TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
69803ecf3a
twx-linux/drivers
History
Yang Ruirui 69803ecf3a [media] v4l2: uvcvideo use after free bug fix 
Unplugging uvc video camera trigger following oops:

eeepc kernel: [ 1393.500719] usb 3-2: USB disconnect, device number 4
eeepc kernel: [ 1393.504351] uvcvideo: Failed to resubmit video URB (-19).
eeepc kernel: [ 1495.428853] BUG: unable to handle kernel paging request at 6b6b6bcb
eeepc kernel: [ 1495.429017] IP: [<b0358d37>] dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] *pde = 00000000
eeepc kernel: [ 1495.429017] Oops: 0000 [#1] DEBUG_PAGEALLOC
eeepc kernel: [ 1495.429017]
eeepc kernel: [ 1495.429017] Pid: 3476, comm: cheese Not tainted 3.1.0-rc3-00270-g7a54f5e-dirty #485 ASUSTeK Computer INC. 900/900
eeepc kernel: [ 1495.429017] EIP: 0060:[<b0358d37>] EFLAGS: 00010202 CPU: 0
eeepc kernel: [ 1495.429017] EIP is at dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] EAX: 6b6b6b6b EBX: eb08d870 ECX: 00000000 EDX: eb08d930
eeepc kernel: [ 1495.429017] ESI: eb08d870 EDI: eb08d870 EBP: d3249cac ESP: d3249cac
eeepc kernel: [ 1495.429017]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
eeepc kernel: [ 1495.429017] Process cheese (pid: 3476, ti=d3248000 task=df46d870 task.ti=d3248000)
eeepc kernel: [ 1495.429017] Stack:
eeepc kernel: [ 1495.429017]  d3249cb8 b03e77a1 d307b840 d3249ccc b03e77d1 d307b840 eb08d870 eb08d830
eeepc kernel: [ 1495.429017]  d3249ce4 b03ed3b7 00000246 d307b840 eb08d870 d3021b80 d3249cec b03ed565
eeepc kernel: [ 1495.429017]  d3249cfc b03e044d e8323d10 b06e013c d3249d18 b0355fb9 fffffffe d3249d1c
eeepc kernel: [ 1495.429017] Call Trace:
eeepc kernel: [ 1495.429017]  [<b03e77a1>] v4l2_device_disconnect+0x11/0x30
eeepc kernel: [ 1495.429017]  [<b03e77d1>] v4l2_device_unregister+0x11/0x50
eeepc kernel: [ 1495.429017]  [<b03ed3b7>] uvc_delete+0x37/0x110
eeepc kernel: [ 1495.429017]  [<b03ed565>] uvc_release+0x25/0x30
eeepc kernel: [ 1495.429017]  [<b03e044d>] v4l2_device_release+0x9d/0xc0
eeepc kernel: [ 1495.429017]  [<b0355fb9>] device_release+0x19/0x90
eeepc kernel: [ 1495.429017]  [<b03adfdc>] ? usb_hcd_unlink_urb+0x7c/0x90
eeepc kernel: [ 1495.429017]  [<b026b99c>] kobject_release+0x3c/0x90
eeepc kernel: [ 1495.429017]  [<b026b960>] ? kobject_del+0x30/0x30
eeepc kernel: [ 1495.429017]  [<b026ca4c>] kref_put+0x2c/0x60
eeepc kernel: [ 1495.429017]  [<b026b88d>] kobject_put+0x1d/0x50
eeepc kernel: [ 1495.429017]  [<b03b2385>] ? usb_autopm_put_interface+0x25/0x30
eeepc kernel: [ 1495.429017]  [<b03f0e5d>] ? uvc_v4l2_release+0x5d/0xd0
eeepc kernel: [ 1495.429017]  [<b0355d2f>] put_device+0xf/0x20
eeepc kernel: [ 1495.429017]  [<b03dfa96>] v4l2_release+0x56/0x60
eeepc kernel: [ 1495.429017]  [<b019c8dc>] fput+0xcc/0x220
eeepc kernel: [ 1495.429017]  [<b01990f4>] filp_close+0x44/0x70
eeepc kernel: [ 1495.429017]  [<b012b238>] put_files_struct+0x158/0x180
eeepc kernel: [ 1495.429017]  [<b012b100>] ? put_files_struct+0x20/0x180
eeepc kernel: [ 1495.429017]  [<b012b2a0>] exit_files+0x40/0x50
eeepc kernel: [ 1495.429017]  [<b012b9e7>] do_exit+0x5a7/0x660
eeepc kernel: [ 1495.429017]  [<b0135f72>] ? __dequeue_signal+0x12/0x120
eeepc kernel: [ 1495.429017]  [<b055edf2>] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017]  [<b012badc>] do_group_exit+0x3c/0xb0
eeepc kernel: [ 1495.429017]  [<b015792b>] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017]  [<b013755f>] get_signal_to_deliver+0x18f/0x570
eeepc kernel: [ 1495.429017]  [<b01020f7>] do_signal+0x47/0x9e0
eeepc kernel: [ 1495.429017]  [<b055edf2>] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017]  [<b015792b>] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017]  [<b0123300>] ? T.1034+0x30/0xc0
eeepc kernel: [ 1495.429017]  [<b055c45f>] ? schedule+0x29f/0x640
eeepc kernel: [ 1495.429017]  [<b0102ac8>] do_notify_resume+0x38/0x40
eeepc kernel: [ 1495.429017]  [<b055f154>] work_notifysig+0x9/0x11
eeepc kernel: [ 1495.429017] Code: e5 5d 83 f8 01 19 c0 f7 d0 83 e0 f0 c3 8d b4 26 00 00 00 00 55 85 c0 89 e5 75 09 31 c0 5d c3 90 8d 74 26 00 8b 40 04 85 c0 74 f0 <8b> 40 60 5d c3 8d 74 26 00 55 89 e5 53 89 c3 83 ec 04 8b 40 04
eeepc kernel: [ 1495.429017] EIP: [<b0358d37>] dev_get_drvdata+0x17/0x20 SS:ESP 0068:d3249cac
eeepc kernel: [ 1495.429017] CR2: 000000006b6b6bcb
eeepc kernel: [ 1495.466975] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: [ 1495.467860] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: last message repeated 3 times
eeepc kernel: [ 1495.512610] ---[ end trace 73ec16848794e5a5 ]---

