diff options
author | Hans Verkuil <hverkuil@xs4all.nl> | 2018-11-13 09:06:46 -0500 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab+samsung@kernel.org> | 2018-11-23 05:54:22 -0500 |
commit | cd26d1c4d1bc947b56ae404998ae2276df7b39b7 (patch) | |
tree | ad9e1dc8c7f642dd9f7c34ba0d8f0136ae9429c1 /drivers/media/i2c/adv7604.c | |
parent | 2e84eb9affac43eeaf834992888b72426a8cd442 (diff) | |
download | linux-cd26d1c4d1bc947b56ae404998ae2276df7b39b7.tar.bz2 |
media: vb2: vb2_mmap: move lock up
If a filehandle is dup()ped, then it is possible to close it from one fd
and call mmap from the other. This creates a race condition in vb2_mmap
where it is using queue data that __vb2_queue_free (called from close())
is in the process of releasing.
By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
now reads consistent buffer data.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Diffstat (limited to 'drivers/media/i2c/adv7604.c')
0 files changed, 0 insertions, 0 deletions