media: vivid: fix the racy dev->radio_tx_rds_owner

There is a race over dev->radio_tx_rds_owner between the two functions
mentioned below:

Thread-1                Thread-2
vivid_fop_release()     vivid_radio_rx_read()
mutex_unlock(&dev->mutex)
                        mutex_lock_interruptible(&dev->mutex)
                        ...
                        dev->radio_rx_rds_owner = file->private_data;
...
if (file->private_data == dev->radio_rx_rds_owner) {
        dev->radio_tx_rds_last_block = 0;
        dev->radio_tx_rds_owner = NULL;
}

This race can be fixed by only releasing the lock after vivid_fop_release()
finishes the checks.

Signed-off-by: Sishuai Gong <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>

Author: Sishuai Gong

drivers/media/test-drivers/vivid/vivid-core.c

@@ -628,7 +628,6 @@ static int vivid_fop_release(struct file *file)
 		v4l2_info(&dev->v4l2_dev, "reconnect\n");
 		vivid_reconnect(dev);
 	}
-	mutex_unlock(&dev->mutex);
 	if (file->private_data == dev->radio_rx_rds_owner) {
 		dev->radio_rx_rds_last_block = 0;
 		dev->radio_rx_rds_owner = NULL;
@@ -637,6 +636,7 @@ static int vivid_fop_release(struct file *file)
 		dev->radio_tx_rds_last_block = 0;
 		dev->radio_tx_rds_owner = NULL;
 	}
+	mutex_unlock(&dev->mutex);
 	if (vdev->queue)
 		return vb2_fop_release(file);
 	return v4l2_fh_release(file);