For uvc device, dev->vdev.dev is the &intf->dev,
uvc_delete code is as below:
	usb_put_intf(dev->intf);
	usb_put_dev(dev->udev);

	uvc_status_cleanup(dev);
	uvc_ctrl_cleanup_device(dev);

	if (dev->vdev.dev)
		v4l2_device_unregister(&dev->vdev);

Fix it by get_device in v4l2_device_register and put_device in v4l2_device_disconnect

Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2011-09-21 16:52:52 -03:00
..
accessibility
acpi Merge branch 'battery' into release 2011-08-05 22:16:42 -04:00
amba
ata drivers/ata/sata_dwc_460ex.c: add missing kfree 2011-08-18 23:58:11 -04:00
atm
auxdisplay
base Merge branch 'for-linus' of git://opensource.wolfsonmicro.com/regmap 2011-09-08 16:47:52 -07:00
bcma bcma: add uevent to the bus, to autoload drivers 2011-08-22 14:21:41 -04:00
block Merge branch 'stable/for-jens' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus 2011-08-09 20:43:26 +02:00
bluetooth Bluetooth: Add Toshiba laptops AR30XX device ID 2011-08-11 19:50:26 -03:00
cdrom drivers/cdrom/cdrom.c: relax check on dvd manufacturer value 2011-08-02 12:43:50 +02:00
char drivers/char/msm_smd_pkt.c: don't use IS_ERR() 2011-08-25 16:25:33 -07:00
clk
clocksource Merge branch 'common/core' into sh-latest 2011-08-08 16:33:54 +09:00
connector proc_fork_connector: a lockless ->real_parent usage is not safe 2011-07-28 18:26:32 -07:00
cpufreq
cpuidle cpuidle: stop depending on pm_idle 2011-08-03 19:06:37 -04:00
crypto n2_crypto: Attach on Niagara-T3. 2011-07-28 01:30:07 -07:00
dca
dio
dma dmaengine/ste_dma40: fix memory leak due to prepared descriptors 2011-09-05 17:08:26 +05:30
edac i7core_edac: fixed typo in error count calculation 2011-08-18 14:07:15 -07:00
eisa eisa/pci_eisa.c: fix BUG introduced by 005bdad7b80 2011-08-04 06:32:51 -10:00
firewire Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2011-08-27 09:32:08 -07:00
firmware firmware: fix google/gsmi.c build warning 2011-08-08 13:53:49 -07:00
gpio Merge branch 'gpio/next' of git://git.secretlab.ca/git/linux-2.6 2011-08-01 06:13:48 -10:00
gpu drm: Remove duplicate "return" statement 2011-09-09 09:11:44 +01:00
hid Merge branches 'upstream-fixes' and 'magicmouse' into for-linus 2011-09-07 13:53:17 +02:00
hwmon hwmon: (ucd9000/ucd9200) Optimize array walk 2011-09-06 08:56:07 -07:00
hwspinlock
i2c i2c-tegra: fix possible race condition after tx 2011-09-07 00:13:40 +01:00
ide drivers/ide/cy82c693.c: Add missing pci_dev_put 2011-08-04 01:30:34 -07:00
idle
ieee802154
infiniband Merge branches 'ipoib' and 'iser' into for-next 2011-08-17 10:57:43 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2011-08-24 09:19:03 -07:00
iommu iommu/amd: Don't take domain->lock recursivly 2011-09-02 14:19:50 +02:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2011-07-28 05:58:19 -07:00
