Message-ID: <555C9EC9.40303@rosalab.ru>
Date: Wed, 20 May 2015 17:48:41 +0300
From: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
Organization: ROSA
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
CC: Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
        LKML <linux-kernel@vger.kernel.org>
Subject: uvcvideo: Race on dev->state between uvc_disconnect() and uvc_v4l2_open()
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1258
Lines: 38

Hi,

There is a race in uvcvideo module between uvc_disconnect() and 
uvc_v4l2_open() on dev->state. Checked and reproduced that with kernel 
4.1-rc1.

drivers/media/usb/uvc/uvc_driver.c, uvc_disconnect():

	dev->state |= UVC_DEV_DISCONNECTED;

drivers/media/usb/uvc/uvc_v4l2.c, uvc_v4l2_open():

	if (stream->dev->state & UVC_DEV_DISCONNECTED)
		return -ENODEV;

I checked that the race does happen by introducing a delay in 
uvc_disconnect() right before that assignment and armed a hardware 
breakpoint to detect the access to stream->dev->state from 
uvc_v4l2_open(). When I disconnected the webcam while Google Hangout was 
running, the hardware breakpoint triggered several times for that read 
in uvc_v4l2_open (uvc_v4l2.c:484). uvc_v4l2_open() was called in the 
context of GoogleTalkPlugin processes.

Not sure if the race is intentional but I guess, better to report it 
anyway. Nothing has crashed during my (brief) testing yet, but still.

Regards,

Eugene

-- 
Eugene Shatokhin, ROSA
www.rosalab.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/