author | Mark Salyzyn <salyzyn@google.com> | 2016-05-17 13:23:32 -0700 |
---|---|---|
committer | Winnie Hsu <whsu@nvidia.com> | 2017-05-16 12:38:21 -0700 |
commit | 44a90765971303f210e2f3017f723b59ab66e67a (patch) | |
tree | 9bad699820915e0e1cb17d219be2e84156edaaf1 | |
parent | 47f46d91bdd0ec42cf688dda09dcd187afdadffd (diff) |
tegra: camera race condition vulnerability
- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.
(Back ported from Nexus N9 project)
Bug 1832830
Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
-rw-r--r-- | drivers/media/platform/tegra/camera.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c
index be541b921ec5..041c830501ef 100644
--- a/drivers/media/platform/tegra/camera.c
+++ b/drivers/media/platform/tegra/camera.c
@@ -878,31 +878,46 @@ static long camera_ioctl(struct file *file,
 break;
 case PCLLK_IOCTL_DEV_DEL:
 mutex_lock(cam_desc.d_mutex);
+ if (!cam->cdev) {
+ err = -ENODEV;
+ mutex_unlock(cam_desc.d_mutex);
+ break;
+ }
 list_del(&cam->cdev->list);
- mutex_unlock(cam_desc.d_mutex);
 camera_remove_device(cam->cdev, true);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_DEV_FREE:
 err = camera_free_device(cam, arg);
 break;
 case PCLLK_IOCTL_SEQ_WR:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_seq_wr(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_SEQ_RD:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_seq_rd(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_PARAM_RD:
 /* err = camera_param_rd(cam, arg); */
 break;
 case PCLLK_IOCTL_PWR_WR:
 /* This is a Guaranteed Level of Service (GLOS) call */
+ mutex_lock(cam_desc.d_mutex);
 err = camera_dev_pwr_set(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_PWR_RD:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_dev_pwr_get(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_UPDATE:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_update(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_LAYOUT_WR:
 err = camera_layout_update(cam, arg);
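Review bot: In the PCLLK_IOCTL_DEV_DEL case nothing visible clears `cam->cdev` after `camera_remove_device(cam->cdev, true)`, so the new `if (!cam->cdev)` guard only stops a repeated delete if the pointer is reset somewhere outside this hunk. If camera_remove_device() does not do that, add `cam->cdev = NULL;` just before the final `mutex_unlock(cam_desc.d_mutex);`; otherwise a second DEV_DEL on the same file would still reach `list_del()` on an entry that was already unlinked, and the newly serialized SEQ/PWR/UPDATE helpers would be handed the stale pointer once they obtain the lock. PCLLK_IOCTL_DEV_FREE and PCLLK_IOCTL_LAYOUT_WR are still called without `cam_desc.d_mutex` here, and it is not visible whether those helpers lock internally, so a one-line comment on each stating that would help. camera_ioctl's body starts and ends outside the hunk.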
@@ -924,16 +939,22 @@ static long camera_ioctl(struct file *file,
 err = virtual_device_add(cam_desc.dev, arg);
 break;
 case PCLLK_IOCTL_32_SEQ_WR:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_seq_wr(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_32_SEQ_RD:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_seq_rd(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_32_PARAM_RD:
 /* err = camera_param_rd(cam, arg); */
 break;
 case PCLLK_IOCTL_32_UPDATE:
+ mutex_lock(cam_desc.d_mutex);
 err = camera_update(cam, arg);
+ mutex_unlock(cam_desc.d_mutex);
 break;
 case PCLLK_IOCTL_32_LAYOUT_WR:
 err = camera_layout_update(cam, arg); |
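Review bot: The compat cases PCLLK_IOCTL_32_SEQ_WR, PCLLK_IOCTL_32_SEQ_RD and PCLLK_IOCTL_32_UPDATE now hold `cam_desc.d_mutex` across the helper call, but nothing in the hunk documents that locking contract. Kernel mutexes are not recursive, so a helper that takes the same mutex itself would self-deadlock; the bodies of camera_seq_wr(), camera_seq_rd() and camera_update() are outside this view, so that needs to be confirmed. I would add a comment at the first locked case, for example `/* cam_desc.d_mutex is held across the call to serialize against PCLLK_IOCTL_DEV_DEL; the helper must not take it again */`. The same comment applies to the locked cases in the first hunk, and camera_ioctl's body starts and ends outside this one.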