From: Roland Dreier
To: Laurent Pinchart
Cc: Romano Giannetti, linux-kernel@vger.kernel.org, linux-uvc-devel@berlios.de
Subject: Re: Linux 2.6.26-rc9 circular lock with uvcvideo on resume from hibernation
Date: Wed, 09 Jul 2008 12:53:26 -0700
In-Reply-To: <200807092129.03679.laurent.pinchart@skynet.be> (Laurent Pinchart's message of "Wed, 9 Jul 2008 21:29:03 +0200")

> uvc_disconnect()                          | uvc_v4l2_open()
> ...                                       |
> mutex_lock(&uvc_driver.open_mutex);       |
> dev->state |= UVC_DEV_DISCONNECTED;       |
> mutex_unlock(&uvc_driver.open_mutex);     |
>                                           |
>                                           | mutex_lock(&uvc_driver.open_mutex);
>                                           | vdev = video_devdata(file);
>                                           | video = video_get_drvdata(vdev);
>                                           |
> kref_put(&dev->kref, uvc_delete);         |
>                                           |
>                                           | if (video->dev->state...)
>
> kref_put() in uvc_disconnect() will call uvc_delete(), which will in turn free
> the video structure. uvc_v4l2_open() will then dereference freed memory when
> testing the device state.

I don't believe this is correct. I tried to explain it in my changelog by
saying "uvc_delete() does uvc_unregister_video() (and hence
video_unregister_device(), which is synchronized with videodev_lock) as its
first thing, so there is no risk of use-after-free in uvc_v4l2_open()."

In other words, the first thing uvc_delete() does is call
uvc_unregister_video(), which will call video_unregister_device(). Since this
needs to take videodev_lock, it will wait until uvc_v4l2_open() returns (which
it will do, since state is now UVC_DEV_DISCONNECTED). So the video struct will
not be freed until after uvc_v4l2_open() returns.

As far as I can see there is no use-after-free.

 - R.

-- 
Roland Dreier
GPG Key: 1024D/E0EEFAC0
Fingerprint: A89F B5E9 C185 F34D BD50 4009 37E2 25CC E0EE FAC0
Sending >500KB attachments is forbidden by the Geneva Convention.
Your country may be at risk if you fail to comply.
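The ordering argued above, modelled in user space as an added illustration (this is not the kernel's or the uvc driver's code): open() runs while holding videodev_lock, disconnect marks the device and drops its reference, and uvc_delete() must take videodev_lock before freeing, so the state test in open() never reaches freed memory. The mutex names mirror the thread; the hs_lock/hs_cond handshake, the refcount field and the freed/seen flags are constructed so the interleaving in the diagram is reproduced deterministically.

```c
#include <pthread.h>
#include <stdlib.h>
#define UVC_DEV_DISCONNECTED 1
struct uvc_device { int refcount; int state; };
static pthread_mutex_t open_mutex = PTHREAD_MUTEX_INITIALIZER;    /* uvc_driver.open_mutex */
static pthread_mutex_t videodev_lock = PTHREAD_MUTEX_INITIALIZER; /* videodev's videodev_lock */
static pthread_mutex_t hs_lock = PTHREAD_MUTEX_INITIALIZER;       /* handshake for the test only */
static pthread_cond_t hs_cond = PTHREAD_COND_INITIALIZER;
static int open_in_progress, device_freed, saw_freed_device, saw_disconnected;
static struct uvc_device *dev;
/* uvc_delete(): unregister under videodev_lock (waits for any open() in progress), then free. */
static void uvc_delete(struct uvc_device *d) {
    pthread_mutex_lock(&videodev_lock);   /* video_unregister_device() */
    pthread_mutex_unlock(&videodev_lock);
    free(d);
    device_freed = 1;
}

static void *disconnect_thread(void *arg) {
    pthread_mutex_lock(&hs_lock);         /* start only once open() holds videodev_lock */
    while (!open_in_progress) pthread_cond_wait(&hs_cond, &hs_lock);
    pthread_mutex_unlock(&hs_lock);
    pthread_mutex_lock(&open_mutex);
    dev->state |= UVC_DEV_DISCONNECTED;
    pthread_mutex_unlock(&open_mutex);
    if (--dev->refcount == 0) uvc_delete(dev);   /* kref_put(&dev->kref, uvc_delete) */
    return arg;
}

static void *open_thread(void *arg) {
    pthread_mutex_lock(&videodev_lock);   /* video_open() holds this around uvc_v4l2_open() */
    pthread_mutex_lock(&hs_lock);
    open_in_progress = 1;
    pthread_cond_signal(&hs_cond);
    pthread_mutex_unlock(&hs_lock);
    pthread_mutex_lock(&open_mutex);
    saw_disconnected = dev->state & UVC_DEV_DISCONNECTED;  /* the disputed state test */
    pthread_mutex_unlock(&open_mutex);
    saw_freed_device = device_freed;      /* 1 here would be the use-after-free */
    pthread_mutex_unlock(&videodev_lock);
    return arg;
}

int uvc_race_scenario(void) {
    pthread_t o, d;
    dev = calloc(1, sizeof *dev); dev->refcount = 1;
    open_in_progress = device_freed = saw_freed_device = saw_disconnected = 0;
    pthread_create(&d, NULL, disconnect_thread, NULL);
    pthread_create(&o, NULL, open_thread, NULL);
    pthread_join(o, NULL); pthread_join(d, NULL);
    return saw_freed_device;              /* 1 only if open() touched freed memory */
}
```

Whether open() observes UVC_DEV_DISCONNECTED depends on which side takes open_mutex first, but in either order the free cannot happen until open() has released videodev_lock.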