uvcvideo: Race on dev->state between uvc_disconnect() and uvc_v4l2_open()

From: Eugene Shatokhin
Date: Wed May 20 2015 - 10:48:48 EST

Next message: Thomas Gleixner: "Re: [Patch v2 06/14] genirq: Move field 'handler_data' from struct irq_data into struct irq_common_data"
Previous message: Ingo Molnar: "Re: [PATCH v4 0/3] Compile-time stack frame pointer validation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

There is a race in uvcvideo module between uvc_disconnect() and uvc_v4l2_open() on dev->state. Checked and reproduced that with kernel 4.1-rc1.

drivers/media/usb/uvc/uvc_driver.c, uvc_disconnect():

dev->state |= UVC_DEV_DISCONNECTED;

drivers/media/usb/uvc/uvc_v4l2.c, uvc_v4l2_open():

if (stream->dev->state & UVC_DEV_DISCONNECTED)
return -ENODEV;

I checked that the race does happen by introducing a delay in uvc_disconnect() right before that assignment and armed a hardware breakpoint to detect the access to stream->dev->state from uvc_v4l2_open(). When I disconnected the webcam while Google Hangout was running, the hardware breakpoint triggered several times for that read in uvc_v4l2_open (uvc_v4l2.c:484). uvc_v4l2_open() was called in the context of GoogleTalkPlugin processes.

Not sure if the race is intentional but I guess, better to report it anyway. Nothing has crashed during my (brief) testing yet, but still.

Regards,

Eugene

--
Eugene Shatokhin, ROSA
www.rosalab.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Gleixner: "Re: [Patch v2 06/14] genirq: Move field 'handler_data' from struct irq_data into struct irq_common_data"
Previous message: Ingo Molnar: "Re: [PATCH v4 0/3] Compile-time stack frame pointer validation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]