[v2] media: ov5640: fix use of destroyed mutex
Commit Message
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set
to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the
sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting
in the use of the destroyed mutex.
Fix this by calling moving the mutex_destroy() to the end of the cleanup
sequence, as there's no need to destroy the mutex as early as possible.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@vger.kernel.org
---
drivers/media/i2c/ov5640.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Reviewed-by: Benoit Parrot <bparrot@ti.com>
On 3/13/20 8:19 AM, Tomi Valkeinen wrote:
> v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set
> to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the
> sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting
> in the use of the destroyed mutex.
>
> Fix this by calling moving the mutex_destroy() to the end of the cleanup
> sequence, as there's no need to destroy the mutex as early as possible.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> Cc: stable@vger.kernel.org
> ---
> drivers/media/i2c/ov5640.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
> index 854031f0b64a..2fe4a7ac0592 100644
> --- a/drivers/media/i2c/ov5640.c
> +++ b/drivers/media/i2c/ov5640.c
> @@ -3093,8 +3093,8 @@ static int ov5640_probe(struct i2c_client *client)
> free_ctrls:
> v4l2_ctrl_handler_free(&sensor->ctrls.handler);
> entity_cleanup:
> - mutex_destroy(&sensor->lock);
> media_entity_cleanup(&sensor->sd.entity);
> + mutex_destroy(&sensor->lock);
> return ret;
> }
>
> @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client)
> struct ov5640_dev *sensor = to_ov5640_dev(sd);
>
> v4l2_async_unregister_subdev(&sensor->sd);
> - mutex_destroy(&sensor->lock);
> media_entity_cleanup(&sensor->sd.entity);
> v4l2_ctrl_handler_free(&sensor->ctrls.handler);
> + mutex_destroy(&sensor->lock);
>
> return 0;
> }
>
@@ -3093,8 +3093,8 @@ static int ov5640_probe(struct i2c_client *client)
free_ctrls:
v4l2_ctrl_handler_free(&sensor->ctrls.handler);
entity_cleanup:
- mutex_destroy(&sensor->lock);
media_entity_cleanup(&sensor->sd.entity);
+ mutex_destroy(&sensor->lock);
return ret;
}
@@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client)
struct ov5640_dev *sensor = to_ov5640_dev(sd);
v4l2_async_unregister_subdev(&sensor->sd);
- mutex_destroy(&sensor->lock);
media_entity_cleanup(&sensor->sd.entity);
v4l2_ctrl_handler_free(&sensor->ctrls.handler);
+ mutex_destroy(&sensor->lock);
return 0;
}