Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
[media] bttv: fix mutex use before init (BZ#24602)
Fix a regression where bttv driver causes oopses when loading, since it
were using some non-initialized mutexes. While it would be possible to
fix the issue, there are some other lock troubles, like to the presence of
lock code at free_btres_lock().
It is possible to fix, but the better is to just use the core-assisted
locking schema. This way, V4L2 core will serialize access to all
ioctl's/open/close/mmap/read/poll operations, avoiding to have two
processes accessing the hardware at the same time. Also, as there's just
one lock, instead of 3, there's no risk of dead locks.
The net result is a cleaner code, with just one lock.
Reported-by: Dan Carpenter <error27@gmail.com>
Reported-by: Brandon Philips<brandon@ifup.org>
Reported-by: Chris Clayton <chris2553@googlemail.com>
Reported-by: Torsten Kaiser <just.for.lkml@googlemail.com>
Tested-by: Chris Clayton <chris2553@googlemail.com>
Tested-by: Torsten Kaiser <just.for.lkml@googlemail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
authored by Mauro Carvalho Chehab and committed by Mauro Carvalho Chehab 587f0d5d a757ee22
+3
-94
drivers/media/video/bt8xx/bttv-driver.c
+3
-94
drivers/media/video/bt8xx/bttv-driver.c
···
855
855
xbits |= RESOURCE_VIDEO_READ | RESOURCE_VIDEO_STREAM;
856
856
857
857
/* is it free? */
858
-
mutex_lock(&btv->lock);
859
858
if (btv->resources & xbits) {
860
859
/* no, someone else uses it */
861
860
goto fail;
···
884
885
/* it's free, grab it */
885
886
fh->resources |= bit;
886
887
btv->resources |= bit;
887
-
mutex_unlock(&btv->lock);
888
888
return 1;
889
889
890
890
fail:
891
-
mutex_unlock(&btv->lock);
892
891
return 0;
893
892
}
894
893
···
938
941
/* trying to free ressources not allocated by us ... */
939
942
printk("bttv: BUG! (btres)\n");
940
943
}
941
-
mutex_lock(&btv->lock);
942
944
fh->resources &= ~bits;
943
945
btv->resources &= ~bits;
944
946
···
948
952
949
953
if (0 == (bits & VBI_RESOURCES))
950
954
disclaim_vbi_lines(btv);
951
-
952
-
mutex_unlock(&btv->lock);
953
955
}
954
956
955
957
/* ----------------------------------------------------------------------- */
···
1708
1714
1709
1715
/* Make sure tvnorm and vbi_end remain consistent
1710
1716
until we're done. */
1711
-
mutex_lock(&btv->lock);
1712
1717
1713
1718
norm = btv->tvnorm;
1714
1719
1715
1720
/* In this mode capturing always starts at defrect.top
1716
1721
(default VDELAY), ignoring cropping parameters. */
1717
1722
if (btv->vbi_end > bttv_tvnorms[norm].cropcap.defrect.top) {
1718
-
mutex_unlock(&btv->lock);
1719
1723
return -EINVAL;
1720
1724
}
1721
1725
1722
-
mutex_unlock(&btv->lock);
