v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.
Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy().
Signed-off-by: Tomi Valkeinen tomi.valkeinen@ti.com Cc: stable@vger.kernel.org --- drivers/media/i2c/ov5640.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..64511de4eea8 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd);
v4l2_async_unregister_subdev(&sensor->sd); + v4l2_ctrl_handler_free(&sensor->ctrls.handler); mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); - v4l2_ctrl_handler_free(&sensor->ctrls.handler);
return 0; }
Hi Tomi,
Thank you for the patch.
On Fri, Mar 13, 2020 at 10:22:58AM +0200, Tomi Valkeinen wrote:
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.
Fix this by calling v4l2_ctrl_handler_free() before mutex_destroy().
Signed-off-by: Tomi Valkeinen tomi.valkeinen@ti.com Cc: stable@vger.kernel.org
drivers/media/i2c/ov5640.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..64511de4eea8 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd); v4l2_async_unregister_subdev(&sensor->sd);
- v4l2_ctrl_handler_free(&sensor->ctrls.handler); mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity);
- v4l2_ctrl_handler_free(&sensor->ctrls.handler);
While at it, could you move the mutex after media_entity_cleanup() too, to avoid future problems in case it gets used through that path ?
Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com
return 0; }
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.
Fix this by calling moving the mutex_destroy() to the end of the cleanup sequence, as there's no need to destroy the mutex as early as possible.
Signed-off-by: Tomi Valkeinen tomi.valkeinen@ti.com Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Cc: stable@vger.kernel.org --- drivers/media/i2c/ov5640.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..2fe4a7ac0592 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3093,8 +3093,8 @@ static int ov5640_probe(struct i2c_client *client) free_ctrls: v4l2_ctrl_handler_free(&sensor->ctrls.handler); entity_cleanup: - mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); + mutex_destroy(&sensor->lock); return ret; }
@@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd);
v4l2_async_unregister_subdev(&sensor->sd); - mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); v4l2_ctrl_handler_free(&sensor->ctrls.handler); + mutex_destroy(&sensor->lock);
return 0; }
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.5.9, v5.4.25, v4.19.109, v4.14.173, v4.9.216, v4.4.216.
v5.5.9: Build OK! v5.4.25: Build OK! v4.19.109: Build OK! v4.14.173: Build OK! v4.9.216: Failed to apply! Possible dependencies: 19a81c1426c1 ("[media] add Omnivision OV5640 sensor driver") 34aa88790bad ("[media] ov2640: convert from soc-camera to a standard subdev sensor driver") 6713c88fd047 ("[media] media: i2c: soc_camera: constify v4l2_subdev_* structures") 9823f003b96c ("[media] ov2640: fix colorspace handling") 9cae97221aab ("[media] media: Add a driver for the ov5645 camera sensor")
v4.4.216: Failed to apply! Possible dependencies: 10d5509c8d50 ("[media] v4l2: remove g/s_crop from video ops") 163c9bca101c ("[media] tuner.h: rename TUNER_PAD_IF_OUTPUT to TUNER_PAD_OUTPUT") 19a81c1426c1 ("[media] add Omnivision OV5640 sensor driver") 21c29de1d090 ("[media] v4l2-subdev.h: Improve documentation") 32fdc0e1a87c ("[media] uapi/media.h: Fix entity namespace") 34aa88790bad ("[media] ov2640: convert from soc-camera to a standard subdev sensor driver") 684ffa2d5538 ("[media] doc-rst: split media_drivers.rst into one file per API type") 6aad127d37b6 ("[media] v4l2-mc.h: move tuner PAD definitions to this new header") 8211b187ec64 ("[media] dvbdev: add support for interfaces") 89cb3ddbe7cc ("[media] doc-rst: Fix conversion for v4l2 core functions") 8df00a15817e ("[media] media: rename the function that create pad links") 9823f003b96c ("[media] ov2640: fix colorspace handling") 9cae97221aab ("[media] media: Add a driver for the ov5645 camera sensor") a0cce2a05756 ("[media] dvbdev: create links on devices with multiple frontends") d26a5d4350fd ("[media] doc-rst: Convert media API to rst") dd3a46bbbe1d ("[media] tvp5150: Add g_mbus_config subdev operation support") df2f94e563ed ("[media] dvb: modify core to implement interfaces/entities at MC new gen")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
Reviewed-by: Benoit Parrot bparrot@ti.com
On 3/13/20 8:19 AM, Tomi Valkeinen wrote:
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.
Fix this by calling moving the mutex_destroy() to the end of the cleanup sequence, as there's no need to destroy the mutex as early as possible.
Signed-off-by: Tomi Valkeinen tomi.valkeinen@ti.com Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Cc: stable@vger.kernel.org
drivers/media/i2c/ov5640.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..2fe4a7ac0592 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3093,8 +3093,8 @@ static int ov5640_probe(struct i2c_client *client) free_ctrls: v4l2_ctrl_handler_free(&sensor->ctrls.handler); entity_cleanup:
- mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity);
- mutex_destroy(&sensor->lock); return ret;
} @@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd); v4l2_async_unregister_subdev(&sensor->sd);
- mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); v4l2_ctrl_handler_free(&sensor->ctrls.handler);
- mutex_destroy(&sensor->lock);
return 0; }
v4l2_ctrl_handler_free() uses hdl->lock, which in ov5640 driver is set to sensor's own sensor->lock. In ov5640_remove(), the driver destroys the sensor->lock first, and then calls v4l2_ctrl_handler_free(), resulting in the use of the destroyed mutex.
Fix this by calling moving the mutex_destroy() to the end of the cleanup sequence, as there's no need to destroy the mutex as early as possible.
Signed-off-by: Tomi Valkeinen tomi.valkeinen@ti.com Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Cc: stable@vger.kernel.org # v4.14+ Reviewed-by: Benoit Parrot bparrot@ti.com ---
Added reviewed-by from Benoit Added stable version
drivers/media/i2c/ov5640.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c index 854031f0b64a..2fe4a7ac0592 100644 --- a/drivers/media/i2c/ov5640.c +++ b/drivers/media/i2c/ov5640.c @@ -3093,8 +3093,8 @@ static int ov5640_probe(struct i2c_client *client) free_ctrls: v4l2_ctrl_handler_free(&sensor->ctrls.handler); entity_cleanup: - mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); + mutex_destroy(&sensor->lock); return ret; }
@@ -3104,9 +3104,9 @@ static int ov5640_remove(struct i2c_client *client) struct ov5640_dev *sensor = to_ov5640_dev(sd);
v4l2_async_unregister_subdev(&sensor->sd); - mutex_destroy(&sensor->lock); media_entity_cleanup(&sensor->sd.entity); v4l2_ctrl_handler_free(&sensor->ctrls.handler); + mutex_destroy(&sensor->lock);
return 0; }
linux-stable-mirror@lists.linaro.org
-
Benoit Parrot -
Laurent Pinchart -
Sasha Levin -
Tomi Valkeinen