<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi!<br>
<div class="moz-forward-container"> <br>
There is a potential race condition between <a
moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403">usbvision_v4l2_close</a>
and <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569">usbvision_disconnect</a>.
The possible scenario may be the following. <a
moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569">usbvision_disconnect</a>
starts execution, assigns <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1587">usbvision->remove_pending
= 1</a>, and is interrupted (rescheduled) after <a
moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1592">mutex_unlock</a>.
After that <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403">usbvision_v4l2_close</a>
is executed, decreases <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L419">usbvision->user--</a>,
checks <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L422">usbvision->remove_pending</a>,
executes <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/ident?i=usbvision_release">usbvision_release</a>
and finishes. Then <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569">usbvision_disconnect</a>
continues its execution. It checks <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1594">usbvision->user</a>
(it is already 0) and also executes <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/ident?i=usbvision_release">usbvision_release</a>.
Thus, release is executed twice. The same situation may occur if <a
moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403">usbvision_v4l2_close</a>
is interrupted by <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1569">usbvision_disconnect</a>.
Moreover, the same problem is in <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1135">usbvision_radio_close</a>.
In all these cases the check before calling <a
moz-do-not-send="true"
href="http://lxr.free-electrons.com/ident?i=usbvision_release">usbvision_release</a>
under mutex_lock protection does not solve the problem, because
there may occur an open() after the check and the race takes place
again. The question is: why is <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/ident?i=usbvision_release">usbvision_release</a>
called from close() (<a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L403">usbvision_v4l2_close</a>
and <a moz-do-not-send="true"
href="http://lxr.free-electrons.com/source/drivers/media/usb/usbvision/usbvision-video.c#L1135">usbvision_radio_close</a>)?
Usually release functions are called from disconnect.<br>
<br>
<pre class="moz-signature" cols="72">--
Pavel Andrianov
Linux Verification Center, ISPRAS
web: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://linuxtesting.org">http://linuxtesting.org</a>
e-mail: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:andrianov@ispras.ru">andrianov@ispras.ru</a></pre>
<br>
</div>
<br>
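The interleaving described in the message above, replayed as a deterministic user-space model. This is an added example, not code from the message or from the usbvision driver. The fields user and remove_pending follow the message; every function name and the reference-counted variant are assumptions made for illustration.<br>

```c
/* Constructed model of the interleaving in the message above; field names
 * follow the message, all function names here are hypothetical. */
#include <stdatomic.h>
#include <stdio.h>

struct dev { int user; int remove_pending; int released; atomic_int refs; };

/* Stands in for usbvision_release(); counts how often teardown runs. */
static void release(struct dev *d) { d->released++; }

/* Racy pattern: disconnect is split where it can be rescheduled. */
static void disconnect_locked(struct dev *d) { d->remove_pending = 1; } /* under mutex */
static void disconnect_tail(struct dev *d) { if (d->user == 0) release(d); } /* after unlock */
static void close_racy(struct dev *d) { d->user--; if (d->remove_pending) release(d); }

/* Returns how many times release ran. interleaved=1 replays the message's
 * scenario; interleaved=0 lets close finish before disconnect starts. */
static int run_racy(int interleaved)
{
    struct dev d = { .user = 1 };
    if (interleaved) {
        disconnect_locked(&d);  /* sets remove_pending, unlocks, is rescheduled */
        close_racy(&d);         /* user 1 -> 0, sees remove_pending, releases */
        disconnect_tail(&d);    /* resumes, sees user == 0, releases again */
    } else {
        close_racy(&d);         /* no pending removal: no release */
        disconnect_locked(&d);
        disconnect_tail(&d);    /* single release */
    }
    return d.released;
}

/* Assumed alternative: each owner holds one reference and the atomic
 * decrement picks exactly one caller to run release. */
static void put(struct dev *d) { if (atomic_fetch_sub(&d->refs, 1) == 1) release(d); }

static int run_refcounted(int close_first)
{
    struct dev d = { .user = 1 };
    atomic_init(&d.refs, 2);    /* one for the USB binding, one for the open file */
    if (close_first) { d.user--; put(&d); d.remove_pending = 1; put(&d); }
    else             { d.remove_pending = 1; put(&d); d.user--; put(&d); }
    return d.released;
}

int main(void)
{
    printf("racy interleaved: %d, racy sequential: %d, refcounted: %d/%d\n",
           run_racy(1), run_racy(0), run_refcounted(1), run_refcounted(0));
    return 0;
}
```

The model runs the steps sequentially, so it shows which orderings double-release rather than reproducing real preemption.<br>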
</body>
</html>