V4L/DVB: gspca - main: Possible race condition in queue management
author Jean-François Moine <moinejf@free.fr>
Tue, 6 Jul 2010 07:16:40 +0000 (04:16 -0300)
committer Mauro Carvalho Chehab <mchehab@redhat.com>
Mon, 2 Aug 2010 19:42:47 +0000 (16:42 -0300)
The problem may occur with SMP:
- a frame is completed at interrupt level (in gspca_frame_add with
  packet_type == LAST_PACKET),
- just after clearing the bit V4L2_BUF_FLAG_QUEUED and before setting
  the bit V4L2_BUF_FLAG_DONE, on the other processor, the application
  tries to requeue the same frame buffer,
- then, the qbuf function succeeds because ALL_FLAGS are not set.
The fix sets and resets the two flags in one instruction.

Reported-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jean-François Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/video/gspca/gspca.c

index 8e822ed..2dc7270 100644
@@ -466,8 +466,9 @@ void gspca_frame_add(struct gspca_dev *gspca_dev,
                j = gspca_dev->fr_queue[i];
                frame = &gspca_dev->frame[j];
                frame->v4l2_buf.bytesused = gspca_dev->image_len;
-               frame->v4l2_buf.flags &= ~V4L2_BUF_FLAG_QUEUED;
-               frame->v4l2_buf.flags |= V4L2_BUF_FLAG_DONE;
+               frame->v4l2_buf.flags = (frame->v4l2_buf.flags
+                                        | V4L2_BUF_FLAG_DONE)
+                                       & ~V4L2_BUF_FLAG_QUEUED;
                wake_up_interruptible(&gspca_dev->wq);  /* event = new frame */
                i = (i + 1) % gspca_dev->nframes;
                gspca_dev->fr_i = i;
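Review bot: the combined assignment `frame->v4l2_buf.flags = (frame->v4l2_buf.flags | V4L2_BUF_FLAG_DONE) & ~V4L2_BUF_FLAG_QUEUED;` closes the window in which neither QUEUED nor DONE is set, which is the race the commit message describes, but it is still a non-atomic read-modify-write of `flags` (a load, the bit arithmetic, then one store), not "one instruction" as the message says; a concurrent read-modify-write of the same word on the other CPU, such as the qbuf requeue path mentioned in the message setting V4L2_BUF_FLAG_QUEUED, can still lose one side's update. If that is acceptable because every other writer of these flag bits runs under the queue lock, a one-line comment above the assignment stating that the single store is deliberate would keep a later cleanup from splitting it back into the original two statements; otherwise the update belongs under the same lock as qbuf or in atomic bit operations.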