* Patch "[media] media: usbtv: prevent access to free'd resources" has been added to the 4.7-stable tree
@ 2016-08-18 9:11 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-08-18 9:11 UTC (permalink / raw)
To: matthew; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
[media] media: usbtv: prevent access to free'd resources
to the 4.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
media-usbtv-prevent-access-to-free-d-resources.patch
and it can be found in the queue-4.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 2a00932f082aff93c3a55426e0c7af6d0ec03997 Mon Sep 17 00:00:00 2001
From: Matthew Leach <matthew@mattleach.net>
Date: Fri, 8 Jul 2016 09:04:27 -0300
Subject: [media] media: usbtv: prevent access to free'd resources
From: Matthew Leach <matthew@mattleach.net>
commit 2a00932f082aff93c3a55426e0c7af6d0ec03997 upstream.
When disconnecting the usbtv device, the sound card is unregistered
from ALSA and the snd member of the usbtv struct is set to NULL. If
the usbtv snd_trigger work is running, this can cause a race condition
where the kernel will attempt to access free'd resources, shown in
[1].
This patch fixes the disconnection code by cancelling any snd_trigger
work before unregistering the sound card from ALSA and checking that
the snd member still exists in the work function.
[1]:
usb 3-1.2: USB disconnect, device number 6
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff81093850>] process_one_work+0x30/0x480
PGD 405bbf067 PUD 405bbe067 PMD 0
Call Trace:
[<ffffffff81093ce8>] worker_thread+0x48/0x4e0
[<ffffffff81093ca0>] ? process_one_work+0x480/0x480
[<ffffffff81093ca0>] ? process_one_work+0x480/0x480
[<ffffffff81099998>] kthread+0xd8/0xf0
[<ffffffff815c73c2>] ret_from_fork+0x22/0x40
[<ffffffff810998c0>] ? kthread_worker_fn+0x170/0x170
---[ end trace 0f3dac5c1a38e610 ]---
Signed-off-by: Matthew Leach <matthew@mattleach.net>
Tested-by: Peter Sutton <foxxy@foxdogstudios.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/usbtv/usbtv-audio.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/usb/usbtv/usbtv-audio.c
+++ b/drivers/media/usb/usbtv/usbtv-audio.c
@@ -278,6 +278,9 @@ static void snd_usbtv_trigger(struct wor
{
struct usbtv *chip = container_of(work, struct usbtv, snd_trigger);
+ if (!chip->snd)
+ return;
+
if (atomic_read(&chip->snd_stream))
usbtv_audio_start(chip);
else
@@ -378,6 +381,8 @@ err:
void usbtv_audio_free(struct usbtv *usbtv)
{
+ cancel_work_sync(&usbtv->snd_trigger);
+
if (usbtv->snd && usbtv->udev) {
snd_card_free(usbtv->snd);
usbtv->snd = NULL;
Patches currently in stable-queue which might be from matthew@mattleach.net are
queue-4.7/media-usbtv-prevent-access-to-free-d-resources.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-08-18 9:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-18 9:11 Patch "[media] media: usbtv: prevent access to free'd resources" has been added to the 4.7-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.