summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEzequiel Garcia <ezequiel@collabora.com>2018-05-23 22:13:48 +0200
committerMauro Carvalho Chehab <mchehab+samsung@kernel.org>2018-05-28 22:05:03 +0200
commit6992effe5344ceba1c53fd1a062df57e820b27cd (patch)
tree8c1fe015adc7dd0a813ffe2eb9c2a344ceabb9e1
parentmedia: gspca: fix g/s_parm handling (diff)
downloadlinux-6992effe5344ceba1c53fd1a062df57e820b27cd.tar.xz
linux-6992effe5344ceba1c53fd1a062df57e820b27cd.zip
media: gspca: Kill all URBs before releasing any of them
Some subdrivers access the gspca_dev->urb array in the completion handler. To prevent use-after-free (actually, NULL dereferences) we need to synchronously kill all the URBs before we release them. In particular, this is currently the case for drivers such as sn9c20x and sonixj, which access the gspca_dev->urb[0] in the context of completion handler for *any* of the URBs. This commit changes the destroy_urb implementation, so it kills all URBs first, and then proceed to set the URBs to NULL in the array and release them. Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-rw-r--r--drivers/media/usb/gspca/gspca.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
index a72799666417..57aa521e16b1 100644
--- a/drivers/media/usb/gspca/gspca.c
+++ b/drivers/media/usb/gspca/gspca.c
@@ -472,13 +472,20 @@ static void destroy_urbs(struct gspca_dev *gspca_dev)
unsigned int i;
gspca_dbg(gspca_dev, D_STREAM, "kill transfer\n");
+
+ /* Killing all URBs guarantee that no URB completion
+ * handler is running. Therefore, there shouldn't
+ * be anyone trying to access gspca_dev->urb[i]
+ */
+ for (i = 0; i < MAX_NURBS; i++)
+ usb_kill_urb(gspca_dev->urb[i]);
+
+ gspca_dbg(gspca_dev, D_STREAM, "releasing urbs\n");
for (i = 0; i < MAX_NURBS; i++) {
urb = gspca_dev->urb[i];
- if (urb == NULL)
- break;
-
+ if (!urb)
+ continue;
gspca_dev->urb[i] = NULL;
- usb_kill_urb(urb);
usb_free_coherent(gspca_dev->dev,
urb->transfer_buffer_length,
urb->transfer_buffer,