1723
-
1724
1726
c.rect = bttv_tvnorms[norm].cropcap.defrect;
1725
1727
} else {
1726
-
mutex_lock(&btv->lock);
1727
-
1728
1728
norm = btv->tvnorm;
1729
1729
c = btv->crop[!!fh->do_crop];
1730
-
1731
-
mutex_unlock(&btv->lock);
1732
1730
1733
1731
if (width < c.min_scaled_width ||
1734
1732
width > c.max_scaled_width ||
···
1845
1859
unsigned int i;
1846
1860
int err;
1847
1861
1848
-
mutex_lock(&btv->lock);
1849
1862
err = v4l2_prio_check(&btv->prio, fh->prio);
1850
1863
if (err)
1851
1864
goto err;
···
1860
1875
set_tvnorm(btv, i);
1861
1876
1862
1877
err:
1863
-
mutex_unlock(&btv->lock);
1864
1878
1865
1879
return err;
1866
1880
}
···
1883
1899
struct bttv *btv = fh->btv;
1884
1900
int rc = 0;
1885
1901
1886
-
mutex_lock(&btv->lock);
1887
1902
if (i->index >= bttv_tvcards[btv->c.type].video_inputs) {
1888
1903
rc = -EINVAL;
1889
1904
goto err;
···
1912
1929
i->std = BTTV_NORMS;
1913
1930
1914
1931
err:
1915
-
mutex_unlock(&btv->lock);
1916
1932
1917
1933
return rc;
1918
1934
}
···
1921
1939
struct bttv_fh *fh = priv;
1922
1940
struct bttv *btv = fh->btv;
1923
1941
1924
-
mutex_lock(&btv->lock);
1925
1942
*i = btv->input;
1926
-
mutex_unlock(&btv->lock);
1927
1943
1928
1944
return 0;
1929
1945
}
···
1933
1953
1934
1954
int err;
1935
1955
1936
-
mutex_lock(&btv->lock);
1937
1956
err = v4l2_prio_check(&btv->prio, fh->prio);
1938
1957
if (unlikely(err))
1939
1958
goto err;
···
1945
1966
set_input(btv, i, btv->tvnorm);
1946
1967
1947
1968
err:
1948
-
mutex_unlock(&btv->lock);
1949
1969
return 0;
1950
1970
}
1951
1971
···
1958
1980
if (unlikely(0 != t->index))
1959
1981
return -EINVAL;
1960
1982
1961
-
mutex_lock(&btv->lock);
1962
1983
if (unlikely(btv->tuner_type == TUNER_ABSENT)) {
1963
1984
err = -EINVAL;
1964
1985
goto err;
···
1973
1996
btv->audio_mode_gpio(btv, t, 1);
1974
1997
1975
1998
err:
1976
-
mutex_unlock(&btv->lock);
1977
1999
1978
2000
return 0;
1979
2001
}
···
1983
2007
struct bttv_fh *fh = priv;
1984
2008
struct bttv *btv = fh->btv;
1985
2009
1986
-
mutex_lock(&btv->lock);
1987
2010
f->type = btv->radio_user ? V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV;
1988
2011
f->frequency = btv->freq;
1989
-
mutex_unlock(&btv->lock);
1990
2012
1991
2013
return 0;
1992
2014
}
···
1999
2025
if (unlikely(f->tuner != 0))
2000
2026
return -EINVAL;
2001
2027
2002
-
mutex_lock(&btv->lock);
2003
2028
err = v4l2_prio_check(&btv->prio, fh->prio);
2004
2029
if (unlikely(err))
2005
2030
goto err;
···
2013
2040
if (btv->has_matchbox && btv->radio_user)
2014
2041
tea5757_set_freq(btv, btv->freq);
2015
2042
err:
2016
-
mutex_unlock(&btv->lock);
2017
2043
2018
2044
return 0;
2019
2045
}
···
2145
2173
2146
2174
/* Make sure tvnorm, vbi_end and the current cropping parameters
