From 5553436c218b889be3bc3a4fb344d4443aa054f4 Mon Sep 17 00:00:00 2001
From: Trishansh Bhardwaj
Date: Wed, 22 Nov 2017 14:55:32 +0530
Subject: [PATCH] msm: camera: Synchronize v4l2 subscribe and unsubscribe event in camera.c
If same event is unsubscribed before v4l2_event_subscribe returned, Then function v4l2_event_subscribe have possibility use-after-free. Serialize msm_subscribe_event and msm_unsubscribe_event to prevent parallel invocation of v4l2_event_subscribe and v4l2_event_unsubscribe.
Change-Id: Ia28cfb9d46550d58221f157337a1468f524753e3
Signed-off-by: Trishansh Bhardwaj
---
 drivers/media/platform/msm/camera_v2/camera/camera.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/media/platform/msm/camera_v2/camera/camera.c b/drivers/media/platform/msm/camera_v2/camera/camera.c
index aeeb5cae3096..ccdd4622c120 100644
--- a/drivers/media/platform/msm/camera_v2/camera/camera.c
+++ b/drivers/media/platform/msm/camera_v2/camera/camera.c
@@ -459,7 +459,9 @@ static int camera_v4l2_subscribe_event(struct v4l2_fh *fh,
 int rc = 0;
 struct camera_v4l2_private *sp = fh_to_private(fh);
+ mutex_lock(&sp->lock);
 rc = v4l2_event_subscribe(&sp->fh, sub, 5, NULL);
+ mutex_unlock(&sp->lock);
 return rc;
 }
@@ -470,7 +472,9 @@ static int camera_v4l2_unsubscribe_event(struct v4l2_fh *fh,
 int rc = 0;
 struct camera_v4l2_private *sp = fh_to_private(fh);
+ mutex_lock(&sp->lock);
 rc = v4l2_event_unsubscribe(&sp->fh, sub);
+ mutex_unlock(&sp->lock);
 return rc;
 }
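Review bot: The new `mutex_lock(&sp->lock)` around `v4l2_event_subscribe()` has no comment saying what it protects, and neither does the matching pair in `camera_v4l2_unsubscribe_event` in the second hunk; I would add `/* Serialize with camera_v4l2_unsubscribe_event(): an unsubscribe that completes before v4l2_event_subscribe() returns can free the subscription still in use. */` above the lock in both functions. The fix only holds if every path that unsubscribes events on this fh takes `sp->lock`, and the patch adds no `mutex_init`, so the lock's initialisation and any other unsubscribe callers (for instance a release path that drops all subscriptions) need checking outside this diff. The commit message names `msm_subscribe_event` and `msm_unsubscribe_event`, while the functions changed are `camera_v4l2_subscribe_event` and `camera_v4l2_unsubscribe_event`; if the former are separate handlers, they remain unserialized. Both function bodies start outside their hunks.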