linux/drivers/media/video
Yang Ruirui 69803ecf3a [media] v4l2: uvcvideo use after free bug fix
Unplugging a uvc video camera triggers the following oops:

eeepc kernel: [ 1393.500719] usb 3-2: USB disconnect, device number 4
eeepc kernel: [ 1393.504351] uvcvideo: Failed to resubmit video URB (-19).
eeepc kernel: [ 1495.428853] BUG: unable to handle kernel paging request at 6b6b6bcb
eeepc kernel: [ 1495.429017] IP: [<b0358d37>] dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] *pde = 00000000
eeepc kernel: [ 1495.429017] Oops: 0000 [#1] DEBUG_PAGEALLOC
eeepc kernel: [ 1495.429017]
eeepc kernel: [ 1495.429017] Pid: 3476, comm: cheese Not tainted 3.1.0-rc3-00270-g7a54f5e-dirty #485 ASUSTeK Computer INC. 900/900
eeepc kernel: [ 1495.429017] EIP: 0060:[<b0358d37>] EFLAGS: 00010202 CPU: 0
eeepc kernel: [ 1495.429017] EIP is at dev_get_drvdata+0x17/0x20
eeepc kernel: [ 1495.429017] EAX: 6b6b6b6b EBX: eb08d870 ECX: 00000000 EDX: eb08d930
eeepc kernel: [ 1495.429017] ESI: eb08d870 EDI: eb08d870 EBP: d3249cac ESP: d3249cac
eeepc kernel: [ 1495.429017]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
eeepc kernel: [ 1495.429017] Process cheese (pid: 3476, ti=d3248000 task=df46d870 task.ti=d3248000)
eeepc kernel: [ 1495.429017] Stack:
eeepc kernel: [ 1495.429017]  d3249cb8 b03e77a1 d307b840 d3249ccc b03e77d1 d307b840 eb08d870 eb08d830
eeepc kernel: [ 1495.429017]  d3249ce4 b03ed3b7 00000246 d307b840 eb08d870 d3021b80 d3249cec b03ed565
eeepc kernel: [ 1495.429017]  d3249cfc b03e044d e8323d10 b06e013c d3249d18 b0355fb9 fffffffe d3249d1c
eeepc kernel: [ 1495.429017] Call Trace:
eeepc kernel: [ 1495.429017]  [<b03e77a1>] v4l2_device_disconnect+0x11/0x30
eeepc kernel: [ 1495.429017]  [<b03e77d1>] v4l2_device_unregister+0x11/0x50
eeepc kernel: [ 1495.429017]  [<b03ed3b7>] uvc_delete+0x37/0x110
eeepc kernel: [ 1495.429017]  [<b03ed565>] uvc_release+0x25/0x30
eeepc kernel: [ 1495.429017]  [<b03e044d>] v4l2_device_release+0x9d/0xc0
eeepc kernel: [ 1495.429017]  [<b0355fb9>] device_release+0x19/0x90
eeepc kernel: [ 1495.429017]  [<b03adfdc>] ? usb_hcd_unlink_urb+0x7c/0x90
eeepc kernel: [ 1495.429017]  [<b026b99c>] kobject_release+0x3c/0x90
eeepc kernel: [ 1495.429017]  [<b026b960>] ? kobject_del+0x30/0x30
eeepc kernel: [ 1495.429017]  [<b026ca4c>] kref_put+0x2c/0x60
eeepc kernel: [ 1495.429017]  [<b026b88d>] kobject_put+0x1d/0x50
eeepc kernel: [ 1495.429017]  [<b03b2385>] ? usb_autopm_put_interface+0x25/0x30
