diff options
author | Laurent Pinchart <laurent.pinchart@skynet.be> | 2008-07-11 18:32:15 -0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@infradead.org> | 2008-07-20 06:19:31 -0400 |
commit | a9e285856112e5e721b6a341d15437a164128b30 (patch) | |
tree | 23b1dab5ebf87625e037eb0d6d09dc7a5d7add1c | |
parent | 6f80e1b4cda7e184e369c84a8b388882b0233d53 (diff) |
V4L/DVB (8257): uvcvideo: Fix possible AB-BA deadlock with videodev_lock and open_mutex
The uvcvideo driver's uvc_v4l2_open() method is called from videodev's
video_open() function, which means it is called with the videodev_lock
mutex held. uvc_v4l2_open() then takes uvc_driver.open_mutex to check
dev->state and avoid racing against a device disconnect, which means
that open_mutex must nest inside videodev_lock.
However uvc_disconnect() takes the open_mutex around setting
dev->state and also around putting its device reference. However, if
uvc_disconnect() ends up dropping the last reference, it will call
uvc_delete(), which calls into the videodev code to unregister its
device, and this will end up taking videodev_lock. This opens a
(unlikely in practice) window for an AB-BA deadlock and also causes a
lockdep warning because of the lock misordering.
Fortunately there is no apparent reason to hold open_mutex when doing
kref_put() in uvc_disconnect(): if uvc_v4l2_open() runs before the
state is set to UVC_DEV_DISCONNECTED, then it will take another
reference to the device and kref_put() won't call uvc_delete; if
uvc_v4l2_open() runs after the state is set, it will run before
uvc_delete(), see the state, and return immediately -- uvc_delete()
does uvc_unregister_video() (and hence video_unregister_device(),
which is synchronized with videodev_lock) as its first thing, so there
is no risk of use-after-free in uvc_v4l2_open().
Bug diagnosed based on a lockdep warning reported by Romano Giannetti
<romano@dea.icai.upcomillas.es>.
Signed-off-by: Roland Dreier <roland@digitalvampire.org>
Signed-off-by: Laurent Pinchart <laurent.pinchart@skynet.be>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
-rw-r--r-- | drivers/media/video/uvc/uvc_driver.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c index 4deb04bc2a73..f2b2983fe062 100644 --- a/drivers/media/video/uvc/uvc_driver.c +++ b/drivers/media/video/uvc/uvc_driver.c | |||
@@ -1633,13 +1633,16 @@ static void uvc_disconnect(struct usb_interface *intf) | |||
1633 | * reference to the uvc_device instance after uvc_v4l2_open() received | 1633 | * reference to the uvc_device instance after uvc_v4l2_open() received |
1634 | * the pointer to the device (video_devdata) but before it got the | 1634 | * the pointer to the device (video_devdata) but before it got the |
1635 | * chance to increase the reference count (kref_get). | 1635 | * chance to increase the reference count (kref_get). |
1636 | * | ||
1637 | * Note that the reference can't be released with the lock held, | ||
1638 | * otherwise a AB-BA deadlock can occur with videodev_lock that | ||
1639 | * videodev acquires in videodev_open() and video_unregister_device(). | ||
1636 | */ | 1640 | */ |
1637 | mutex_lock(&uvc_driver.open_mutex); | 1641 | mutex_lock(&uvc_driver.open_mutex); |
1638 | |||
1639 | dev->state |= UVC_DEV_DISCONNECTED; | 1642 | dev->state |= UVC_DEV_DISCONNECTED; |
1640 | kref_put(&dev->kref, uvc_delete); | ||
1641 | |||
1642 | mutex_unlock(&uvc_driver.open_mutex); | 1643 | mutex_unlock(&uvc_driver.open_mutex); |
1644 | |||
1645 | kref_put(&dev->kref, uvc_delete); | ||
1643 | } | 1646 | } |
1644 | 1647 | ||
1645 | static int uvc_suspend(struct usb_interface *intf, pm_message_t message) | 1648 | static int uvc_suspend(struct usb_interface *intf, pm_message_t message) |