staging: most: video: fix potential race in list iteration

There is a pattern in the loops where the lock is dropped
to call a specific function and then re-acquired.

The list can be exposed during this short gap, creating a potential
race condition. This patch fixes the problem by replacing the list
head with a local free list using list_replace_init(), instead of
using the lock/unlock pattern in the loop.

Signed-off-by: Minu Jin <s9430939@naver.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260205021620.1165137-1-s9430939@naver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/most/video/video.c b/drivers/staging/most/video/video.c
index 32f71d9a9cf78ad74aa8b9a53f40c1d52123df52..8eeae209ff1caf580b8590c33a962b48686382db 100644 (file)
--- a/drivers/staging/most/video/video.c
+++ b/drivers/staging/most/video/video.c
@@ -121,6 +121,7 @@ static int comp_vdev_close(struct file *filp)
        struct comp_fh *fh = to_comp_fh(filp);
        struct most_video_dev *mdev = fh->mdev;
        struct mbo *mbo, *tmp;
+       LIST_HEAD(free_list);
 
        /*
         * We need to put MBOs back before we call most_stop_channel()
@@ -133,13 +134,14 @@ static int comp_vdev_close(struct file *filp)
 
        spin_lock_irq(&mdev->list_lock);
        mdev->mute = true;
-       list_for_each_entry_safe(mbo, tmp, &mdev->pending_mbos, list) {
-               list_del(&mbo->list);
-               spin_unlock_irq(&mdev->list_lock);
+       list_replace_init(&mdev->pending_mbos, &free_list);
+       spin_unlock_irq(&mdev->list_lock);
+
+       list_for_each_entry_safe(mbo, tmp, &free_list, list) {
+               list_del_init(&mbo->list);
                most_put_mbo(mbo);
-               spin_lock_irq(&mdev->list_lock);
        }
-       spin_unlock_irq(&mdev->list_lock);
+
        most_stop_channel(mdev->iface, mdev->ch_idx, &comp);
        mdev->mute = false;
 
@@ -554,6 +556,7 @@ static int __init comp_init(void)
 static void __exit comp_exit(void)
 {
        struct most_video_dev *mdev, *tmp;
+       LIST_HEAD(free_list);
 
        /*
         * As the mostcore currently doesn't call disconnect_channel()
@@ -562,16 +565,15 @@ static void __exit comp_exit(void)
         * This must be fixed in core.
         */
        spin_lock_irq(&list_lock);
-       list_for_each_entry_safe(mdev, tmp, &video_devices, list) {
-               list_del(&mdev->list);
-               spin_unlock_irq(&list_lock);
+       list_replace_init(&video_devices, &free_list);
+       spin_unlock_irq(&list_lock);
 
+       list_for_each_entry_safe(mdev, tmp, &free_list, list) {
+               list_del_init(&mdev->list);
                comp_unregister_videodev(mdev);
                v4l2_device_disconnect(&mdev->v4l2_dev);
                v4l2_device_put(&mdev->v4l2_dev);
-               spin_lock_irq(&list_lock);
        }
-       spin_unlock_irq(&list_lock);
 
        most_deregister_configfs_subsys(&comp);
        most_deregister_component(&comp);