mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-04 01:24:12 +08:00
d65842f712
Calling VIDIOC_DQBUF can release the core serialization lock pointed to by vb2_queue->lock if it has to wait for a new buffer to arrive. However, if userspace dup()ped the video device filehandle, then it is possible to read or call DQBUF from two filehandles at the same time. It is also possible to call REQBUFS from one filehandle while the other is waiting for a buffer. This will remove all the buffers and reallocate new ones. Removing all the buffers isn't the problem here (that's already handled correctly by DQBUF), but the reallocating part is: DQBUF isn't aware that the buffers have changed. This is fixed by setting a flag whenever the lock is released while waiting for a buffer to arrive. And checking the flag where needed so we can return -EBUSY. Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Reported-by: Syzbot <syzbot+4180ff9ca6810b06c1e9@syzkaller.appspotmail.com> Reviewed-by: Tomasz Figa <tfiga@chromium.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> |
||
|---|---|---|
| .. | ||
| cec | ||
| common | ||
| dvb-core | ||
| dvb-frontends | ||
| firewire | ||
| i2c | ||
| mmc | ||
| pci | ||
| platform | ||
| radio | ||
| rc | ||
| spi | ||
| tuners | ||
| usb | ||
| v4l2-core | ||
| Kconfig | ||
| Makefile | ||
| media-dev-allocator.c | ||
| media-device.c | ||
| media-devnode.c | ||
| media-entity.c | ||
| media-request.c | ||