diff mbox

[v2] usbtv: Fix refcounting mixup

Message ID 20180515130744.19342-1-oneukum@suse.com (mailing list archive)
State New, archived
Headers show

Commit Message

Oliver Neukum May 15, 2018, 1:07 p.m. UTC
The premature free in the error path is blocked by V4L
refcounting, not USB refcounting. Thanks to
Ben Hutchings for review.

[v2] corrected attributions

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Fixes: 50e704453553 ("media: usbtv: prevent double free in error case")
CC: stable@vger.kernel.org
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
 drivers/media/usb/usbtv/usbtv-core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Hans Verkuil May 15, 2018, 2:28 p.m. UTC | #1
On 05/15/18 15:07, Oliver Neukum wrote:
> The premature free in the error path is blocked by V4L
> refcounting, not USB refcounting. Thanks to
> Ben Hutchings for review.
> 
> [v2] corrected attributions
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> Fixes: 50e704453553 ("media: usbtv: prevent double free in error case")
> CC: stable@vger.kernel.org
> Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> ---
>  drivers/media/usb/usbtv/usbtv-core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
> index 5095c380b2c1..4a03c4d66314 100644
> --- a/drivers/media/usb/usbtv/usbtv-core.c
> +++ b/drivers/media/usb/usbtv/usbtv-core.c
> @@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interface *intf,
>  
>  usbtv_audio_fail:
>  	/* we must not free at this point */
> -	usb_get_dev(usbtv->udev);
> +	v4l2_device_get(&usbtv->v4l2_dev);

This is very confusing. I think it is much better to move the
v4l2_device_register() call from usbtv_video_init to this probe function.

The extra v4l2_device_get in the probe() can just be dropped and
usbtv_video_free() no longer needs to call v4l2_device_put().

The only place you need a v4l2_device_put() is in the disconnect()
function at the end.

Regards,

	Hans

> +	/* this will undo the v4l2_device_get() */
>  	usbtv_video_free(usbtv);
>  
>  usbtv_video_fail:
>
Oliver Neukum May 15, 2018, 3:46 p.m. UTC | #2
Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
> On 05/15/18 15:07, Oliver Neukum wrote:
> > The premature free in the error path is blocked by V4L
> > refcounting, not USB refcounting. Thanks to
> > Ben Hutchings for review.
> > 
> > [v2] corrected attributions
> > 
> > Signed-off-by: Oliver Neukum <oneukum@suse.com>
> > Fixes: 50e704453553 ("media: usbtv: prevent double free in error case")
> > CC: stable@vger.kernel.org
> > Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> > ---
> >  drivers/media/usb/usbtv/usbtv-core.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
> > index 5095c380b2c1..4a03c4d66314 100644
> > --- a/drivers/media/usb/usbtv/usbtv-core.c
> > +++ b/drivers/media/usb/usbtv/usbtv-core.c
> > @@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interface *intf,
> >  
> >  usbtv_audio_fail:
> >  	/* we must not free at this point */
> > -	usb_get_dev(usbtv->udev);
> > +	v4l2_device_get(&usbtv->v4l2_dev);
> 
> This is very confusing. I think it is much better to move the

Yes. It confused me.

> v4l2_device_register() call from usbtv_video_init to this probe function.

Yes, but it is called here. So you want to do it after registering the
audio?

	Regards
		Oliver
Hans Verkuil May 15, 2018, 4:01 p.m. UTC | #3
On 05/15/2018 05:46 PM, Oliver Neukum wrote:
> Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
>> On 05/15/18 15:07, Oliver Neukum wrote:
>>> The premature free in the error path is blocked by V4L
>>> refcounting, not USB refcounting. Thanks to
>>> Ben Hutchings for review.
>>>
>>> [v2] corrected attributions
>>>
>>> Signed-off-by: Oliver Neukum <oneukum@suse.com>
>>> Fixes: 50e704453553 ("media: usbtv: prevent double free in error case")
>>> CC: stable@vger.kernel.org
>>> Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>>> ---
>>>  drivers/media/usb/usbtv/usbtv-core.c | 3 ++-
>>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
>>> index 5095c380b2c1..4a03c4d66314 100644
>>> --- a/drivers/media/usb/usbtv/usbtv-core.c
>>> +++ b/drivers/media/usb/usbtv/usbtv-core.c
>>> @@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interface *intf,
>>>  
>>>  usbtv_audio_fail:
>>>  	/* we must not free at this point */
>>> -	usb_get_dev(usbtv->udev);
>>> +	v4l2_device_get(&usbtv->v4l2_dev);
>>
>> This is very confusing. I think it is much better to move the
> 
> Yes. It confused me.
> 
>> v4l2_device_register() call from usbtv_video_init to this probe function.
> 
> Yes, but it is called here. So you want to do it after registering the
> audio?

No, before. It's a global data structure, so this can be done before the
call to usbtv_video_init() as part of the top-level initialization of the
driver.

Regards,

	Hans
Oliver Neukum May 16, 2018, 9:23 a.m. UTC | #4
Am Dienstag, den 15.05.2018, 18:01 +0200 schrieb Hans Verkuil:
> On 05/15/2018 05:46 PM, Oliver Neukum wrote:
> > Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
> > > On 05/15/18 15:07, Oliver Neukum wrote:

> > > >  usbtv_audio_fail:
> > > >  	/* we must not free at this point */
> > > > -	usb_get_dev(usbtv->udev);
> > > > +	v4l2_device_get(&usbtv->v4l2_dev);
> > > 
> > > This is very confusing. I think it is much better to move the
> > 
> > Yes. It confused me.
> > 
> > > v4l2_device_register() call from usbtv_video_init to this probe function.
> > 
> > Yes, but it is called here. So you want to do it after registering the
> > audio?
> 
> No, before. It's a global data structure, so this can be done before the
> call to usbtv_video_init() as part of the top-level initialization of the
> driver.

