From: Jia-Ju Bai Date: Thu, 1 Jun 2017 07:17:51 +0000 (-0300) Subject: [media] cx18: Fix a sleep-in-atomic bug in snd_cx18_pcm_hw_free X-Git-Tag: v4.13-rc1~141^2~203 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a3dbff6eecad72333bae656681331aab27adee4d;p=users%2Fgriffoul%2Flinux.git [media] cx18: Fix a sleep-in-atomic bug in snd_cx18_pcm_hw_free The driver may sleep under a spin lock, and the function call path is: snd_cx18_pcm_hw_free (acquire the lock by spin_lock_irqsave) vfree --> may sleep To fix it, the "substream->runtime->dma_area" is passed to a temporary value, and mark it NULL when holding the lock. The memory is freed by vfree through the temporary value outside the lock holding. Signed-off-by: Jia-Ju Bai [hans.verkuil@cisco.com: removed unnecessary 'if (dma_area)'] Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/pci/cx18/cx18-alsa-pcm.c b/drivers/media/pci/cx18/cx18-alsa-pcm.c index 205a98da877c..f68ee57a9ae2 100644 --- a/drivers/media/pci/cx18/cx18-alsa-pcm.c +++ b/drivers/media/pci/cx18/cx18-alsa-pcm.c @@ -257,14 +257,16 @@ static int snd_cx18_pcm_hw_free(struct snd_pcm_substream *substream) { struct snd_cx18_card *cxsc = snd_pcm_substream_chip(substream); unsigned long flags; + unsigned char *dma_area = NULL; spin_lock_irqsave(&cxsc->slock, flags); if (substream->runtime->dma_area) { dprintk("freeing pcm capture region\n"); - vfree(substream->runtime->dma_area); + dma_area = substream->runtime->dma_area; substream->runtime->dma_area = NULL; } spin_unlock_irqrestore(&cxsc->slock, flags); + vfree(dma_area); return 0; }