cx88: hold device lock during sub-driver initialization

BugLink: http://bugs.launchpad.net/bugs/793702

commit 1d6213ab995c61f7d1d81cf6cf876acf15d6e714 upstream.

cx8802_blackbird_probe makes a device node for the mpeg sub-device
before it has been added to dev->drvlist.  If the device is opened
during that time, the open succeeds but request_acquire cannot be
called, so the reference count remains zero.  Later, when the device
is closed, the reference count becomes negative --- uh oh.

Close the race by holding core->lock during probe and not releasing
until the device is in drvlist and initialization finished.
Previously the BKL prevented this race.

Reported-by: Andreas Huber <hobrom@gmx.at>
Tested-by: Andi Huber <hobrom@gmx.at>
Tested-by: Marlon de Boer <marlon@hyves.nl>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/drivers/media/video/cx88/cx88-blackbird.c b/drivers/media/video/cx88/cx88-blackbird.c
index a6f7d53..f637d34 100644 (file)
--- a/drivers/media/video/cx88/cx88-blackbird.c
+++ b/drivers/media/video/cx88/cx88-blackbird.c
@@ -1335,11 +1335,9 @@ static int cx8802_blackbird_probe(struct cx8802_driver *drv)
        blackbird_register_video(dev);
 
        /* initial device configuration: needed ? */
-       mutex_lock(&dev->core->lock);
 //     init_controls(core);
        cx88_set_tvnorm(core,core->tvnorm);
        cx88_video_mux(core,0);
-       mutex_unlock(&dev->core->lock);
 
        return 0;
 

diff --git a/drivers/media/video/cx88/cx88-mpeg.c b/drivers/media/video/cx88/cx88-mpeg.c
index 9147c16..497f26f 100644 (file)
--- a/drivers/media/video/cx88/cx88-mpeg.c
+++ b/drivers/media/video/cx88/cx88-mpeg.c
@@ -709,18 +709,17 @@ int cx8802_register_driver(struct cx8802_driver *drv)
                drv->request_release = cx8802_request_release;
                memcpy(driver, drv, sizeof(*driver));
 
+               mutex_lock(&drv->core->lock);
                err = drv->probe(driver);
                if (err == 0) {
                        i++;
-                       mutex_lock(&drv->core->lock);
                        list_add_tail(&driver->drvlist, &dev->drvlist);
-                       mutex_unlock(&drv->core->lock);
                } else {
                        printk(KERN_ERR
                               "%s/2: cx8802 probe failed, err = %d\n",
                               dev->core->name, err);
                }
-
+               mutex_unlock(&drv->core->lock);
        }
 
        return i ? 0 : -ENODEV;

diff --git a/drivers/media/video/cx88/cx88.h b/drivers/media/video/cx88/cx88.h
index e912919..93a94bf 100644 (file)
--- a/drivers/media/video/cx88/cx88.h
+++ b/drivers/media/video/cx88/cx88.h
@@ -495,13 +495,10 @@ struct cx8802_driver {
        int (*suspend)(struct pci_dev *pci_dev, pm_message_t state);
        int (*resume)(struct pci_dev *pci_dev);
 
-       /* MPEG 8802 -> mini driver - Driver probe and configuration */
-
-       /* Caller must _not_ hold core->lock */
-       int (*probe)(struct cx8802_driver *drv);
-
        /* Callers to the following functions must hold core->lock */
 
+       /* MPEG 8802 -> mini driver - Driver probe and configuration */
+       int (*probe)(struct cx8802_driver *drv);
        int (*remove)(struct cx8802_driver *drv);
 
        /* MPEG 8802 -> mini driver - Access for hardware control */