Eh, but we cannot create a V4L device before the first device
is connected and we must certainly create multiple V4L devices if
multiple physical devices are connected.

Maybe I am dense. Please elaborate.
It seem to me that the driver is confusing because it uses
multiple refcounts.

	Regards
		Oliver
Hans Verkuil May 16, 2018, 10:27 a.m. UTC | #5
On 05/16/18 11:23, Oliver Neukum wrote:
> Am Dienstag, den 15.05.2018, 18:01 +0200 schrieb Hans Verkuil:
>> On 05/15/2018 05:46 PM, Oliver Neukum wrote:
>>> Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
>>>> On 05/15/18 15:07, Oliver Neukum wrote:
> 
>>>>>  usbtv_audio_fail:
>>>>>  	/* we must not free at this point */
>>>>> -	usb_get_dev(usbtv->udev);
>>>>> +	v4l2_device_get(&usbtv->v4l2_dev);
>>>>
>>>> This is very confusing. I think it is much better to move the
>>>
>>> Yes. It confused me.
>>>
>>>> v4l2_device_register() call from usbtv_video_init to this probe function.
>>>
>>> Yes, but it is called here. So you want to do it after registering the
>>> audio?
>>
>> No, before. It's a global data structure, so this can be done before the
>> call to usbtv_video_init() as part of the top-level initialization of the
>> driver.
> 
> Eh, but we cannot create a V4L device before the first device
> is connected and we must certainly create multiple V4L devices if
> multiple physical devices are connected.

v4l2_device_register is a terrible name. It does not create devices
or register with anything, it just initializes a root data structure. I have
proposed renaming this to v4l2_root_init() in the past, but people didn't
want a big rename action.

BTW, with 'global data structure' I meant a data structure in struct usbtv.
All I meant to say is that v4l2_device_register should be called in probe(),
not in usbtv_video_init().

Regards,

	Hans

> 
> Maybe I am dense. Please elaborate.
> It seem to me that the driver is confusing because it uses
> multiple refcounts.
> 
> 	Regards
> 		Oliver
>
Oliver Neukum Sept. 16, 2020, 1:47 p.m. UTC | #6
Am Mittwoch, den 16.05.2018, 12:27 +0200 schrieb Hans Verkuil:
> On 05/16/18 11:23, Oliver Neukum wrote:
> > Am Dienstag, den 15.05.2018, 18:01 +0200 schrieb Hans Verkuil:
> > > On 05/15/2018 05:46 PM, Oliver Neukum wrote:
> > > > Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
> > > > > On 05/15/18 15:07, Oliver Neukum wrote:

> > Eh, but we cannot create a V4L device before the first device
> > is connected and we must certainly create multiple V4L devices if
> > multiple physical devices are connected.
> 
> v4l2_device_register is a terrible name. It does not create devices
> or register with anything, it just initializes a root data structure. I have
> proposed renaming this to v4l2_root_init() in the past, but people didn't
> want a big rename action.
> 
> BTW, with 'global data structure' I meant a data structure in struct usbtv.
> All I meant to say is that v4l2_device_register should be called in probe(),
> not in usbtv_video_init().

Hi,

Sorry for thread necromancy I am cleaning up electronically.
This patch has fallen through the cracks. As far as I can see the issue
is still open. I screwed this up. So do you want me to do a major
redesign? If not, what is to be done?

	Regards
		Oliver
Oliver Neukum Sept. 21, 2020, 9:10 a.m. UTC | #7
Am Mittwoch, den 16.05.2018, 12:27 +0200 schrieb Hans Verkuil:
> On 05/16/18 11:23, Oliver Neukum wrote:
> > Am Dienstag, den 15.05.2018, 18:01 +0200 schrieb Hans Verkuil:
> > > On 05/15/2018 05:46 PM, Oliver Neukum wrote:
> > > > Am Dienstag, den 15.05.2018, 16:28 +0200 schrieb Hans Verkuil:
> > > > > On 05/15/18 15:07, Oliver Neukum wrote:
> > Eh, but we cannot create a V4L device before the first device
> > is connected and we must certainly create multiple V4L devices if
> > multiple physical devices are connected.
> 
> v4l2_device_register is a terrible name. It does not create devices
> or register with anything, it just initializes a root data structure. I have
> proposed renaming this to v4l2_root_init() in the past, but people didn't
> want a big rename action.
> 
> BTW, with 'global data structure' I meant a data structure in struct usbtv.
> All I meant to say is that v4l2_device_register should be called in probe(),
> not in usbtv_video_init().

Hi,

Sorry for thread necromancy I am cleaning up electronically.
This patch has fallen through the cracks. As far as I can see the issue
is still open. I screwed this up. So do you want me to do a major
redesign? If not, what is to be done?

	Regards
		Oliver
diff mbox

Patch

diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
index 5095c380b2c1..4a03c4d66314 100644
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -113,7 +113,8 @@  static int usbtv_probe(struct usb_interface *intf,
 
 usbtv_audio_fail:
 	/* we must not free at this point */
-	usb_get_dev(usbtv->udev);
+	v4l2_device_get(&usbtv->v4l2_dev);
+	/* this will undo the v4l2_device_get() */
 	usbtv_video_free(usbtv);
 
 usbtv_video_fail: