock; /* Serialise acces to subdev_fmt field */ struct media_pad subdev_pads[CIO2_PADS]; struct v4l2_mbus_framefmt subdev_fmt; atomic_t frame_sequence;