The create_bufs and remove_bufs ioctl calls manipulate the queue's internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Simply forbid those calls when fileio is active, to protect the internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: 2d86401c2cbf ("[media] V4L: vb2: add support for buffers of different sizes on a single queue") Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com --- drivers/media/common/videobuf2/videobuf2-v4l2.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
index d911021c1bb0..f4104d5971dd 100644
--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
@@ -751,6 +751,11 @@ int vb2_create_bufs(struct vb2_queue *q, struct v4l2_create_buffers *create)
 int ret = vb2_verify_memory_type(q, create->memory, f->type);
 unsigned i;
+ if (vb2_fileio_is_active(q)) {
+ dprintk(q, 1, "file io in progress\n");
+ return -EBUSY;
+ }
+
 create->index = vb2_get_num_buffers(q);
 vb2_set_flags_and_caps(q, create->memory, &create->flags, &create->capabilities, &create->max_num_buffers);
@@ -1010,6 +1015,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
 if (vb2_queue_is_busy(vdev->queue, file))
 return -EBUSY;
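Review bot: The new `if (vb2_fileio_is_active(q))` return in vb2_create_bufs sits after `ret` has been computed by vb2_verify_memory_type() and before `create->index` and the flags/capabilities are filled in, so a caller that hits it gets -EBUSY with none of the output fields set and with any validation error held in `ret` discarded. If vb2_verify_memory_type() already rejects a queue with fileio active (its body is not in this hunk), the added check is redundant, and if the function has a path that only queries state without allocating (also outside the hunk), that path now fails as well. Whichever is intended, a comment above the check would record it, for example `/* legacy fileio keeps pointers into the buffer list; do not let CREATE_BUFS change it */`. The function body continues outside the hunk.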
+ if (vb2_fileio_is_active(vdev->queue)) {
+ dprintk(vdev->queue, 1, "file io in progress\n");
+ return -EBUSY;
+ }
+
 return vb2_core_remove_bufs(vdev->queue, d->index, d->count);
 }
 EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs);
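Review bot: The guard added to vb2_ioctl_remove_bufs covers only callers that go through this ioctl helper; vb2_core_remove_bufs(), called on the last line of the function, still accepts a queue with fileio active. The first hunk puts the equivalent check in vb2_create_bufs rather than in an ioctl helper, so the two paths are guarded at different layers. If any caller reaches vb2_core_remove_bufs() without this helper (not visible here), the pointer overwrite described in the commit message stays reachable; consider moving the check into the core function, or document the requirement there with a comment such as `/* callers must ensure fileio is not active */`. It is also worth confirming that the check and the removal run under the same queue lock, so that fileio cannot start between them.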