linux-hardened/include
Shuah Khan 90cd366bc6 [media] media: Protect enable_source and disable_source handler code paths
Drivers might try to access and run enable_source and disable_source
handlers when the driver that implements these handlers is clearing
the handlers during its unregister.

Fix the following race condition:

process 1				process 2

request video streaming			unbind au0828
v4l2 checks if tuner is free
...					...

					au0828_unregister_media_device()
...					...
					(doesn't hold graph_mutex)
					mdev->enable_source = NULL;
if (mdev && mdev->enable_source)	mdev->disable_source = NULL;
	mdev->enable_source()
(enable_source holds graph_mutex)

As shown above enable_source check is done without holding the graph_mutex.
If unbind happens to be in progress, au0828 could clear enable_source and
disable_source handlers leading to null pointer de-reference.

Fix it by protecting enable_source and disable_source set and clear and
protecting enable_source and disable_source handler access and the call
itself.

process 1				process 2

request video streaming			unbind au0828
v4l2 checks if tuner is free
...					...

					au0828_unregister_media_device()
...					...
					(hold graph_mutex while clearing)
					mdev->enable_source = NULL;
if (mdev)				mdev->disable_source = NULL;
(hold graph_mutex to check and
 call enable_source)
    if (mdev->enable_source)
	mdev->enable_source()

If graph_mutex is held to just heck for handler being null and needs to be
released before calling the handler, there will be another window for the
handlers to be cleared. Hence, enable_source and disable_source handlers
no longer hold the graph_mutex and expect callers to hold it to avoid
forcing them release the graph_mutex before calling the handlers.

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-02-03 07:39:35 -02:00
..
acpi More ACPI updates for v4.10-rc1 2016-12-22 10:19:32 -08:00
asm-generic Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
clocksource
crypto This pull contains one set of changes: a conversion of the crypto DocBook 2016-12-17 16:00:34 -08:00
drm Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
dt-bindings dt: bindings: net: use boolean dt properties for eee broken modes 2016-12-20 13:50:50 -05:00
keys
kvm clocksource: Use a plain u64 instead of cycle_t 2016-12-25 11:04:12 +01:00
linux [media] ir-rx51: port to rc-core 2017-01-30 14:25:04 -02:00
math-emu
media [media] media: Protect enable_source and disable_source handler code paths 2017-02-03 07:39:35 -02:00
memory
misc
net ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
pcmcia
ras
rdma Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
rxrpc
scsi linux: drop __bitwise__ everywhere 2016-12-16 00:13:41 +02:00
soc powerpc updates for 4.10 2016-12-16 09:26:42 -08:00
sound sound updates for 4.10-rc1 2016-12-14 11:14:28 -08:00
target Merge branch 'scsi-target-for-v4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/bvanassche/linux 2016-12-21 10:16:05 -08:00
trace Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-12-25 14:30:04 -08:00
uapi Linux 4.10-rc1 2016-12-26 14:11:35 -02:00
video
xen xen: features and fixes for 4.10 rc0 2016-12-13 16:07:55 -08:00
Kbuild