diff options
| author | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2017-08-30 13:18:04 -0400 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@s-opensource.com> | 2017-10-31 13:51:45 -0400 |
| commit | b6ee3f0dcf43dc3e8dbbe9be9c4e728c8d52f1ba (patch) | |
| tree | 4171a3b2634b8238b12188cd55fd629157efaeb6 /drivers/media/v4l2-core | |
| parent | bce9e317cec9c4ffff3dde1170c0ad70f5e690c8 (diff) | |
media: v4l: async: Move async subdev notifier operations to a separate structure
The async subdev notifier .bound(), .unbind() and .complete() operations
are function pointers stored directly in the v4l2_async_subdev
structure. As the structure isn't immutable, this creates a potential
security risk as the function pointers are mutable.
To fix this, move the function pointers to a new
v4l2_async_subdev_operations structure that can be made const in
drivers.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/v4l2-core')
| -rw-r--r-- | drivers/media/v4l2-core/v4l2-async.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c index 46aebfc75e43..9d6fc5f25619 100644 --- a/drivers/media/v4l2-core/v4l2-async.c +++ b/drivers/media/v4l2-core/v4l2-async.c @@ -102,16 +102,16 @@ static int v4l2_async_match_notify(struct v4l2_async_notifier *notifier, { int ret; - if (notifier->bound) { - ret = notifier->bound(notifier, sd, asd); + if (notifier->ops->bound) { + ret = notifier->ops->bound(notifier, sd, asd); if (ret < 0) return ret; } ret = v4l2_device_register_subdev(notifier->v4l2_dev, sd); if (ret < 0) { - if (notifier->unbind) - notifier->unbind(notifier, sd, asd); + if (notifier->ops->unbind) + notifier->ops->unbind(notifier, sd, asd); return ret; } @@ -140,9 +140,8 @@ static void v4l2_async_notifier_unbind_all_subdevs( struct v4l2_subdev *sd, *tmp; list_for_each_entry_safe(sd, tmp, ¬ifier->done, async_list) { - if (notifier->unbind) - notifier->unbind(notifier, sd, sd->asd); - + if (notifier->ops->unbind) + notifier->ops->unbind(notifier, sd, sd->asd); v4l2_async_cleanup(sd); list_move(&sd->async_list, &subdev_list); @@ -199,8 +198,8 @@ int v4l2_async_notifier_register(struct v4l2_device *v4l2_dev, } } - if (list_empty(¬ifier->waiting) && notifier->complete) { - ret = notifier->complete(notifier); + if (list_empty(¬ifier->waiting) && notifier->ops->complete) { + ret = notifier->ops->complete(notifier); if (ret) goto err_complete; } @@ -297,10 +296,10 @@ int v4l2_async_register_subdev(struct v4l2_subdev *sd) if (ret) goto err_unlock; - if (!list_empty(¬ifier->waiting) || !notifier->complete) + if (!list_empty(¬ifier->waiting) || !notifier->ops->complete) goto out_unlock; - ret = notifier->complete(notifier); + ret = notifier->ops->complete(notifier); if (ret) goto err_cleanup; @@ -316,9 +315,8 @@ out_unlock: return 0; err_cleanup: - if (notifier->unbind) - notifier->unbind(notifier, sd, sd->asd); - + if (notifier->ops->unbind) + notifier->ops->unbind(notifier, sd, sd->asd); v4l2_async_cleanup(sd); err_unlock: @@ -337,8 +335,8 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) list_add(&sd->asd->list, ¬ifier->waiting); - if (notifier->unbind) - notifier->unbind(notifier, sd, sd->asd); + if (notifier->ops->unbind) + notifier->ops->unbind(notifier, sd, sd->asd); } v4l2_async_cleanup(sd); |