2147
2175
remain consistent until we're done. */
2148
-
mutex_lock(&btv->lock);
2149
2176
2150
2177
b = &bttv_tvnorms[btv->tvnorm].cropcap.bounds;
2151
2178
···
2222
2251
rc = 0; /* success */
2223
2252
2224
2253
fail:
2225
-
mutex_unlock(&btv->lock);
2226
2254
2227
2255
return rc;
2228
2256
}
···
2253
2283
if (V4L2_FIELD_ANY == field) {
2254
2284
__s32 height2;
2255
2285
2256
-
mutex_lock(&fh->btv->lock);
2257
2286
height2 = fh->btv->crop[!!fh->do_crop].rect.height >> 1;
2258
-
mutex_unlock(&fh->btv->lock);
2259
2287
field = (win->w.height > height2)
2260
2288
? V4L2_FIELD_INTERLACED
2261
2289
: V4L2_FIELD_TOP;
···
2329
2361
}
2330
2362
}
2331
2363
2332
-
mutex_lock(&fh->cap.vb_lock);
2333
2364
/* clip against screen */
2334
2365
if (NULL != btv->fbuf.base)
2335
2366
n = btcx_screen_clips(btv->fbuf.fmt.width, btv->fbuf.fmt.height,
···
2380
2413
bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new);
2381
2414
retval = bttv_switch_overlay(btv,fh,new);
2382
2415
}
2383
-
mutex_unlock(&fh->cap.vb_lock);
2384
2416
return retval;
2385
2417
}
2386
2418
···
2493
2527
if (V4L2_FIELD_ANY == field) {
2494
2528
__s32 height2;
2495
2529
2496
-
mutex_lock(&btv->lock);
2497
2530
height2 = btv->crop[!!fh->do_crop].rect.height >> 1;
2498
-
mutex_unlock(&btv->lock);
2499
2531
field = (f->fmt.pix.height > height2)
2500
2532
? V4L2_FIELD_INTERLACED
2501
2533
: V4L2_FIELD_BOTTOM;
···
2579
2615
fmt = format_by_fourcc(f->fmt.pix.pixelformat);
2580
2616
2581
2617
/* update our state informations */
2582
-
mutex_lock(&fh->cap.vb_lock);
2583
2618
fh->fmt = fmt;
2584
2619
fh->cap.field = f->fmt.pix.field;
2585
2620
fh->cap.last = V4L2_FIELD_NONE;
···
2587
2624
btv->init.fmt = fmt;
2588
2625
btv->init.width = f->fmt.pix.width;
2589
2626
btv->init.height = f->fmt.pix.height;
2590
-
mutex_unlock(&fh->cap.vb_lock);
2591
2627
2592
2628
return 0;
2593
2629
}
···
2612
2650
unsigned int i;
2613
2651
struct bttv_fh *fh = priv;
2614
2652
2615
-
mutex_lock(&fh->cap.vb_lock);
2616
2653
retval = __videobuf_mmap_setup(&fh->cap, gbuffers, gbufsize,
2617
2654
V4L2_MEMORY_MMAP);
2618
2655
if (retval < 0) {
2619
-
mutex_unlock(&fh->cap.vb_lock);
2620
2656
return retval;
2621
2657
}
2622
2658
···
2626
2666
for (i = 0; i < gbuffers; i++)
2627
2667
mbuf->offsets[i] = i * gbufsize;
2628
2668
2629
-
mutex_unlock(&fh->cap.vb_lock);
2630
2669
return 0;
2631
2670
}
2632
2671
#endif
···
2735
2776
int retval = 0;
2736
2777
2737
2778
if (on) {
2738
-
mutex_lock(&fh->cap.vb_lock);
2739
2779
/* verify args */
2740
2780
if (unlikely(!btv->fbuf.base)) {
2741
-
mutex_unlock(&fh->cap.vb_lock);
2742
2781
return -EINVAL;
2743
2782
}
2744
2783
if (unlikely(!fh->ov.setup_ok)) {
···
2745
2788
