public inbox for linux-kernel@vger.kernel.org
From: Frederik Deweerdt <frederik.deweerdt@xprog.eu>
To: "Tomas M." <tmezzadra@gmail.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	laurent.pinchart@ideasonboard.com, hverkuil@xs4all.nl,
	mchehab@redhat.com
Subject: [patch] Avoid NULL deref in v4l2_device_release (was Re: kernel OOPS when releasing usb webcam (random))
Date: Tue, 18 Oct 2011 02:19:09 +0200
Message-ID: <20111018001909.GA29706@gambetta>
In-Reply-To: <4E9CB0C2.3030902@gmail.com>

[Adding relevant people to CCs]

Hi Tomas,

On Mon, Oct 17, 2011 at 07:48:34PM -0300, Tomas M. wrote:
> im getting the following null pointer dereference from time to time
> when releasing a usb camera.
> 
[...]
> BUG: unable to handle kernel NULL pointer dereference at 0000006c
> IP: [<f90be6c2>] v4l2_device_release+0xa2/0xf0 [videodev]
> *pde = 00000000
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in: fuse arc4 rt73usb rt2x00usb rt2x00lib mac80211
> cfg80211 rfkill gspca_zc3xx gspca_main videodev joydev
> snd_hda_codec_si3054 sg 8139too snd_hda_codec_realtek firewire_ohci
> firewire_core mmc_core snd_hda_intel snd_hda_codec snd_hwdep snd_pcm
> snd_timer snd soundcore mii crc_itu_t snd_page_alloc iTCO_wdt
> iTCO_vendor_support i2c_i801 evdev psmouse thermal battery serio_raw
> ac cpufreq_ondemand acpi_cpufreq freq_table processor mperf usbhid
> hid ext3 jbd mbcache sd_mod sr_mod cdrom pata_acpi uhci_hcd ata_piix
> ehci_hcd libata scsi_mod usbcore [last unloaded: sdhci]
> 
> Pid: 171, comm: khubd Not tainted 3.1.0-rc9 #66 Everex Systems, Inc.
> Everex StepNote Series/Everex StepNote Series
> EIP: 0060:[<f90be6c2>] EFLAGS: 00010292 CPU: 0
> EIP is at v4l2_device_release+0xa2/0xf0 [videodev]
> EAX: 00000000 EBX: f5636004 ECX: 00000000 EDX: 00000000
> ESI: f5636000 EDI: 00000000 EBP: f563600c ESP: f5627e38
>  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> Process khubd (pid: 171, ti=f5626000 task=f554dc00 task.ti=f5626000)
> Stack:
>  ef000480 c1433780 f5474b00 c12343f8 f54e7e1c 00000000 c114737a f563600c
>  f5636028 c114605d f5636028 c1146020 f91512d4 00000000 c114737a f54e7e1c
>  f54e7e00 f81623f4 f56d4000 f54e7e1c f91512d4 f56d4064 00000001 c12373b7
> Call Trace:
>  [<c12343f8>] ? device_release+0x18/0x80
>  [<c114737a>] ? kref_put+0x2a/0x60
>  [<c114605d>] ? kobject_release+0x3d/0xa0
>  [<c1146020>] ? kobject_del+0x30/0x30
>  [<c114737a>] ? kref_put+0x2a/0x60
>  [<f81623f4>] ? usb_unbind_interface+0x34/0x130 [usbcore]
>  [<c12373b7>] ? __device_release_driver+0x57/0xb0
>  [<c123742d>] ? device_release_driver+0x1d/0x30
>  [<c1236fc2>] ? bus_remove_device+0x72/0x90
>  [<c12350bf>] ? device_del+0xdf/0x150
>  [<f8160591>] ? usb_disable_device+0x81/0x180 [usbcore]
>  [<f8159b3b>] ? usb_disconnect+0x8b/0x110 [usbcore]
>  [<f815b76c>] ? hub_thread+0x97c/0x1180 [usbcore]
>  [<c102d80b>] ? pick_next_task_fair+0x8b/0xe0
>  [<c1052600>] ? abort_exclusive_wait+0x90/0x90
>  [<f815adf0>] ? usb_remote_wakeup+0x40/0x40 [usbcore]
>  [<c1052029>] ? kthread+0x69/0x70
>  [<c1051fc0>] ? kthread_worker_fn+0x150/0x150
>  [<c130d8be>] ? kernel_thread_helper+0x6/0xd
> Code: 83 94 01 00 00 c7 83 60 01 00 00 00 00 00 00 0f b7 93 9c 01 00
> 00 c1 e0 05 f0 0f b3 90 c0 e7 0c f9 b8 20 e1 0c f9 e8 4e cf 24 c8
> <8b> 57 6c 89 f0 85 d2 74 25 ff 93 c8 01 00 00 85 ff 74 21 89 f8
> EIP: [<f90be6c2>] v4l2_device_release+0xa2/0xf0 [videodev] SS:ESP
> 0068:f5627e38
> CR2: 000000000000006c
> ---[ end trace 39522f0f1757c8f8 ]---


The trace hints at a v4l2 being NULL in a newly introduced
v4l2_dev->release check. Attached patch below.

Regards,
Frederik

[media] v4l: Avoid NULL pointer dereference

8280b662df96f4172c4972b14a4aec0daf272b8f introduced a potential NULL
deref in the case v4l2_dev is NULL.

Reported-by: Tomas M. <tmezzadra@gmail.com>
Signed-off-by: Frederik Deweerdt <frederik.deweerdt@xprog.eu>

diff --git a/drivers/media/video/v4l2-dev.c b/drivers/media/video/v4l2-dev.c
index d721565..5c0fa64 100644
--- a/drivers/media/video/v4l2-dev.c
+++ b/drivers/media/video/v4l2-dev.c
@@ -181,7 +181,7 @@ static void v4l2_device_release(struct device *cd)
 	 * TODO: In the long run all drivers that use v4l2_device should use the
 	 * v4l2_device release callback. This check will then be unnecessary.
 	 */
-	if (v4l2_dev->release == NULL)
+	if (v4l2_dev != NULL && v4l2_dev->release == NULL)
 		v4l2_dev = NULL;
 
 	/* Release video_device and perform other
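Review bot: the added `v4l2_dev != NULL` guard is consistent with the quoted oops (CR2 is 0x6c with EDI 0, and the faulting instruction `8b 57 6c` reads `release` through a NULL `v4l2_dev`), but it only stops the crash in this one place; the commit message should explain why a gspca video_device can reach `v4l2_device_release()` with no `v4l2_dev`, and should cite the culprit in kernel form, 8280b662df96 ("subject line"), rather than the bare hash. With the change, a NULL `v4l2_dev` now simply stays NULL, so please confirm that every later use of `v4l2_dev` in this function (below the shown context) is already guarded by its own NULL check. Minor style point: the condition is usually written `if (v4l2_dev && !v4l2_dev->release)`.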