eeepc kernel: [ 1495.429017]  [<b03f0e5d>] ? uvc_v4l2_release+0x5d/0xd0
eeepc kernel: [ 1495.429017]  [<b0355d2f>] put_device+0xf/0x20
eeepc kernel: [ 1495.429017]  [<b03dfa96>] v4l2_release+0x56/0x60
eeepc kernel: [ 1495.429017]  [<b019c8dc>] fput+0xcc/0x220
eeepc kernel: [ 1495.429017]  [<b01990f4>] filp_close+0x44/0x70
eeepc kernel: [ 1495.429017]  [<b012b238>] put_files_struct+0x158/0x180
eeepc kernel: [ 1495.429017]  [<b012b100>] ? put_files_struct+0x20/0x180
eeepc kernel: [ 1495.429017]  [<b012b2a0>] exit_files+0x40/0x50
eeepc kernel: [ 1495.429017]  [<b012b9e7>] do_exit+0x5a7/0x660
eeepc kernel: [ 1495.429017]  [<b0135f72>] ? __dequeue_signal+0x12/0x120
eeepc kernel: [ 1495.429017]  [<b055edf2>] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017]  [<b012badc>] do_group_exit+0x3c/0xb0
eeepc kernel: [ 1495.429017]  [<b015792b>] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017]  [<b013755f>] get_signal_to_deliver+0x18f/0x570
eeepc kernel: [ 1495.429017]  [<b01020f7>] do_signal+0x47/0x9e0
eeepc kernel: [ 1495.429017]  [<b055edf2>] ? _raw_spin_unlock_irq+0x22/0x30
eeepc kernel: [ 1495.429017]  [<b015792b>] ? trace_hardirqs_on+0xb/0x10
eeepc kernel: [ 1495.429017]  [<b0123300>] ? T.1034+0x30/0xc0
eeepc kernel: [ 1495.429017]  [<b055c45f>] ? schedule+0x29f/0x640
eeepc kernel: [ 1495.429017]  [<b0102ac8>] do_notify_resume+0x38/0x40
eeepc kernel: [ 1495.429017]  [<b055f154>] work_notifysig+0x9/0x11
eeepc kernel: [ 1495.429017] Code: e5 5d 83 f8 01 19 c0 f7 d0 83 e0 f0 c3 8d b4 26 00 00 00 00 55 85 c0 89 e5 75 09 31 c0 5d c3 90 8d 74 26 00 8b 40 04 85 c0 74 f0 <8b> 40 60 5d c3 8d 74 26 00 55 89 e5 53 89 c3 83 ec 04 8b 40 04
eeepc kernel: [ 1495.429017] EIP: [<b0358d37>] dev_get_drvdata+0x17/0x20 SS:ESP 0068:d3249cac
eeepc kernel: [ 1495.429017] CR2: 000000006b6b6bcb
eeepc kernel: [ 1495.466975] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: [ 1495.467860] uvcvideo: Failed to resubmit video URB (-27).
eeepc kernel: last message repeated 3 times
eeepc kernel: [ 1495.512610] ---[ end trace 73ec16848794e5a5 ]---

For a uvc device, dev->vdev.dev is the &intf->dev;
the uvc_delete code is as below:
	usb_put_intf(dev->intf);
	usb_put_dev(dev->udev);

	uvc_status_cleanup(dev);
	uvc_ctrl_cleanup_device(dev);

	if (dev->vdev.dev)
		v4l2_device_unregister(&dev->vdev);

Fix it by calling get_device in v4l2_device_register and put_device in v4l2_device_disconnect.

Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2011-09-21 16:52:52 -03:00
au0828 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
bt8xx [media] bt8xx: Use current logging styles 2011-09-03 21:02:52 -03:00
cpia2 [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
cx18 [media] cx18: Fix videobuf capture 2011-09-18 08:03:39 -03:00
cx88 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
cx231xx [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
cx23885 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
cx25840 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
davinci [media] davinci vpbe: Use resource_size() 2011-09-21 14:10:34 -03:00
em28xx [media] em28xx: Fix em28xx_devused cleanup logic on error 2011-09-21 16:45:54 -03:00
et61x251 [media] et61x251: Use current logging styles 2011-09-03 21:11:59 -03:00
gspca [media] gspca - sonixj: Fix the darkness of sensor om6802 in 320x240 2011-09-11 09:33:37 -03:00
hdpvr [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
ivtv [media] ivtv: fill in service_set 2011-09-06 14:51:27 -03:00
m5mols [media] Stop using linux/version.h on the remaining video drivers 2011-07-27 17:53:16 -03:00
marvell-ccic [media] mmp_camera: add MODULE_ALIAS 2011-09-18 08:05:43 -03:00
omap [media] V4l2: OMAP: VOUT: Minor Cleanup, removing the unnecessary code 2011-07-27 17:56:06 -03:00
omap3isp [media] omap3isp: video: Avoid crashes when pipeline set stream operation fails 2011-09-21 15:30:13 -03:00
pvrusb2 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
pwc [media] pwc: add support for VIDIOC_LOG_STATUS 2011-09-21 10:51:20 -03:00
s5p-fimc [media] s5p-fimc: Remove single-planar capability flags 2011-09-06 17:51:18 -03:00
s5p-mfc [media] media: s5p-mfc: fix section mismatch 2011-09-21 14:53:37 -03:00
s5p-tv [media] media: vb2: change queue initialization order 2011-09-06 15:07:20 -03:00
saa7134 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
saa7164 [media] saa7164: Adding support for HVR2200 card id 0x8953 2011-09-21 10:16:31 -03:00
sn9c102 [media] return -ENOTTY for unsupported ioctl's at legacy drivers 2011-07-27 17:53:38 -03:00
tlg2300 [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
usbvision [media] drivers/media: do not use EXTRA_CFLAGS 2011-09-03 18:50:59 -03:00
uvc [media] uvcvideo: Set alternate setting 0 on resume if the bus has been reset 2011-08-06 10:42:15 -03:00
zoran [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
adp1653.c [media] [-mmotm] media: video/adp1653.c needs module.h 2011-09-21 14:51:51 -03:00
adv7170.c
adv7175.c [media] adv7175: support s_power 2011-01-19 11:45:55 -02:00
adv7180.c
adv7343_regs.h [media] adv7343: use control framework 2011-03-21 20:31:49 -03:00
adv7343.c [media] adv7343: use control framework 2011-03-21 20:31:49 -03:00
ak881x.c
arv.c [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
atmel-isi.c [media] media: vb2: change queue initialization order 2011-09-06 15:07:20 -03:00
bt819.c [media] vpx3220, bt819: fix compiler warnings 2011-09-06 14:46:17 -03:00
bt856.c
bt866.c
btcx-risc.c
btcx-risc.h
bw-qcam.c [media] drivers/media/video: add missing kfree 2011-07-27 17:55:55 -03:00
c-qcam.c [media] drivers/media/video: add missing kfree 2011-07-27 17:55:55 -03:00
cs53l32a.c
cs5345.c [media] cs5345: use the control framework 2011-03-21 20:31:49 -03:00
cs8420.h
cx2341x.c [media] v4l2-ctrls: use const char * const * for the menu arrays 2010-12-30 08:02:14 -02:00
fsl-viu.c [media] Stop using linux/version.h on the remaining video drivers 2011-07-27 17:53:16 -03:00
hexium_gemini.c [media] saa7146: Use current logging styles 2011-09-03 20:54:14 -03:00
hexium_orion.c [media] saa7146: Use current logging styles 2011-09-03 20:54:14 -03:00
ibmmpeg2.h
imx074.c [media] imx074: return a meaningful error code instead of -1 2011-04-13 09:54:35 -03:00
indycam.c
indycam.h
ir-kbd-i2c.c [media] ir-kbd-i2c: pass device code w/key in hauppauge case 2011-03-22 19:24:18 -03:00