leds drivers/leds/leds-bd2802.c: bd2802_unregister_led_classdev() should unregister all registered leds 2011-08-25 16:25:35 -07:00
lguest
macintosh
mca
md md: Fix handling for devices from 2TB to 4TB in 0.90 metadata. 2011-09-10 17:21:28 +10:00
media [media] v4l2: uvcvideo use after free bug fix 2011-09-21 16:52:52 -03:00
memstick
message Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2011-07-30 08:36:02 -10:00
mfd mfd: Fix mismatch in twl4030 mutex lock-unlock 2011-07-31 23:28:27 +02:00
misc Merge branch 'driver-core-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6 2011-08-26 13:05:09 -07:00
mmc mmc: sdhci-s3c: Fix mmc card I/O problem 2011-08-31 16:25:52 -04:00
mtd UBI: do not link debug messages when debugging is disabled 2011-08-19 19:02:27 +03:00
net NET: am79c961: fix race in link status code 2011-09-05 08:58:29 +01:00
nfc
nubus
of Revert "dt: add of_alias_scan and of_alias_get_id" 2011-08-04 11:26:24 +01:00
oprofile
parisc
parport
pci PCI: Remove MRRS modification from MPS setting code 2011-09-09 19:49:58 -07:00
pcmcia Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6 2011-07-31 06:23:08 -10:00
platform acer-wmi: support Lenovo ideapad S205 wifi switch 2011-08-05 15:21:52 -04:00
pnp
power s3c-adc-battery: Fix compilation error due to missing header (module.h) 2011-08-19 21:01:46 +04:00
pps
ps3
ptp
rapidio rapidio: fix use of non-compatible registers 2011-08-25 16:25:34 -07:00
regulator Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6 2011-08-01 14:05:46 -10:00
rtc Merge branch 'timers-fixes-for-linus' of git://tesla.tglx.de/git/linux-2.6-tip 2011-09-07 13:03:48 -07:00
s390 [S390] memory hotplug: only unassign assigned increments 2011-08-24 17:15:24 +02:00
sbus
scsi scsi: qla4xxx driver depends on NET 2011-09-10 17:31:31 -07:00
sfi
sh Merge branch 'common/core' into sh-latest 2011-08-08 16:33:54 +09:00
sn
spi spi/pl022: remove function cannot exit 2011-08-02 14:54:11 +01:00
ssb
staging [media] tm6000: Enable fast USB quirk on Cinergy Hybrid 2011-09-21 15:59:30 -03:00
target target: Convert acl_node_lock to be IRQ-disabling 2011-08-22 19:28:36 +00:00
tc
telephony
thermal thermal: make THERMAL_HWMON implementation fully internal 2011-08-02 14:51:57 -04:00
tty Merge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-3.x 2011-08-29 13:34:48 -07:00
uio
usb USB: ftdi_sio: add Calao reference board support 2011-08-25 09:44:50 -07:00
uwb
vhost
video backlight: Declare backlight_types[] const 2011-09-10 14:00:02 -07:00
virt
virtio
vlynq
w1 MAINTAINERS: Evgeniy has moved 2011-08-25 16:25:33 -07:00
watchdog watchdog: Cleanup WATCHDOG_CORE help text 2011-08-02 08:23:07 +00:00
xen xen: self-balloon needs module.h 2011-08-16 07:23:34 -07:00
zorro
Kconfig
Makefile