forked from luck/tmp_suning_uos_patched
df4a3e7f88
There's a race condition between the list_del_init in the v4l2_ctrl_request_complete, and the list_add_tail in the v4l2_ctrl_request_queue, since they can be called in different threads and the requests_queued list is not protected by a lock. This can lead to that the v4l2_ctrl_handler is still in the requests_queued list while the request_is_queued is already set to false, which would cause use-after-free if the v4l2_ctrl_handler is later released.

Fix this by locking the ->lock of main_hdl (which is the owner of the requests_queued list) when doing list operations on the ->requests_queued list.

Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

||
---|---|---|
Kconfig | ||
Makefile | ||
tuner-core.c | ||
v4l2-async.c | ||
v4l2-clk.c | ||
v4l2-common.c | ||
v4l2-compat-ioctl32.c | ||
v4l2-ctrls.c | ||
v4l2-dev.c | ||
v4l2-device.c | ||
v4l2-dv-timings.c | ||
v4l2-event.c | ||
v4l2-fh.c | ||
v4l2-flash-led-class.c | ||
v4l2-fwnode.c | ||
v4l2-i2c.c | ||
v4l2-ioctl.c | ||
v4l2-mc.c | ||
v4l2-mem2mem.c | ||
v4l2-spi.c | ||
v4l2-subdev.c | ||
v4l2-trace.c | ||
videobuf-core.c | ||
videobuf-dma-contig.c | ||
videobuf-dma-sg.c | ||
videobuf-vmalloc.c |