Kconfig [media] mt9t001: Aptina (Micron) MT9T001 3MP sensor driver 2011-09-21 15:31:08 -03:00
ks0127.c
ks0127.h
m52790.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
Makefile [media] mt9t001: Aptina (Micron) MT9T001 3MP sensor driver 2011-09-21 15:31:08 -03:00
mem2mem_testdev.c [media] media: vb2: change plane sizes array to unsigned int[] 2011-09-06 15:04:27 -03:00
meye.c [media] v4l2-ioctl: add priority handling support 2011-03-22 16:37:59 -03:00
meye.h
msp3400-driver.c [media] msp3400: fill in v4l2_tuner based on vt->type field 2011-07-07 17:28:30 -03:00
msp3400-driver.h
msp3400-kthreads.c Fix common misspellings 2011-03-31 11:26:23 -03:00
mt9m001.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mt9m111.c [media] mt9m111: move lastpage to struct mt9m111 for multi instances 2011-09-21 14:03:24 -03:00
mt9p031.c [media] mt9p031: Aptina (Micron) MT9P031 5MP sensor driver 2011-09-11 09:49:28 -03:00
mt9t001.c [media] mt9t001: Aptina (Micron) MT9T001 3MP sensor driver 2011-09-21 15:31:08 -03:00
mt9t031.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mt9t112.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mt9v011.c [media] mt9v011: Fixed gain calculation 2011-07-27 17:52:25 -03:00
mt9v022.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mt9v032.c [media] v4l: mt9v032: Fix Bayer pattern 2011-07-27 17:56:10 -03:00
mx1_camera.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mx2_camera.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
mx3_camera.c [media] media: vb2: dma contig allocator: use dma_addr instread of paddr 2011-09-06 15:05:10 -03:00
mxb.c [media] saa7146: Use current logging styles 2011-09-03 20:54:14 -03:00
mxb.h
noon010pc30.c [media] noon010pc30: Remove g_chip_ident operation handler 2011-09-21 14:31:34 -03:00
omap1_camera.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
omap24xxcam-dma.c
omap24xxcam.c Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 2011-07-30 00:08:53 -07:00
omap24xxcam.h
ov772x.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
ov2640.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
ov5642.c [media] ov5642: include module.h for its facilities 2011-07-29 12:54:36 -03:00
ov6650.c Fix common misspellings 2011-03-31 11:26:23 -03:00
ov7670.c [media] marvell-cam: Move cafe-ccic into its own directory 2011-07-27 17:53:00 -03:00
ov9640.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
ov9640.h
ov9740.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
pms.c [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
pxa_camera.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
rj54n1cb0c.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
s2255drv.c [media] Stop using linux/version.h on the remaining video drivers 2011-07-27 17:53:16 -03:00
saa711x_regs.h
saa717x.c
saa6588.c [media] saa6588: rename rds.h to saa6588.h 2010-12-29 08:17:18 -02:00
saa7110.c [media] saa7110: use control framework 2011-03-21 20:31:50 -03:00
saa7115.c [media] saa7115: use the new auto cluster support 2011-09-21 10:51:49 -03:00
saa7121.h
saa7127.c
saa7146.h
saa7146reg.h
saa7185.c
saa7191.c
saa7191.h
sh_mobile_ceu_camera.c [media] media: vb2: dma contig allocator: use dma_addr instread of paddr 2011-09-06 15:05:10 -03:00
sh_mobile_csi2.c [media] V4L: sh_mobile_csi2: switch away from using the soc-camera bus notifier 2011-07-27 17:56:08 -03:00
sh_vou.c [media] Stop using linux/version.h on the remaining video drivers 2011-07-27 17:53:16 -03:00
soc_camera_platform.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
soc_camera.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
soc_mediabus.c [media] V4L: soc-camera: add more format look-up entries 2011-05-20 12:05:27 -03:00
sr030pc30.c [media] sr030pc30: Remove empty s_stream op 2011-09-21 12:48:45 -03:00
stk-sensor.c
stk-webcam.c [media] drivers/media/video/stk-webcam.c: coding style issue 2011-09-18 08:13:10 -03:00
stk-webcam.h
tcm825x.c Fix common misspellings 2011-03-31 11:26:23 -03:00
