Message-ID: <20240616235844.GO4782@pendragon.ideasonboard.com>
Date: Mon, 17 Jun 2024 02:58:44 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Tomasz Figa <tfiga@...omium.org>
Cc: Ricardo Ribalda <ribalda@...omium.org>,
	Mauro Carvalho Chehab <mchehab@...nel.org>,
	Guenter Roeck <linux@...ck-us.net>,
	Max Staudt <mstaudt@...omium.org>,
	Alan Stern <stern@...land.harvard.edu>,
	Hans Verkuil <hverkuil-cisco@...all.nl>,
	linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
	Sean Paul <seanpaul@...omium.org>,
	Sakari Ailus <sakari.ailus@...ux.intel.com>
Subject: Re: [PATCH v4 1/4] media: uvcvideo: stop stream during unregister

Hi Tomasz,

On Thu, Jun 06, 2024 at 06:57:50PM +0900, Tomasz Figa wrote:
> On Wed, Mar 27, 2024 at 5:24 PM Ricardo Ribalda wrote:
> >
> > uvc_unregister_video() can be called asynchronously from
> > uvc_disconnect(). If the device is still streaming when that happens, a
> > plethora of race conditions can happen.
> >
> > Make sure that the device has stopped streaming before exiting this
> > function.
> >
> > If the user still holds handles to the driver's file descriptors, any
> > ioctl will return -ENODEV from the v4l2 core.
> >
> > This change makes uvc more consistent with the rest of the v4l2 drivers
> > using the vb2_fop_* and vb2_ioctl_* helpers.
> >
> > Suggested-by: Hans Verkuil <hverkuil-cisco@...all.nl>
> > Signed-off-by: Ricardo Ribalda <ribalda@...omium.org>
> > ---
> >  drivers/media/usb/uvc/uvc_driver.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> 
> First of all, thanks for the patch. I have a question about the
> problem being fixed here.
> 
> Could you point out a specific race condition example that could
> happen without this change?
> From what I see in __video_do_ioctl(), no ioctls would be executed
> anymore after the video node is unregistered.
> Since the device is not present either, what asynchronous code paths
> could be still triggered?

I believe the issue is that some ioctls can be in progress while the
device is unregistered. I'll let Ricardo confirm.

I've tried to explain multiple times before that this should be handled
in the V4L2 core, ideally with fixes in the cdev core too, as this issue
affects all cdev drivers. I've pointed to related patches that have been
posted for the cdev core. They need to be wrapped in V4L2 functions to
make them easier to use for drivers. If we don't want to depend on those
cdev changes, we can implement the "wrappers" with fixes limited to
V4L2 until the cdev changes get merged (assuming someone would resurrect
them).

> [1] https://elixir.bootlin.com/linux/latest/source/drivers/media/v4l2-core/v4l2-ioctl.c#L3023
> 
> > diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
> > index bbd90123a4e76..17fc945c8deb6 100644
> > --- a/drivers/media/usb/uvc/uvc_driver.c
> > +++ b/drivers/media/usb/uvc/uvc_driver.c
> > @@ -1911,8 +1911,19 @@ static void uvc_unregister_video(struct uvc_device *dev)
> >                 if (!video_is_registered(&stream->vdev))
> >                         continue;
> >
> > +               /*
> > +                * Serialize other access to the stream.
> > +                */
> > +               mutex_lock(&stream->mutex);
> > +               uvc_queue_streamoff(&stream->queue, stream->type);
> >                 video_unregister_device(&stream->vdev);
> >                 video_unregister_device(&stream->meta.vdev);
> > +               mutex_unlock(&stream->mutex);
> > +
> > +               /*
> > +                * Now the vdev is not streaming and all the ioctls will
> > +                * return -ENODEV
> > +                */
> >
> >                 uvc_debugfs_cleanup_stream(stream);
> >         }
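
Review bot: in the lines added to uvc_unregister_video(), the closing comment says all ioctls will return -ENODEV, but the hunk only guarantees that for callers that test registration after acquiring stream->mutex; a caller that passed the test earlier and is blocked on the mutex would run its handler as soon as mutex_unlock(&stream->mutex) returns. The comment should either name the check that produces -ENODEV and say that it runs under the lock, or state that in-flight ioctls are not covered. The first comment, "Serialize other access to the stream", could also say what the lock prevents here (a restart of streaming between uvc_queue_streamoff() and video_unregister_device()), and each of the two comments fits on a single line.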

-- 
Regards,

Laurent Pinchart
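
An added example, not part of the original message or of the kernel sources: a user-space C model of an ioctl that is already in progress when unregistration runs, the situation raised in the reply above. All names are hypothetical, and splitting the ioctl into a pre-lock check and a locked body is an assumption made so the interleaving can be replayed deterministically.

```c
/* User-space model, constructed for illustration; not kernel code.
 * All names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

struct model_stream {
	pthread_mutex_t mutex;  /* stands in for stream->mutex */
	bool registered;        /* stands in for video_is_registered() */
	bool streaming;
};

/* Phase 1 of an ioctl: registration check before the lock is taken. */
static int ioctl_enter(struct model_stream *s)
{
	return s->registered ? 0 : -ENODEV;
}

/* Phase 2: handler body under the lock; recheck selects the variant
 * that tests registration again once the lock is held. */
static int ioctl_streamon(struct model_stream *s, bool recheck)
{
	int ret = 0;

	pthread_mutex_lock(&s->mutex);
	if (recheck && !s->registered)
		ret = -ENODEV;
	else
		s->streaming = true;  /* stream restarted on a dead device */
	pthread_mutex_unlock(&s->mutex);
	return ret;
}

/* Same order as the quoted hunk: stream off, unregister, under the mutex. */
static void model_unregister(struct model_stream *s)
{
	pthread_mutex_lock(&s->mutex);
	s->streaming = false;
	s->registered = false;
	pthread_mutex_unlock(&s->mutex);
}

/* Replay: check passes, unregister runs, then the handler body runs. */
static int replay_inflight(bool recheck, bool *streaming_after)
{
	struct model_stream s = { .mutex = PTHREAD_MUTEX_INITIALIZER,
				  .registered = true, .streaming = true };
	int ret = ioctl_enter(&s);

	if (ret == 0) {
		model_unregister(&s);
		ret = ioctl_streamon(&s, recheck);
	}
	*streaming_after = s.streaming;
	return ret;
}
```

Without the second check the in-flight call succeeds and leaves the model streaming after unregistration; with it, the call fails with -ENODEV and the stream stays off.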
