diff mbox series

media: ov5640: fix use of destroyed mutex

Message ID	20200313082258.6930-1-tomi.valkeinen@ti.com (mailing list archive)
State	Superseded, archived
Delegated to:	Sakari Ailus
Headers	From: Tomi Valkeinen <tomi.valkeinen@ti.com> To: Steve Longerbeam <slongerbeam@gmail.com>, Mauro Carvalho Chehab <mchehab@kernel.org>, <linux-media@vger.kernel.org>, Benoit Parrot <bparrot@ti.com> CC: Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Tomi Valkeinen <tomi.valkeinen@ti.com>, <stable@vger.kernel.org> Subject: [PATCH] media: ov5640: fix use of destroyed mutex Date: Fri, 13 Mar 2020 10:22:58 +0200 Message-ID: <20200313082258.6930-1-tomi.valkeinen@ti.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-media-owner@vger.kernel.org Precedence: bulk
Series	media: ov5640: fix use of destroyed mutex \| media: ov5640: fix use of destroyed mutex

Commit Message

Tomi Valkeinen March 13, 2020, 8:22 a.m. UTC

  v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set
to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the
sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting
in the use of the destroyed mutex.

Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy().

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: stable@vger.kernel.org
---
 drivers/media/i2c/ov5640.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Laurent Pinchart March 13, 2020, 11:45 a.m. UTC | #1

Hi Tomi,

Thank you for the patch.

On Fri, Mar 13, 2020 at 10:22:58AM +0200, Tomi Valkeinen wrote:
> v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set
> to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the
> sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting
> in the use of the destroyed mutex.
> 
> Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy().
> 
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Cc: stable@vger.kernel.org
> ---
>  drivers/media/i2c/ov5640.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
> index 854031f0b64a..64511de4eea8 100644
> --- a/drivers/media/i2c/ov5640.c
> +++ b/drivers/media/i2c/ov5640.c
> @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client)
>  	struct ov5640_dev *sensor = to_ov5640_dev(sd);
>  
>  	v4l2_async_unregister_subdev(&sensor->sd);
> +	v4l2_ctrl_handler_free(&sensor->ctrls.handler);
>  	mutex_destroy(&sensor->lock);
>  	media_entity_cleanup(&sensor->sd.entity);
> -	v4l2_ctrl_handler_free(&sensor->ctrls.handler);

While at it, could you move the mutex after media_entity_cleanup() too,
to avoid future problems in case it gets used through that path ?

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

>  
>  	return 0;
>  }

diff mbox series

Patch

diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
index 854031f0b64a..64511de4eea8 100644
--- a/drivers/media/i2c/ov5640.c
+++ b/drivers/media/i2c/ov5640.c
@@ -3104,9 +3104,9 @@  static int ov5640_remove(struct i2c_client *client)
 	struct ov5640_dev *sensor = to_ov5640_dev(sd);
 
 	v4l2_async_unregister_subdev(&sensor->sd);
+	v4l2_ctrl_handler_free(&sensor->ctrls.handler);
 	mutex_destroy(&sensor->lock);
 	media_entity_cleanup(&sensor->sd.entity);
-	v4l2_ctrl_handler_free(&sensor->ctrls.handler);
 
 	return 0;
 }