From 02bbcb9d863df10b5a4b91ba5b4c76eaf1340883 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Moine?= Date: Tue, 6 Jul 2010 04:16:40 -0300 Subject: [PATCH] V4L/DVB: gspca - main: Possible race condition in queue management MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The problem may occur with SMP: - a frame is completed at interrupt level (in gspca_frame_add with packet_type == LAST_PACKET, - just after clearing the bit V4L2_BUF_FLAG_QUEUED and before setting the bit V4L2_BUF_FLAG_DONE, on the other processor, the application tries to requeue the same frame buffer, - then, the qbuf function succeeds because ALL_FLAGS are not set. The fix sets and resets the two flags in one instruction. Reported-by: Hans de Goede Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab --- drivers/media/video/gspca/gspca.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/media/video/gspca/gspca.c b/drivers/media/video/gspca/gspca.c index 8e822ed4435f..2dc7270722f3 100644 --- a/drivers/media/video/gspca/gspca.c +++ b/drivers/media/video/gspca/gspca.c @@ -466,8 +466,9 @@ void gspca_frame_add(struct gspca_dev *gspca_dev, j = gspca_dev->fr_queue[i]; frame = &gspca_dev->frame[j]; frame->v4l2_buf.bytesused = gspca_dev->image_len; - frame->v4l2_buf.flags &= ~V4L2_BUF_FLAG_QUEUED; - frame->v4l2_buf.flags |= V4L2_BUF_FLAG_DONE; + frame->v4l2_buf.flags = (frame->v4l2_buf.flags + | V4L2_BUF_FLAG_DONE) + & ~V4L2_BUF_FLAG_QUEUED; wake_up_interruptible(&gspca_dev->wq); /* event = new frame */ i = (i + 1) % gspca_dev->nframes; gspca_dev->fr_i = i;