mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-15 01:26:43 +07:00
9e08117c9d
Visual inspection of the usbvision driver shows that it suffers from three races between its open, close, and disconnect handlers. In particular, the driver is careful to update its usbvision->user and usbvision->remove_pending flags while holding the private mutex, but: usbvision_v4l2_close() and usbvision_radio_close() don't hold the mutex while they check the value of usbvision->remove_pending; usbvision_disconnect() doesn't hold the mutex while checking the value of usbvision->user; and also, usbvision_v4l2_open() and usbvision_radio_open() don't check whether the device has been unplugged before allowing the user to open the device files. Each of these can potentially lead to usbvision_release() being called twice and use-after-free errors. This patch fixes the races by reading the flags while the mutex is still held and checking for pending removes before allowing an open to succeed. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> CC: <stable@vger.kernel.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> |
||
|---|---|---|
| .. | ||
| airspy | ||
| as102 | ||
| au0828 | ||
| b2c2 | ||
| cpia2 | ||
| cx231xx | ||
| dvb-usb | ||
| dvb-usb-v2 | ||
| em28xx | ||
| go7007 | ||
| gspca | ||
| hackrf | ||
| hdpvr | ||
| msi2500 | ||
| pulse8-cec | ||
| pvrusb2 | ||
| pwc | ||
| rainshadow-cec | ||
| s2255 | ||
| siano | ||
| stk1160 | ||
| stkwebcam | ||
| tm6000 | ||
| ttusb-budget | ||
| ttusb-dec | ||
| usbtv | ||
| usbvision | ||
| uvc | ||
| zr364xx | ||
| Kconfig | ||
| Makefile | ||