From: Pavel Andrianov <andrianov@ispras.ru>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
Vladis Dronov <vdronov@redhat.com>, Insu Yun <wuninsu@gmail.com>,
Oliver Neukum <oneukum@suse.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
Vaishali Thakkar <vaishali.thakkar@oracle.com>,
ldv-project@linuxtesting.org
Subject: Re: A potential race
Date: Fri, 01 Jul 2016 19:02:06 +0400 [thread overview]
Message-ID: <577685EE.1050704@ispras.ru> (raw)
In-Reply-To: <8c161772-d2d9-0897-7f76-40caea5f0a93@xs4all.nl>
01.07.2016 19:53, Hans Verkuil пишет:
> On 07/01/2016 04:39 PM, Pavel Andrianov wrote:
>> Hi!
>>
>> There is a potential race condition between usbvision_v4l2_close and usbvision_disconnect. The possible scenario may be the following. usbvision_disconnect starts execution, assigns usbvision->remove_pending = 1, and is interrupted
>> (rescheduled) after mutex_unlock. After that usbvision_v4l2_close is executed, decrease usbvision->user-- , checks usbvision->remove_pending, executes usbvision_release and finishes. Then usbvision_disconnect continues its execution. It checks
>> usbversion->user (it is already 0) and also execute usbvision_release. Thus, release is executed twice. The same situation may
>> occur if usbvision_v4l2_close is interrupted by usbvision_disconnect. Moreover, the same problem is in usbvision_radio_close. In all these cases the check before call usbvision_release under mutex_lock protection does not solve the problem, because there may occur an open() after the check and the race takes place again. The question is: why the usbvision_release
>> is called from close() (usbvision_v4l2_close and usbvision_radio_close)? Usually release functions are called from
>> disconnect.
> Please don't use html mail, mailinglists will silently reject this.
>
> The usbvision driver is old and unloved and known to be very bad code. It needs a huge amount of work to make all this work correctly.
>
> I don't see anyone picking this up...
>
> Regards,
>
> Hans
If you know the driver, could you, please, explain me, why
usbvision_release is called from close functions (usbvision_v4l2_close
and usbvision_radio_close) and not only from disconnect? Thanks!
--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: andrianov@ispras.ru
next prev parent reply other threads:[~2016-07-01 16:07 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <57727001.7040606@ispras.ru>
[not found] ` <577680B3.5010901@ispras.ru>
2016-07-01 15:53 ` A potential race Hans Verkuil
2016-07-01 15:02 ` Pavel Andrianov [this message]
2016-07-01 16:17 ` Hans Verkuil
2016-07-08 13:06 ` Pavel Andrianov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=577685EE.1050704@ispras.ru \
--to=andrianov@ispras.ru \
--cc=hverkuil@xs4all.nl \
--cc=ldv-project@linuxtesting.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=oneukum@suse.com \
--cc=vaishali.thakkar@oracle.com \
--cc=vdronov@redhat.com \
--cc=wuninsu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.