3.18-stable review patch. If anyone has any objections, please let me know.
------------------ From: Hans Verkuil <hverk...@xs4all.nl> commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream. If a filehandle is dup()ped, then it is possible to close it from one fd and call mmap from the other. This creates a race condition in vb2_mmap where it is using queue data that __vb2_queue_free (called from close()) is in the process of releasing. By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided since __vb2_queue_free is called with the same mutex locked. So vb2_mmap now reads consistent buffer data. Signed-off-by: Hans Verkuil <hverk...@xs4all.nl> Reported-by: syzbot+be93025dd45dccd89...@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hansv...@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+sams...@kernel.org> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> --- drivers/media/v4l2-core/videobuf2-core.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -2474,9 +2474,13 @@ int vb2_mmap(struct vb2_queue *q, struct return -EINVAL; } } + + mutex_lock(&q->mmap_lock); + if (vb2_fileio_is_active(q)) { dprintk(1, "mmap: file io in progress\n"); - return -EBUSY; + ret = -EBUSY; + goto unlock; } /* @@ -2484,7 +2488,7 @@ int vb2_mmap(struct vb2_queue *q, struct */ ret = __find_plane_by_offset(q, off, &buffer, &plane); if (ret) - return ret; + goto unlock; vb = q->bufs[buffer]; @@ -2500,8 +2504,9 @@ int vb2_mmap(struct vb2_queue *q, struct return -EINVAL; } - mutex_lock(&q->mmap_lock); ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma); + +unlock: mutex_unlock(&q->mmap_lock); if (ret) return ret;
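Review bot: a short comment above the new `mutex_lock(&q->mmap_lock);` would help future readers, since nothing in the code explains why the lock must now be taken this early: it has to cover the `vb2_fileio_is_active()` check and the later `q->bufs[buffer]` lookup because `__vb2_queue_free()` (run from close() on a dup()ped fd) releases that queue data under the same mutex. Something like `/* Serializes against __vb2_queue_free() when another fd closes the queue. */` keeps the reasoning from the commit message next to the lock itself. The `return -EINVAL;` lines in this hunk's leading context sit before the lock, so they need no change.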
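Review bot: the `return -EINVAL;` that appears as leading context in the last hunk (the check just above the removed `mutex_lock(&q->mmap_lock);`) is now reached with `mmap_lock` held, because the first hunk moves the lock above `vb2_fileio_is_active()`, yet it still returns directly instead of going through the new `unlock:` label. That path leaks the mutex, and the next `mmap()` or `close()` on the queue would then block forever on `mmap_lock`. Convert it the same way as the other early exits in this patch: `ret = -EINVAL;` followed by `goto unlock;`.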