media: v4l2-ctrls: improve media_request_(un)lock_for_update

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The request reference count was decreased again once a reference to the
request object was taken. Postpone this until we finished using the object.

In theory I think it is possible that the request_fd can be closed by
the application from another thread. In that case when request_put is
called the whole request would be freed.

It's highly unlikely, but let's just be safe and fix this potential
race condition.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

authored by

Hans Verkuil and committed by

Mauro Carvalho Chehab 7 years ago ffda0b4c ca6c1633

+3 -3

1 changed file

expand all

drivers

media

v4l2-core

v4l2-ctrls.c

+3 -3

drivers/media/v4l2-core/v4l2-ctrls.c

··· 3657 3657 } 3658 3658 3659 3659 obj = v4l2_ctrls_find_req_obj(hdl, req, set); 3660 - /* Reference to the request held through obj */ 3661 - media_request_put(req); 3662 3660 if (IS_ERR(obj)) { 3663 3661 media_request_unlock_for_update(req); 3662 + media_request_put(req); 3664 3663 return PTR_ERR(obj); 3665 3664 } 3666 3665 hdl = container_of(obj, struct v4l2_ctrl_handler, ··· 3669 3670 ret = try_set_ext_ctrls_common(fh, hdl, cs, set); 3670 3671 3671 3672 if (obj) { 3672 - media_request_unlock_for_update(obj->req); 3673 + media_request_unlock_for_update(req); 3673 3674 media_request_object_put(obj); 3675 + media_request_put(req); 3674 3676 } 3675 3677 3676 3678 return ret;