V4L/DVB (6268): V4L: Fix a lock inversion in generic videobuf code

videobuf_qbuf takes q->lock, and then calls
q->ops->buf_prepare which by design in all drivers calls
videobuf_iolock which calls videobuf_dma_init_user and this
takes current->mm->mmap_sem

on the other hand if user calls mumap from other thread, sys_munmap
takes current->mm->mmap_sem and videobuf_vm_close takes q->lock

Since this can occur only for V4L2_MEMORY_MMAP buffers, take
current->mm->mmap_sem in qbuf, before q->lock, and don't take
current->mm->mmap_sem videobuf_dma_init_user for those buffers

Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
http://thread.gmane.org/gmane.comp.video.video4linux/34978/focus=34981
Reviewed-by: Ricardo Cerqueira <v4l@cerqueira.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

1 files changed, 7 insertions, 0 deletions

diff --git a/drivers/media/video/videobuf-core.c b/drivers/media/video/videobuf-core.c
index 3bd06bb633a7..a27e114cacef 100644
--- a/drivers/media/video/videobuf-core.c
+++ b/drivers/media/video/videobuf-core.c
@@ -349,6 +349,9 @@ int videobuf_qbuf(struct videobuf_queue *q,
 
 	MAGIC_CHECK(q->int_ops->magic,MAGIC_QTYPE_OPS);
 
+	if (b->memory == V4L2_MEMORY_MMAP)
+		down_read(&current->mm->mmap_sem);
+
 	mutex_lock(&q->lock);
 	retval = -EBUSY;
 	if (q->reading) {
@@ -434,6 +437,10 @@ int videobuf_qbuf(struct videobuf_queue *q,
 
  done:
 	mutex_unlock(&q->lock);
+
+	if (b->memory == V4L2_MEMORY_MMAP)
+		up_read(&current->mm->mmap_sem);
+
 	return retval;
 }