}
2746
2789
if (retval)
2747
2790
return retval;
2748
-
mutex_unlock(&fh->cap.vb_lock);
2749
2791
}
2750
2792
2751
2793
if (!check_alloc_btres_lock(btv, fh, RESOURCE_OVERLAY))
2752
2794
return -EBUSY;
2753
2795
2754
-
mutex_lock(&fh->cap.vb_lock);
2755
2796
if (on) {
2756
2797
fh->ov.tvnorm = btv->tvnorm;
2757
2798
new = videobuf_sg_alloc(sizeof(*new));
···
2761
2806
2762
2807
/* switch over */
2763
2808
retval = bttv_switch_overlay(btv, fh, new);
2764
-
mutex_unlock(&fh->cap.vb_lock);
2765
2809
return retval;
2766
2810
}
2767
2811
···
2799
2845
}
2800
2846
2801
2847
/* ok, accept it */
2802
-
mutex_lock(&fh->cap.vb_lock);
2803
2848
btv->fbuf.base = fb->base;
2804
2849
btv->fbuf.fmt.width = fb->fmt.width;
2805
2850
btv->fbuf.fmt.height = fb->fmt.height;
···
2830
2877
retval = bttv_switch_overlay(btv, fh, new);
2831
2878
}
2832
2879
}
2833
-
mutex_unlock(&fh->cap.vb_lock);
2834
2880
return retval;
2835
2881
}
2836
2882
···
2908
2956
c->id >= V4L2_CID_PRIVATE_LASTP1))
2909
2957
return -EINVAL;
2910
2958
2911
-
mutex_lock(&btv->lock);
2912
2959
if (!btv->volume_gpio && (c->id == V4L2_CID_AUDIO_VOLUME))
2913
2960
*c = no_ctl;
2914
2961
else {
···
2915
2964
2916
2965
*c = (NULL != ctrl) ? *ctrl : no_ctl;
2917
2966
}
2918
-
mutex_unlock(&btv->lock);
2919
2967
2920
2968
return 0;
2921
2969
}
···
2925
2975
struct bttv_fh *fh = f;
2926
2976
struct bttv *btv = fh->btv;
2927
2977
2928
-
mutex_lock(&btv->lock);
2929
2978
v4l2_video_std_frame_period(bttv_tvnorms[btv->tvnorm].v4l2_id,
2930
2979
&parm->parm.capture.timeperframe);
2931
-
mutex_unlock(&btv->lock);
2932
2980
2933
2981
return 0;
2934
2982
}
···
2942
2994
if (0 != t->index)
2943
2995
return -EINVAL;
2944
2996
2945
-
mutex_lock(&btv->lock);
2946
2997
t->rxsubchans = V4L2_TUNER_SUB_MONO;
2947
2998
bttv_call_all(btv, tuner, g_tuner, t);
2948
2999
strcpy(t->name, "Television");
···
2953
3006
if (btv->audio_mode_gpio)
2954
3007
btv->audio_mode_gpio(btv, t, 0);
2955
3008
2956
-
mutex_unlock(&btv->lock);
2957
3009
return 0;
2958
3010
}
2959
3011
···
2961
3015
struct bttv_fh *fh = f;
2962
3016
struct bttv *btv = fh->btv;
2963
3017
2964
-
mutex_lock(&btv->lock);
2965
3018
*p = v4l2_prio_max(&btv->prio);
2966
-
mutex_unlock(&btv->lock);
2967
3019
2968
3020
return 0;
2969
3021
}
···
2973
3029
struct bttv *btv = fh->btv;
2974
3030
int rc;
2975
3031
2976
-
mutex_lock(&btv->lock);
2977
3032
rc = v4l2_prio_change(&btv->prio, &fh->prio, prio);
2978
-
mutex_unlock(&btv->lock);
2979
3033
2980
3034
return rc;
2981
3035
}
···
2988
3046
cap->type != V4L2_BUF_TYPE_VIDEO_OVERLAY)
2989
3047
return -EINVAL;
2990
3048
2991
-
mutex_lock(&btv->lock);
2992
3049
*cap = bttv_tvnorms[btv->tvnorm].cropcap;
2993
-
mutex_unlock(&btv->lock);
