From: iceberg <strakh@ispras.ru>
To: Vojtech Pavlik <vojtech@suse.cz>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Dmitry Torokhov <dtor@mail.ru>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-input@vger.kernel.org
Subject: [BUG] ati_remote2.c: possible mutex_lock without mutex_unlock
Date: Tue, 13 Oct 2009 17:52:07 +0000
Message-ID: <1255456327.22233.0@pamir>

	KERNEL_VERSION: 2.6.31
	DESCRIBE:

	In driver ./drivers/input/input.c there is a possible call to mutex_lock
from function input_devices_seq_start without a matching mutex_unlock.

	After calling input_devices_seq_start we can't know whether the
mutex was locked or not.
Case 1. If mutex_lock_interruptible did not lock the mutex because it
was interrupted, then input_devices_seq_start returns NULL.
Case 2. If the mutex was successfully locked but seq_list_start returned
NULL, then input_devices_seq_start returns NULL too.
The last case occurs if seq_list_start is called with pos > size of
input_dev_list or pos < 0.

Hence, after calling input_devices_seq_start we cannot simply check
that the result is not NULL and then call input_devices_seq_stop, the
function which unlocks the mutex, because in case 2 the mutex will stay locked:

void *ret = input_devices_seq_start(...);
if (ret != NULL) {
	// mutex is acquired for sure
	input_devices_seq_stop(...);	// unlocks the mutex
} else {
	// mutex may be acquired or not
}

/* drivers/input/input.c, lines 783-789 (kernel 2.6.31) */
static void *input_devices_seq_start(struct seq_file *seq, loff_t *pos)
{
	if (mutex_lock_interruptible(&input_mutex))
		return NULL;

	return seq_list_start(&input_dev_list, *pos);
}

/* seq_list_start(), lines 663-674 */
struct list_head *seq_list_start(struct list_head *head, loff_t pos)
{
	struct list_head *lh;

	list_for_each(lh, head)
		if (pos-- == 0)
			return lh;

	return NULL;
}

EXPORT_SYMBOL(seq_list_start);

Found by: Linux Driver Verification project
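A user-space model of the two NULL cases listed in the report, added here as an illustration; it is not part of the report and not the kernel's code. The mutex, the list and the start/stop pairs are constructed stand-ins (model_mutex, list_start, buggy_start, fixed_start and the other names are assumptions, and the three-element list is constructed sample data). It exercises both ways a caller could react to the ambiguous NULL, then shows the hardened shape in which start() records in per-open state whether the lock was taken, so that stop() can be called unconditionally and still do the right thing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel mutex: 'held' is the lock state, 'fail_next' makes the
 * next interruptible lock attempt fail as if a signal arrived (-EINTR, lock not
 * taken), 'bad_unlock' records an unlock of a mutex that was not held. */
struct model_mutex { bool held, fail_next, bad_unlock; };
static struct model_mutex input_mutex;

static int model_lock_interruptible(struct model_mutex *m)
{
	if (m->fail_next) { m->fail_next = false; return -4; }	/* -EINTR */
	m->held = true;
	return 0;
}

static void model_unlock(struct model_mutex *m)
{
	if (!m->held)
		m->bad_unlock = true;
	m->held = false;
}

/* Constructed three-element list standing in for input_dev_list, and a
 * walker with the same contract as seq_list_start(): NULL past the end. */
struct node { int id; struct node *next; };
static struct node n3 = { 3, NULL }, n2 = { 2, &n3 }, n1 = { 1, &n2 };
static struct node *dev_list = &n1;

static struct node *list_start(struct node *head, long pos)
{
	for (struct node *n = head; n; n = n->next)
		if (pos-- == 0)
			return n;
	return NULL;
}

/* The shape the report describes: NULL means either "lock not taken"
 * (case 1) or "lock taken, position out of range" (case 2). */
static void *buggy_start(long pos)
{
	if (model_lock_interruptible(&input_mutex))
		return NULL;
	return list_start(dev_list, pos);
}

/* Caller that unlocks only when start() returned an entry: in case 2 the
 * mutex stays held. Returns true if the mutex leaked. */
bool buggy_stop_if_nonnull_leaks(long pos, bool interrupted)
{
	input_mutex = (struct model_mutex){ .fail_next = interrupted };
	if (buggy_start(pos))
		model_unlock(&input_mutex);
	return input_mutex.held;
}

/* Caller that always unlocks (seq_file calls stop() after every start()):
 * in case 1 it unlocks a mutex nobody holds. Returns true if that happened. */
bool buggy_stop_always_misunlocks(long pos, bool interrupted)
{
	input_mutex = (struct model_mutex){ .fail_next = interrupted };
	(void)buggy_start(pos);
	model_unlock(&input_mutex);
	return input_mutex.bad_unlock;
}

/* Hardened form: remember in per-open state whether the lock was taken,
 * and let stop() consult that flag rather than the iterator result. */
struct seq_state { bool mutex_acquired; };
static void *fixed_start(struct seq_state *st, long pos)
{
	st->mutex_acquired = (model_lock_interruptible(&input_mutex) == 0);
	if (!st->mutex_acquired)
		return NULL;	/* kernel code would return ERR_PTR(err) here */
	return list_start(dev_list, pos);
}

static void fixed_stop(struct seq_state *st)
{
	if (st->mutex_acquired) model_unlock(&input_mutex);
}

/* Returns true if the hardened pair either leaked or mis-unlocked. */
bool fixed_misbehaves(long pos, bool interrupted)
{
	struct seq_state st = { false };
	input_mutex = (struct model_mutex){ .fail_next = interrupted };
	(void)fixed_start(&st, pos);
	fixed_stop(&st);	/* unconditional, as seq_file calls it */
	return input_mutex.held || input_mutex.bad_unlock;
}

int main(void)
{
	printf("buggy: leak=%d bad_unlock=%d; fixed: %d %d\n",
	       buggy_stop_if_nonnull_leaks(5, false), buggy_stop_always_misunlocks(0, true),
	       fixed_misbehaves(5, false), fixed_misbehaves(0, true));
}
```

With the three-element list, pos 5 reproduces case 2 (lock taken, NULL returned) and a simulated interruption reproduces case 1 (NULL returned, lock not taken). The first buggy caller leaks the mutex in case 2; the second, which mirrors how seq_file drives its iterators, unlocks an unheld mutex in case 1. The hardened pair does neither, because the decision to unlock is keyed on what start() actually did rather than on what it returned.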


Thread overview: 7+ messages
2009-10-13 17:52 iceberg [this message]
2009-10-13 17:52 ` [BUG] ati_remote2.c: possible mutex_lock without mutex_unlock iceberg
2009-10-13 15:43 ` Jiri Kosina
2009-10-14  6:29   ` Dmitry Torokhov
2009-10-14  7:11     ` Jiri Kosina
2009-10-14  7:14       ` Dmitry Torokhov
2009-10-14  7:16         ` Jiri Kosina