media: v4l: async: Correctly serialise async sub-device unregistration

The check whether an async sub-device is bound to a notifier was performed
without list_lock held, making it possible for another process to
unbind the async sub-device before the sub-device unregistration function
proceeds to take the lock.

Fix this by first acquiring the lock and then proceeding with the check.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 4924481451ca65599a321d4c6ea71b620715b511..cde2cf2ab4b0da4129962e20040c96dffc57b632 100644 (file)
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -298,20 +298,16 @@ EXPORT_SYMBOL(v4l2_async_register_subdev);
 
 void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
 {
-       struct v4l2_async_notifier *notifier = sd->notifier;
-
-       if (!sd->asd) {
-               if (!list_empty(&sd->async_list))
-                       v4l2_async_cleanup(sd);
-               return;
-       }
-
        mutex_lock(&list_lock);
 
-       list_add(&sd->asd->list, &notifier->waiting);
+       if (sd->asd) {
+               struct v4l2_async_notifier *notifier = sd->notifier;
 
-       if (notifier->unbind)
-               notifier->unbind(notifier, sd, sd->asd);
+               list_add(&sd->asd->list, &notifier->waiting);
+
+               if (notifier->unbind)
+                       notifier->unbind(notifier, sd, sd->asd);
+       }
 
        v4l2_async_cleanup(sd);