[ldv-project] A potential race

[Pavel Andrianov]

  Hi!

There is a potential race condition between usbvision_v4l2_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403> 
and usbvision_disconnect 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569>. 
The possible scenario may be the following. usbvision_disconnect 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569> 
starts execution, assigns usbvision->remove_pending = 1 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1587>, 
and is interrupted (rescheduled) after mutex_unlock 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1592>. 
After that usbvision_v4l2_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403> 
is executed, decrease usbvision->user-- 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L419>, 
checks usbvision->remove_pending 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L422>, 
executes usbvision_release 
<http://lxr.free-electrons.com/ident?i=usbvision_release> and finishes. 
Then usbvision_disconnect 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569> 
continues its execution. It checks usbversion->user 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1594> 
(it is already 0) and also execute usbvision_release 
<http://lxr.free-electrons.com/ident?i=usbvision_release>. Thus, release 
is executed twice. The same situation may occur if usbvision_v4l2_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403> 
is interrupted by usbvision_disconnect 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569>. 
Moreover, the same problem is in usbvision_radio_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1135>. 
In all these cases the check before call usbvision_release 
<http://lxr.free-electrons.com/ident?i=usbvision_release> under 
mutex_lock protection does not solve the problem, because there may 
occur an open() after the check and the race takes place again. The 
question is: why the usbvision_release 
<http://lxr.free-electrons.com/ident?i=usbvision_release> is called from 
close() (usbvision_v4l2_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403> 
and usbvision_radio_close 
<http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1135>)? 
Usually release functions are called from disconnect.

-- 
Pavel Andrianov
Linux Verification Center, ISPRAS
web:http://linuxtesting.org
e-mail:andrianov at ispras.ru



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxtesting.org/pipermail/ldv-project/attachments/20160701/0f444159/attachment.html>