lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160616184353.GB3727@swift.blarg.de>
Date:	Thu, 16 Jun 2016 20:43:53 +0200
From:	Max Kellermann <max@...mpel.org>
To:	Shuah Khan <shuahkh@....samsung.com>
Cc:	linux-media@...r.kernel.org, mchehab@....samsung.com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in
 _destroy()

On 2016/06/16 18:24, Shuah Khan <shuahkh@....samsung.com> wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > media_gobj_destroy() may be called twice on one instance - once by
> > media_device_unregister() and again by dvb_media_device_free().  The
> > function media_remove_intf_links() establishes and documents the
> > convention that mdev==NULL means that the object is not registered,
> > but nobody ever NULLs this variable.  So this patch really implements
> > this behavior, and adds another mdev==NULL check to
> > media_gobj_destroy() to protect against double removal.
> 
> Are you seeing null pointer dereference on gobj->mdev? In any case,
> we have to look at if there is a missing mutex hold that creates a
> race between media_device_unregister() and dvb_media_device_free()
> 
> I don't this patch will solve the race condition.

I think we misunderstand.  This is not about a race condition.  And
the problem cannot be a NULL pointer dereference.

That's because nobody NULLs the pointer!

Pointer NULLing is what my patch adds, and AFTER my patch, there may
be NULL pointer dereferences (if there are more previously existing
bugs, which we should fix as well).  I added this NULL assignment
because there are NULL checks - and if nobody NULLs the pointer, that
check doesn't make any sense!

Max

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