2994
3050
2995
3051
return 0;
2996
3052
}
···
3006
3066
inconsistent with fh->width or fh->height and apps
3007
3067
do not expect a change here. */
3008
3068
3009
-
mutex_lock(&btv->lock);
3010
3069
crop->c = btv->crop[!!fh->do_crop].rect;
3011
-
mutex_unlock(&btv->lock);
3012
3070
3013
3071
return 0;
3014
3072
}
···
3030
3092
/* Make sure tvnorm, vbi_end and the current cropping
3031
3093
parameters remain consistent until we're done. Note
3032
3094
read() may change vbi_end in check_alloc_btres_lock(). */
3033
-
mutex_lock(&btv->lock);
3034
3095
retval = v4l2_prio_check(&btv->prio, fh->prio);
3035
3096
if (0 != retval) {
3036
-
mutex_unlock(&btv->lock);
3037
3097
return retval;
3038
3098
}
3039
3099
3040
3100
retval = -EBUSY;
3041
3101
3042
3102
if (locked_btres(fh->btv, VIDEO_RESOURCES)) {
3043
-
mutex_unlock(&btv->lock);
3044
3103
return retval;
3045
3104
}
3046
3105
···
3049
3114
3050
3115
b_top = max(b->top, btv->vbi_end);
3051
3116
if (b_top + 32 >= b_bottom) {
3052
-
mutex_unlock(&btv->lock);
3053
3117
return retval;
3054
3118
}
3055
3119
···
3071
3137
3072
3138
btv->crop[1] = c;
3073
3139
3074
-
mutex_unlock(&btv->lock);
3075
-
3076
3140
fh->do_crop = 1;
3077
-
3078
-
mutex_lock(&fh->cap.vb_lock);
3079
3141
3080
3142
if (fh->width < c.min_scaled_width) {
3081
3143
fh->width = c.min_scaled_width;
···
3088
3158
fh->height = c.max_scaled_height;
3089
3159
btv->init.height = c.max_scaled_height;
3090
3160
}
3091
-
3092
-
mutex_unlock(&fh->cap.vb_lock);
3093
3161
3094
3162
return 0;
3095
3163
}
···
3156
3228
return videobuf_poll_stream(file, &fh->vbi, wait);
3157
3229
}
3158
3230
3159
-
mutex_lock(&fh->cap.vb_lock);
3160
3231
if (check_btres(fh,RESOURCE_VIDEO_STREAM)) {
3161
3232
/* streaming capture */
3162
3233
if (list_empty(&fh->cap.stream))
···
3190
3263
else
3191
3264
rc = 0;
3192
3265
err:
3193
-
mutex_unlock(&fh->cap.vb_lock);
3194
3266
return rc;
3195
3267
}
3196
3268
···
3229
3303
* Let's first copy btv->init at fh, holding cap.vb_lock, and then work
3230
3304
* with the rest of init, holding btv->lock.
3231
3305
*/
3232
-
mutex_lock(&fh->cap.vb_lock);
3233
3306
*fh = btv->init;
3234
-
mutex_unlock(&fh->cap.vb_lock);
3235
3307
3236
3308
fh->type = type;
3237
3309
fh->ov.setup_ok = 0;
3238
3310
3239
-
mutex_lock(&btv->lock);
3240
3311
v4l2_prio_open(&btv->prio, &fh->prio);
3241
3312
3242
3313
videobuf_queue_sg_init(&fh->cap, &bttv_video_qops,
···
3241
3318
V4L2_BUF_TYPE_VIDEO_CAPTURE,
3242
3319
V4L2_FIELD_INTERLACED,
3243
3320
sizeof(struct bttv_buffer),
3244
-
fh, NULL);
3321
+
fh, &btv->lock);
3245
3322
videobuf_queue_sg_init(&fh->vbi, &bttv_vbi_qops,
3246
3323
&btv->c.pci->dev, &btv->s_lock,
3247
3324
V4L2_BUF_TYPE_VBI_CAPTURE,
3248
