From: Sishuai Gong Date: Thu, 10 Aug 2023 00:53:48 +0000 (-0400) Subject: media: vivid: fix the racy dev->radio_tx_rds_owner X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=54921a8f31d81ee13bdce9c3b488cbc34c74740d;p=linux.git media: vivid: fix the racy dev->radio_tx_rds_owner There is a race over dev->radio_tx_rds_owner between the two functions mentioned below: Thread-1 Thread-2 vivid_fop_release() vivid_radio_rx_read() mutex_unlock(&dev->mutex) mutex_lock_interruptible(&dev->mutex) ... dev->radio_rx_rds_owner = file->private_data; ... if (file->private_data == dev->radio_rx_rds_owner) { dev->radio_tx_rds_last_block = 0; dev->radio_tx_rds_owner = NULL; } This race can be fixed by only releasing the lock after vivid_fop_release() finishes the checks. Signed-off-by: Sishuai Gong Signed-off-by: Hans Verkuil --- diff --git a/drivers/media/test-drivers/vivid/vivid-core.c b/drivers/media/test-drivers/vivid/vivid-core.c index c2167ccfd222b..e95bdccfc18e9 100644 --- a/drivers/media/test-drivers/vivid/vivid-core.c +++ b/drivers/media/test-drivers/vivid/vivid-core.c @@ -628,7 +628,6 @@ static int vivid_fop_release(struct file *file) v4l2_info(&dev->v4l2_dev, "reconnect\n"); vivid_reconnect(dev); } - mutex_unlock(&dev->mutex); if (file->private_data == dev->radio_rx_rds_owner) { dev->radio_rx_rds_last_block = 0; dev->radio_rx_rds_owner = NULL; @@ -637,6 +636,7 @@ static int vivid_fop_release(struct file *file) dev->radio_tx_rds_last_block = 0; dev->radio_tx_rds_owner = NULL; } + mutex_unlock(&dev->mutex); if (vdev->queue) return vb2_fop_release(file); return v4l2_fh_release(file);
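Review bot: The commit message does not match what the first hunk (@@ -628,7 +628,6) changes. The removed mutex_unlock(&dev->mutex) sat ahead of the block that compares file->private_data with dev->radio_rx_rds_owner and resets the rx fields, as well as the block that resets radio_tx_rds_last_block and radio_tx_rds_owner. The fix therefore covers both owner fields. The subject names only radio_tx_rds_owner, and the race diagram has Thread-2 writing radio_rx_rds_owner in vivid_radio_rx_read() while Thread-1 is shown testing radio_rx_rds_owner and then clearing the tx fields. Suggest rewording the message so the diagram mirrors the code (the rx check clears the rx fields) and stating that both owner fields were being tested and cleared after dev->mutex had been dropped. The trailer also carries no Fixes: tag, which would help backporting.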
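Review bot: Missing documentation in the second hunk (@@ -637,6 +636,7): the new position of mutex_unlock(&dev->mutex), after the radio_tx_rds_owner reset, is the only indication that the owner and last_block resets above it must run under dev->mutex. Suggest a one-line comment above the unlock, or on the radio_rx_rds_owner and radio_tx_rds_owner fields, saying they are protected by dev->mutex, so a later cleanup does not move the unlock back up. Keeping the unlock ahead of the vb2_fop_release(file) / v4l2_fh_release(file) returns matches the old ordering, where those calls also ran without dev->mutex held, so no new lock nesting is introduced there.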