From patchwork Tue Sep 6 12:08:08 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dave Young
X-Patchwork-Id: 1126292
Date: Tue, 6 Sep 2011 20:08:08 +0800
From: Dave Young
To: Laurent Pinchart, Sitsofe Wheeler, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Guennadi Liakhovetski, Mauro Carvalho Chehab
Subject: [PATCH] v4l2: uvcvideo use after free bug fix
Message-ID: <20110906120808.GC2321@darkstar>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-media@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]); Tue, 06 Sep 2011 12:09:33 +0000 (UTC)

Reported-by: Sitsofe Wheeler
Signed-off-by: Dave Young
Tested-by: Sitsofe Wheeler
Acked-by: Laurent Pinchart

Unplugging a uvc video camera triggers the following oops:

eeepc kernel: [ 1393.500719] usb 3-2: USB disconnect, device number 4
eeepc kernel: [ 1393.504351] uvcvideo: Failed to resubmit video URB (-19).
eeepc kernel: [ 1495.428853] BUG: unable to handle kernel paging request at 6b6b6bcb
eeepc kernel: [ 1495.429017] IP: [] dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] *pde = 00000000
eeepc kernel: [ 1495.429017] Oops: 0000 [#1] DEBUG_PAGEALLOC
eeepc kernel: [ 1495.429017]
eeepc kernel: [ 1495.429017] Pid: 3476, comm: cheese Not tainted 3.1.0-rc3-00270-g7a54f5e-dirty #485 ASUSTeK Computer INC. 900/900
eeepc kernel: [ 1495.429017] EIP: 0060:[] EFLAGS: 00010202 CPU: 0
eeepc kernel: [ 1495.429017] EIP is at dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] EAX: 6b6b6b6b EBX: eb08d870 ECX: 00000000 EDX: eb08d930
eeepc kernel: [ 1495.429017] ESI: eb08d870 EDI: eb08d870 EBP: d3249cac ESP: d3249cac
eeepc kernel: [ 1495.429017] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
eeepc kernel: [ 1495.429017] Process cheese (pid: 3476, ti=d3248000 task=df46d870 task.ti=d3248000)
eeepc kernel: [ 1495.429017] Stack:
eeepc kernel: [ 1495.429017] d3249cb8 b03e77a1 d307b840 d3249ccc b03e77d1 d307b840 eb08d870 eb08d830
eeepc kernel: [ 1495.429017] d3249ce4 b03ed3b7 00000246 d307b840 eb08d870 d3021b80 d3249cec b03ed565
eeepc kernel: [ 1495.429017] d3249cfc b03e044d e8323d10 b06e013c d3249d18 b0355fb9 fffffffe d3249d1c
eeepc kernel: [ 1495.429017] Call Trace:
eeepc kernel: [ 1495.429017] [] v4l2_device_disconnect+0x11/0x30
eeepc kernel: [ 1495.429017] [] v4l2_device_unregister+0x11/0x50
eeepc kernel: [ 1495.429017] [] uvc_delete+0x37/0x110
eeepc kernel: [ 1495.429017] [] uvc_release+0x25/0x30
eeepc kernel: [ 1495.429017] [] v4l2_device_release+0x9d/0xc0
eeepc kernel: [ 1495.429017] [] device_release+0x19/0x90
eeepc kernel: [ 1495.429017] [] ? usb_hcd_unlink_urb+0x7c/0x90
eeepc kernel: [ 1495.429017] [] kobject_release+0x3c/0x90
eeepc kernel: [ 1495.429017] [] ? kobject_del+0x30/0x30
eeepc kernel: [ 1495.429017] [] kref_put+0x2c/0x60
eeepc kernel: [ 1495.429017] [] kobject_put+0x1d/0x50
eeepc kernel: [ 1495.429017] [] ? usb_autopm_put_interface+0x25/0x30
eeepc kernel: [ 1495.429017] [] ? uvc_v4l2_release+0x5d/0xd0
eeepc kernel: [ 1495.429017] [] put_device+0xf/0x20
eeepc kernel: [ 1495.429017] [] v4l2_release+0x56/0x60
eeepc kernel: [ 1495.429017] [] fput+0xcc/0x220
eeepc kernel: [ 1495.429017] [] filp_close+0x44/0x70
eeepc kernel: [ 1495.429017] [] put_files_struct+0x158/0x180
eeepc kernel: [ 1495.429017] [] ? put_files_struct+0x20/0x180
eeepc kernel: [ 1495.429017] [] exit_files+0x40/0x50
eeepc kernel: [ 1495.429017] [] do_exit+0x5a7/0x660
eeepc kernel: [ 1495.429017] [] ? __dequeue_signal+0x12/0x120
eeepc kernel: [ 1495.429017] [] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017] [] do_group_exit+0x3c/0xb0
eeepc kernel: [ 1495.429017] [] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017] [] get_signal_to_deliver+0x18f/0x570
eeepc kernel: [ 1495.429017] [] do_signal+0x47/0x9e0
eeepc kernel: [ 1495.429017] [] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017] [] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017] [] ? T.1034+0x30/0xc0
eeepc kernel: [ 1495.429017] [] ? schedule+0x29f/0x640
eeepc kernel: [ 1495.429017] [] do_notify_resume+0x38/0x40
eeepc kernel: [ 1495.429017] [] work_notifysig+0x9/0x11
eeepc kernel: [ 1495.429017] Code: e5 5d 83 f8 01 19 c0 f7 d0 83 e0 f0 c3 8d b4 26 00 00 00 00 55 85 c0 89 e5 75 09 31 c0 5d c3 90 8d 74 26 00 8b 40 04 85 c0 74 f0 <8b> 40 60 5d c3 8d 74 26 00 55 89 e5 53 89 c3 83 ec 04 8b 40 04
eeepc kernel: [ 1495.429017] EIP: [] dev_get_drvdata+0x17/0x20 SS:ESP 0068:d3249cac
eeepc kernel: [ 1495.429017] CR2: 000000006b6b6bcb
eeepc kernel: [ 1495.466975] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: [ 1495.467860] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: last message repeated 3 times
eeepc kernel: [ 1495.512610] ---[ end trace 73ec16848794e5a5 ]---

For uvc device, dev->vdev.dev is the &intf->dev, uvc_delete code is as below:

	usb_put_intf(dev->intf);
	usb_put_dev(dev->udev);

	uvc_status_cleanup(dev);
	uvc_ctrl_cleanup_device(dev);

	## the intf dev is released above, so below code will oops.

	if (dev->vdev.dev)
		v4l2_device_unregister(&dev->vdev);

Fix it by get_device in v4l2_device_register and put_device in v4l2_device_disconnect
---
 drivers/media/video/v4l2-device.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/video/v4l2-device.c b/drivers/media/video/v4l2-device.c index c72856c..e6a2c3b 100644 --- a/drivers/media/video/v4l2-device.c +++ b/drivers/media/video/v4l2-device.c @@ -38,6 +38,7 @@ int v4l2_device_register(struct device *dev, struct v4l2_device *v4l2_dev) mutex_init(&v4l2_dev->ioctl_lock); v4l2_prio_init(&v4l2_dev->prio); kref_init(&v4l2_dev->ref); + get_device(dev); v4l2_dev->dev = dev; if (dev == NULL) { /* If dev == NULL, then name must be filled in by the caller */ @@ -93,6 +94,7 @@ void v4l2_device_disconnect(struct v4l2_device *v4l2_dev) if (dev_get_drvdata(v4l2_dev->dev) == v4l2_dev) dev_set_drvdata(v4l2_dev->dev, NULL); + put_device(v4l2_dev->dev); v4l2_dev->dev = NULL; } EXPORT_SYMBOL_GPL(v4l2_device_disconnect);
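
Review bot: In the v4l2_device_register hunk, get_device(dev) sits above the "if (dev == NULL)" branch, so it also runs for callers that register without a parent device. get_device() tolerates a NULL argument, so this does not crash, but the intent is easy to misread: either move the call below the NULL branch or add a one-line comment saying the reference is taken here and dropped in v4l2_device_disconnect(). The change is also in the v4l2 core rather than in uvcvideo, so the function's documentation should state that the core now pins dev for as long as v4l2_dev->dev is set, because every driver that calls v4l2_device_register() inherits this behaviour.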
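
Review bot: In the v4l2_device_disconnect hunk, put_device(v4l2_dev->dev) is only balanced against the get_device() in register if this path drops the reference exactly once per registration. The call trace in the commit message shows v4l2_device_unregister() calling v4l2_device_disconnect(), so a driver that calls disconnect on unplug and unregister later will enter this function twice; the visible context does not show a guard on v4l2_dev->dev being NULL, so please confirm the second entry returns before reaching dev_get_drvdata() and put_device(). It is also worth a comment here that "v4l2_dev->dev = NULL;" must stay after the put, and a note for driver authors that clearing v4l2_dev->dev by hand instead of calling disconnect now leaks the device reference.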