3325
V4L2_FIELD_SEQ_TB,
3249
3326
sizeof(struct bttv_buffer),
3250
-
fh, NULL);
3327
+
fh, &btv->lock);
3251
3328
set_tvnorm(btv,btv->tvnorm);
3252
3329
set_input(btv, btv->input, btv->tvnorm);
3253
3330
···
3270
3347
bttv_vbi_fmt_reset(&fh->vbi_fmt, btv->tvnorm);
3271
3348
3272
3349
bttv_field_count(btv);
3273
-
mutex_unlock(&btv->lock);
3274
3350
return 0;
3275
3351
}
3276
3352
···
3278
3356
struct bttv_fh *fh = file->private_data;
3279
3357
struct bttv *btv = fh->btv;
3280
3358
3281
-
mutex_lock(&btv->lock);
3282
3359
/* turn off overlay */
3283
3360
if (check_btres(fh, RESOURCE_OVERLAY))
3284
3361
bttv_switch_overlay(btv,fh,NULL);
···
3307
3386
* videobuf uses cap.vb_lock - we should avoid holding btv->lock,
3308
3387
* otherwise we may have dead lock conditions
3309
3388
*/
3310
-
mutex_unlock(&btv->lock);
3311
3389
videobuf_mmap_free(&fh->cap);
3312
3390
videobuf_mmap_free(&fh->vbi);
3313
-
mutex_lock(&btv->lock);
3314
3391
v4l2_prio_close(&btv->prio, fh->prio);
3315
3392
file->private_data = NULL;
3316
3393
kfree(fh);
···
3318
3399
3319
3400
if (!btv->users)
3320
3401
audio_mute(btv, 1);
3321
-
mutex_unlock(&btv->lock);
3322
3402
3323
3403
return 0;
3324
3404
}
···
3421
3503
if (unlikely(!fh))
3422
3504
return -ENOMEM;
3423
3505
file->private_data = fh;
3424
-
mutex_lock(&fh->cap.vb_lock);
3425
3506
*fh = btv->init;
3426
-
mutex_unlock(&fh->cap.vb_lock);
3427
3507
3428
-
mutex_lock(&btv->lock);
3429
3508
v4l2_prio_open(&btv->prio, &fh->prio);
3430
3509
3431
3510
btv->radio_user++;
···
3430
3515
bttv_call_all(btv, tuner, s_radio);
3431
3516
audio_input(btv,TVAUDIO_INPUT_RADIO);
3432
3517
3433
-
mutex_unlock(&btv->lock);
3434
3518
return 0;
3435
3519
}
3436
3520
···
3439
3525
struct bttv *btv = fh->btv;
3440
3526
struct rds_command cmd;
3441
3527
3442
-
mutex_lock(&btv->lock);
3443
3528
v4l2_prio_close(&btv->prio, fh->prio);
3444
3529
file->private_data = NULL;
3445
3530
kfree(fh);
···
3446
3533
btv->radio_user--;
3447
3534
3448
3535
bttv_call_all(btv, core, ioctl, RDS_CMD_CLOSE, &cmd);
3449
-
mutex_unlock(&btv->lock);
3450
3536
3451
3537
return 0;
3452
3538
}
···
3474
3562
return -EINVAL;
3475
3563
if (0 != t->index)
3476
3564
return -EINVAL;
3477
-
mutex_lock(&btv->lock);
3478
3565
strcpy(t->name, "Radio");
3479
3566
t->type = V4L2_TUNER_RADIO;
3480
3567
···
3481
3570
3482
3571
if (btv->audio_mode_gpio)
3483
3572
btv->audio_mode_gpio(btv, t, 0);
3484
-
3485
-
mutex_unlock(&btv->lock);
3486
3573
3487
3574
return 0;
3488
3575
}
···
3602
3693
.open = radio_open,
3603
3694
.read = radio_read,
3604
3695
.release = radio_release,
3605
-
.ioctl = video_ioctl2,
3696
+
.unlocked_ioctl = video_ioctl2,
3606
3697
.poll = radio_poll,
3607
3698
};
3608
3699