Thread (2 messages), 2 authors, 2021-09-01

Re: [PATCH v2] usb: stkwebcam: update the reference count of the usb device structure

From: Hans Verkuil <hidden>
Date: 2021-09-01 10:55:39
Also in: lkml

Hi Salah, Cai,

I received patches for this from both of you, but both have issues:

On 31/07/2021 18:18, Salah Triki wrote:
Use usb_get_dev() to increment the reference count of the usb device
structure in order to avoid releasing the structure while it is still in
use. And use usb_put_dev() to decrement the reference count and thus,
when it will be equal to 0 the structure will be released.

Signed-off-by: Salah Triki <salah.triki@gmail.com>
---
Change since v1:
	Modification of the description

 drivers/media/usb/stkwebcam/stk-webcam.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c
index a45d464427c4..3b14679829ed 100644
--- a/drivers/media/usb/stkwebcam/stk-webcam.c
+++ b/drivers/media/usb/stkwebcam/stk-webcam.c
@@ -1309,7 +1309,7 @@ static int stk_camera_probe(struct usb_interface *interface,
 	init_waitqueue_head(&dev->wait_frame);
 	dev->first_init = 1; /* webcam LED management */
 
-	dev->udev = udev;
+	dev->udev = usb_get_dev(udev);
 	dev->interface = interface;
 	usb_get_intf(interface);
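
Review bot: the reference taken at dev->udev = usb_get_dev(udev) in stk_camera_probe() has no matching put on the failure path. The diffstat shows only one other added line, the usb_put_dev() in stk_camera_disconnect(), so a probe that fails after this assignment leaves the usb device refcount raised. Add usb_put_dev(dev->udev) to the probe error path so every exit after the get drops the reference.
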
In the error path of stk_camera_probe you need to call usb_put_dev(), otherwise
the udev refcount won't go to 0.
 
@@ -1376,6 +1376,7 @@ static void stk_camera_disconnect(struct usb_interface *interface)
 
 	usb_set_intfdata(interface, NULL);
 	unset_present(dev);
+	usb_put_dev(interface_to_usbdev(interface));
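
Review bot: the put in stk_camera_disconnect() is made on interface_to_usbdev(interface), while the get in the first hunk was stored in dev->udev. Pair the two on the same pointer with usb_put_dev(dev->udev), so the get/put symmetry can be checked by reading the driver alone and does not rely on the interface lookup returning the same device.
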
Cai just used usb_put_dev(dev->udev) here which makes more sense.

Cai also moved this to the stk_v4l_dev_release() function, which is probably
a better place.

However, there is another bug here as well: these lines in stk_camera_disconnect()
should be moved to stk_v4l_dev_release():

        v4l2_ctrl_handler_free(&dev->hdl);
        v4l2_device_unregister(&dev->v4l2_dev);
        kfree(dev);

When the last user of the video device has closed their fh, then stk_v4l_dev_release()
is called, so any cleanup of resources/memory should happen there. Right now if you are
streaming and the webcam is disconnected (or the device forcibly unloaded), the dev
pointer is freed in disconnect, but stk_v4l_dev_release() is called later and will
reference freed memory.

I'm not sure who of the two of you will make a v3, I leave that to you to fight out :-)

Regards,

	Hans
 
 	wake_up_interruptible(&dev->wait_frame);
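
The lifetime rule from the reply above (free in the release callback, not in disconnect), as an added userspace C model that is not part of the original thread or of the driver. Every model_* name is hypothetical, and the open-handle counter is a simplification of the V4L2 reference counting.

```c
/* Userspace model of "free in release, not in disconnect"; not kernel code. */
#include <stdbool.h>
#include <stdlib.h>

struct model_usb_dev { int refs; };      /* stands in for struct usb_device */
struct model_cam {
	struct model_usb_dev *udev;
	int open_fhs;                        /* file handles still open */
	bool present;
	bool registered;                     /* video node still registered */
};

static int freed_cams;                   /* counts calls to model_release() */

/* Stands in for stk_v4l_dev_release(): the only place that frees. */
static void model_release(struct model_cam *cam)
{
	cam->udev->refs--;                   /* pairs with the get in probe */
	free(cam);
	freed_cams++;
}

static struct model_cam *model_probe(struct model_usb_dev *udev)
{
	struct model_cam *cam = calloc(1, sizeof(*cam));
	if (!cam)
		return NULL;                     /* no reference taken yet, nothing to put */
	udev->refs++;                        /* like usb_get_dev() */
	cam->udev = udev;
	cam->present = cam->registered = true;
	return cam;
}

/* Release runs only once the node is unregistered and the last fh is closed. */
static void model_maybe_release(struct model_cam *cam)
{
	if (!cam->registered && cam->open_fhs == 0)
		model_release(cam);
}

static void model_open(struct model_cam *cam)  { cam->open_fhs++; }
static void model_close(struct model_cam *cam) { cam->open_fhs--; model_maybe_release(cam); }

static void model_disconnect(struct model_cam *cam)
{
	cam->present = cam->registered = false;  /* mark gone; free nothing here */
	model_maybe_release(cam);
}
```
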
 
  