tcm825x.h
tda7432.c [media] Correct and add some parameter descriptions 2011-07-27 17:52:59 -03:00
tda9840.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
tea6415c.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
tea6415c.h
tea6420.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
tea6420.h
ths7303.c
timblogiw.c [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
tlv320aic23b.c [media] tlv320aic23b: use control framework 2011-03-21 20:31:50 -03:00
tuner-core.c [media] xc4000: removed card_type 2011-07-27 17:52:40 -03:00
tvaudio.c [media] tvaudio: fix compiler warnings 2011-09-06 14:44:30 -03:00
tveeprom.c [media] tveeprom: update hauppauge tuner list thru 174 2011-05-20 09:27:15 -03:00
tvp514x_regs.h
tvp514x.c [media] tvp514x: use the control framework 2011-03-21 20:31:50 -03:00
tvp5150_reg.h
tvp5150.c [media] tvp5150: device detection should be done only once 2011-03-21 20:32:04 -03:00
tvp7002_reg.h
tvp7002.c [media] tvp7002: use control framework 2011-03-21 20:31:50 -03:00
tw9910.c [media] V4L: soc-camera: remove soc-camera bus and devices on it 2011-07-27 17:56:08 -03:00
upd64031a.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
upd64083.c [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev 2011-04-29 12:33:28 -03:00
v4l2-common.c [media] v4l2-ctrls: add new bitmask control type 2011-07-27 17:55:38 -03:00
v4l2-compat-ioctl32.c [media] v4l2-compat-ioctl32: add VIDIOC_DQEVENT support 2011-07-27 17:53:20 -03:00
v4l2-ctrls.c [media] v4l2-ctrls: implement new volatile autocluster scheme 2011-09-21 10:48:30 -03:00
v4l2-dev.c [media] v4l: Don't access media entity after is has been destroyed 2011-06-30 23:12:36 -03:00
v4l2-device.c [media] v4l2: uvcvideo use after free bug fix 2011-09-21 16:52:52 -03:00
v4l2-event.c [media] v4l2-ctrls/v4l2-events: small coding style cleanups 2011-07-27 17:53:34 -03:00
v4l2-fh.c [media] v4l2-event/ctrls/fh: allocate events per fh and per type instead of just per-fh 2011-07-27 17:53:31 -03:00
v4l2-int-device.c
v4l2-ioctl.c [media] media: v4l: remove single to multiplane conversion 2011-09-06 15:03:10 -03:00
v4l2-mem2mem.c [media] media: mem2mem: eliminate possible NULL pointer dereference 2011-09-06 15:03:26 -03:00
v4l2-subdev.c [media] v4l2-event/ctrls/fh: allocate events per fh and per type instead of just per-fh 2011-07-27 17:53:31 -03:00
via-camera.c [media] [Resend] viacam: Don't explode if pci_find_bus() returns NULL 2011-09-11 09:33:39 -03:00
via-camera.h [media] Add the via framebuffer camera controller driver 2010-10-21 13:45:28 -02:00
videobuf2-core.c [media] media: vb2: change queue initialization order 2011-09-06 15:07:20 -03:00
videobuf2-dma-contig.c [media] media: vb2: dma contig allocator: use dma_addr instread of paddr 2011-09-06 15:05:10 -03:00
videobuf2-dma-sg.c [media] videobuf2: Do not unconditionally map S/G buffers into kernel space 2011-09-03 10:57:33 -03:00
videobuf2-memops.c [media] media: vb2: fix userptr VMA release seq 2011-09-06 15:05:21 -03:00
videobuf2-vmalloc.c [media] Update Pawel Osciak's e-mail address 2011-03-22 04:55:05 -03:00
videobuf-core.c [media] V4L: remove V4L1 compatibility mode 2010-12-29 08:17:07 -02:00
videobuf-dma-contig.c Revert "[media] V4L: videobuf, don't use dma addr as physical" 2011-04-19 10:54:44 -07:00
videobuf-dma-sg.c [media] videobuf_pages_to_sg: sglist[0] length problem 2011-07-27 17:52:19 -03:00
videobuf-dvb.c
videobuf-vmalloc.c
vino.c [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
vino.h
vivi.c [media] vivi: add support for VIDIOC_LOG_STATUS 2011-09-21 10:51:10 -03:00
vp27smpx.c
vpx3220.c [media] vpx3220, bt819: fix compiler warnings 2011-09-06 14:46:17 -03:00
w9966.c [media] Stop using linux/version.h on most video drivers 2011-07-27 17:53:12 -03:00
wm8739.c
wm8775.c [media] Add proper audio support for Nova-S Plus with wm8775 ADC 2011-03-21 20:32:19 -03:00
zr364xx.c [media] drivers/media/video/zr364xx.c: add missing cleanup code 2011-09-03 18:43:58 -03:00