Message-ID: <ab85c4e6-d3f4-5861-f998-028cdab5fe5a@xs4all.nl>
Date:   Wed, 1 Sep 2021 12:55:29 +0200
From:   Hans Verkuil <hverkuil@...all.nl>
To:     Salah Triki <salah.triki@...il.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        gregkh@...uxfoundation.org
Cc:     linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
        Cai Huoqing <caihuoqing@...du.com>
Subject: Re: [PATCH v2] usb: stkwebcam: update the reference count of the usb
 device structure

Hi Salah, Cai,

I received patches for this from both of you, but both have issues:

On 31/07/2021 18:18, Salah Triki wrote:
> Use usb_get_dev() to increment the reference count of the usb device
> structure in order to avoid releasing the structure while it is still in
> use. And use usb_put_dev() to decrement the reference count and thus,
> when it will be equal to 0 the structure will be released.
> 
> Signed-off-by: Salah Triki <salah.triki@...il.com>
> ---
> Change since v1:
> 	Modification of the description
> 
>  drivers/media/usb/stkwebcam/stk-webcam.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c
> index a45d464427c4..3b14679829ed 100644
> --- a/drivers/media/usb/stkwebcam/stk-webcam.c
> +++ b/drivers/media/usb/stkwebcam/stk-webcam.c
> @@ -1309,7 +1309,7 @@ static int stk_camera_probe(struct usb_interface *interface,
>  	init_waitqueue_head(&dev->wait_frame);
>  	dev->first_init = 1; /* webcam LED management */
>  
> -	dev->udev = udev;
> +	dev->udev = usb_get_dev(udev);
>  	dev->interface = interface;
>  	usb_get_intf(interface);
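
Review bot: the reference taken at "dev->udev = usb_get_dev(udev);" has no matching put on probe failure. The diffstat shows only one other inserted line, and that one is in stk_camera_disconnect(). Every exit from stk_camera_probe() after this assignment should call usb_put_dev(dev->udev), and the usb_get_intf(interface) reference two lines below deserves the same check.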

In the error path of stk_camera_probe you need to call usb_put_dev(), otherwise
the udev refcount won't go to 0.

>  
> @@ -1376,6 +1376,7 @@ static void stk_camera_disconnect(struct usb_interface *interface)
>  
>  	usb_set_intfdata(interface, NULL);
>  	unset_present(dev);
> +	usb_put_dev(interface_to_usbdev(interface));

Cai just used usb_put_dev(dev->udev) here which makes more sense.

Cai also moved this to the stk_v4l_dev_release() function, which is probably
a better place.

However, there is another bug here as well: these lines in stk_camera_disconnect()
should be moved to stk_v4l_dev_release():

        v4l2_ctrl_handler_free(&dev->hdl);
        v4l2_device_unregister(&dev->v4l2_dev);
        kfree(dev);

When the last user of the video device has closed their fh, then stk_v4l_dev_release()
is called, so any cleanup of resources/memory should happen there. Right now if you are
streaming and the webcam is disconnected (or the device forcibly unloaded), the dev
pointer is freed in disconnect, but stk_v4l_dev_release() is called later and will
reference freed memory.

I'm not sure who of the two of you will make a v3, I leave that to you to fight out :-)

Regards,

	Hans

>  
>  	wake_up_interruptible(&dev->wait_frame);
>  
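
Review bot: "usb_put_dev(interface_to_usbdev(interface));" releases the reference through a re-derived pointer instead of the dev->udev field that stored the result of usb_get_dev(); use usb_put_dev(dev->udev) so the get and the put are visibly paired. The put also sits before wake_up_interruptible(&dev->wait_frame), so anything woken there that still uses dev->udev runs without the reference held; dropping it at the point where dev itself is torn down would avoid that.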
> 
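
The lifetime problem described in the reply above (dev freed in disconnect while the release callback still runs later), as an added userspace C model that is not part of the thread or of the stk-webcam driver. struct cam_model and every function name are hypothetical, at least one open handle is assumed, and "freed" is a flag rather than a real kfree() so that the late access can be counted.

```c
#include <stdio.h>
/* Userspace model, not driver code: "freed" is a flag so the late access
 * can be counted instead of causing real undefined behaviour. */
struct cam_model {
    int open_handles;        /* file handles still open (assumed >= 1) */
    int free_in_disconnect;  /* 1 = ordering criticised in the mail */
    int freed;               /* set where the driver would kfree(dev) */
    int late_accesses;       /* uses of dev after it was freed */
};

/* Any dereference of dev; counted if dev was already freed. */
static void touch(struct cam_model *c) { c->late_accesses += c->freed; }

static void cleanup(struct cam_model *c)  /* handler free, unregister, kfree */
{
    touch(c);
    c->freed = 1;
}

static void model_disconnect(struct cam_model *c)
{
    touch(c);                /* unset_present(dev), wake_up on wait_frame */
    if (c->free_in_disconnect)
        cleanup(c);
}

static void model_close(struct cam_model *c)
{
    if (--c->open_handles > 0)
        return;
    touch(c);                /* release callback runs on last close, uses dev */
    if (!c->free_in_disconnect)
        cleanup(c);
}

/* Unplug while handles are open, then close them all; returns uses after free. */
int late_accesses_after_unplug(int free_in_disconnect, int handles)
{
    struct cam_model c = { handles, free_in_disconnect, 0, 0 };
    model_disconnect(&c);
    while (c.open_handles > 0)
        model_close(&c);
    return c.late_accesses;
}

int main(void)
{
    printf("%d %d\n", late_accesses_after_unplug(1, 1), late_accesses_after_unplug(0, 1));
    return 0;
}
```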
