[media] v4l: vb2: Fix race condition in _vb2_fop_release

The function releases the queue if the file being released is the queue
owner. The check reads the queue->owner field without taking the queue
lock, creating a race condition with functions that set the queue owner,
such as vb2_ioctl_reqbufs() for instance.

Fix this by moving the queue->owner check within the mutex protected
section.

Signed-off-by: Laurent Pinchart <[email protected]>
Acked-by: Hans Verkuil <[email protected]>
Acked-by: Sylwester Nawrocki <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 2685670b20ecc5c5ea0bacdb2cca1eeb42d8feed..d09a8916e94005180f0f6beaf0ff53d7b2e932a4 100644 (file)
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -3389,14 +3389,14 @@ int _vb2_fop_release(struct file *file, struct mutex *lock)
 {
        struct video_device *vdev = video_devdata(file);
 
+       if (lock)
+               mutex_lock(lock);
        if (file->private_data == vdev->queue->owner) {
-               if (lock)
-                       mutex_lock(lock);
                vb2_queue_release(vdev->queue);
                vdev->queue->owner = NULL;
-               if (lock)
-                       mutex_unlock(lock);
        }
+       if (lock)
+               mutex_unlock(lock);
        return v4l2_fh_release(file);
 }
 EXPORT_SYMBOL_GPL(_vb2_fop_release);