From: Laurent Pinchart
To: David Fries
Cc: linux-kernel@vger.kernel.org, Guennadi Liakhovetski, Mauro Carvalho Chehab, stable@vger.kernel.org
Subject: Re: [PATCH 1/1] media: uvc_driver: fix USB Camera ref leak denial of service
Date: Sat, 26 May 2018 19:21:11 +0300
Organization: Ideas on Board Oy

Hi David,

Thank you for the patch.

On Saturday, 26 May 2018 18:50:46 EEST David Fries wrote:
> Commit 9d15cd958c17 ("media: uvcvideo: Convert from using an atomic
> variable to a reference count")
> didn't take into account that while the old counter was initialized to
> 0 (no stream open), kref_init starts with a reference of 1. The
> reference count on unplug no longer reaches 0, uvc_delete isn't
> called, and evdev doesn't release /dev/input/event*. Plug and unplug
> enough times and it runs out of device minors preventing any new input
> device and the use of newly plugged in USB video cameras until the
> system is rebooted.
>
> Signed-off-by: David Fries
> Cc: Guennadi Liakhovetski
> Cc: Laurent Pinchart
> Cc: Mauro Carvalho Chehab
> Cc: stable@vger.kernel.org

Philipp Zabel has already posted a similar patch, see
https://patchwork.linuxtv.org/patch/49770/

Mauro,

This is a serious issue so I'd like to get the patch merged in v4.18, but it
could be argued that it's getting late for that, especially given that the bug
has been there since v4.14. Would you be OK merging this in v4.18? If so could
you pick https://patchwork.linuxtv.org/patch/49770/ up, or would you like me to
send a pull request?

> ---
> drivers/media/usb/uvc/uvc_driver.c | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
> > diff --git a/drivers/media/usb/uvc/uvc_driver.c > b/drivers/media/usb/uvc/uvc_driver.c index 2469b49..3cbdc87 100644 > --- a/drivers/media/usb/uvc/uvc_driver.c > +++ b/drivers/media/usb/uvc/uvc_driver.c > @@ -1871,13 +1871,6 @@ static void uvc_unregister_video(struct uvc_device > *dev) { > struct uvc_streaming *stream; > > - /* Unregistering all video devices might result in uvc_delete() being > - * called from inside the loop if there's no open file handle. To avoid > - * that, increment the refcount before iterating over the streams and > - * decrement it when done. > - */ > - kref_get(&dev->ref); > - > list_for_each_entry(stream, &dev->streams, list) { > if (!video_is_registered(&stream->vdev)) > continue; > @@ -1888,6 +1881,10 @@ static void uvc_unregister_video(struct uvc_device > *dev) uvc_debugfs_cleanup_stream(stream); > } > > + /* Release the reference implicit in kref_init from uvc_probe, > + * the UVC device won't be deleted until the last file descriptor > + * is also closed. > + */ > kref_put(&dev->ref, uvc_delete); > } -- Regards, Laurent Pinchart
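
Review bot: In the first hunk (@@ -1871,13 +1871,6), the rationale for holding a reference across the list_for_each_entry() walk is lost together with the kref_get(): the deleted comment was the only place that said unregistering the video devices can end in uvc_delete() when no file handle is open. After this change the loop is kept safe only by the initial kref_init() reference that the trailing kref_put() drops, so I would keep a shortened form of the old comment above the loop that says exactly that. Without it, a later cleanup that moves or removes the final kref_put() could let uvc_delete() run inside the loop again with nothing in the code to warn against it.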
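
Review bot: In the second hunk (@@ -1888,6 +1881,10), kref_put(&dev->ref, uvc_delete) no longer has a matching kref_get() in uvc_unregister_video(), so every call to this function now consumes a reference that the caller must own. The new comment names only the kref_init() from uvc_probe; please confirm that each call site reaches this function at most once per device and state that contract in the comment, for example "Drops the initial kref_init() reference; must be called exactly once per device". A second call would put a reference that was never taken. Minor: the comment joins two sentences with a comma, a full stop after "uvc_probe" reads better.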