From: Alexey Khoroshilov Date: Sat, 9 Nov 2013 21:28:43 +0000 (-0300) Subject: [media] dvb_demux: fix deadlock in dmx_section_feed_release_filter() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6633327d59067fe16128d66968cd50a10ca7a09c;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [media] dvb_demux: fix deadlock in dmx_section_feed_release_filter() dmx_section_feed_release_filter() locks dvbdmx->mutex and if the feed is still filtering, it calls feed->stop_filtering(feed). stop_filtering() is implemented by dmx_section_feed_stop_filtering() that first of all try to lock the same mutex: dvbdmx->mutex. That leads to a deadlock. It does not happen often in practice because all callers of release_filter() stop filtering by themselves. So the problem can happen in case of race condition only. The patch releases dvbdmx->mutex before call to feed->stop_filtering(feed) and reacquires the mutex after that. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c index 58de4410c525..25f3c6484610 100644 --- a/drivers/media/dvb-core/dvb_demux.c +++ b/drivers/media/dvb-core/dvb_demux.c @@ -1032,8 +1032,13 @@ static int dmx_section_feed_release_filter(struct dmx_section_feed *feed, return -EINVAL; } - if (feed->is_filtering) + if (feed->is_filtering) { + /* release dvbdmx->mutex as far as + it is acquired by stop_filtering() itself */ + mutex_unlock(&dvbdmx->mutex); feed->stop_filtering(feed); + mutex_lock(&dvbdmx->mutex); + } spin_lock_irq(&dvbdmx->lock); f = dvbdmxfeed->filter;