Fix device removal locking#46
Merged
Merged
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
Shaoen-Lin
force-pushed
the
fix-device-removal-loop
branch
2 times, most recently
from
ce31656 to
5a032f0
Compare
jserv
requested changes
Jun 5, 2026
jserv
left a comment
jserv
left a comment
Collaborator
There was a problem hiding this comment.
Indent with clang-format-18
control_iocontrol_destroy_device() reads a vcam_devices entry before taking vcam_devices_lock, but later removes entries from the same array while holding the lock. Concurrent destroy requests can therefore use a stale index or device pointer after another request shifts the array. Take vcam_devices_lock before validating the index and reading the device pointer. Remove the device from vcam_devices while still holding the lock, then release the lock before destroying the device. The removal loop shifts vcam_devices entries left by reading vcam_devices[i + 1]. The old loop allowed i to reach vcam_device_count - 1, so the last iteration read one entry past the valid array range. Stop the loop before i + 1 reaches vcam_device_count. Signed-off-by: Shaoen-Lin <shaoen.lin92@gmail.com>
Shaoen-Lin
force-pushed
the
fix-device-removal-loop
branch
from
5a032f0 to
f0fc97c
Compare
Collaborator
|
Thank @Shaoen-Lin for contributing! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
control_iocontrol_destroy_device()reads avcam_devicesentry beforetaking
vcam_devices_lock, but later removes entries from the samearray while holding the lock. Concurrent destroy requests can therefore
use a stale index or device pointer after another request shifts the
array.
Take
vcam_devices_lockbefore validating the index and reading thedevice pointer. Remove the device from
vcam_deviceswhile stillholding the lock, then release the lock before destroying the device.
Also stop the removal loop before i + 1 reaches
vcam_device_count, so itdoes not read past the last valid
vcam_devicesentry.Summary by cubic
Fix race and off-by-one in device removal to prevent stale pointers and out-of-bounds access. Take
vcam_devices_lockbefore validating the index and reading the device pointer, shiftvcam_deviceswithi + 1 < vcam_device_count, then release the lock before destroying the device.Written for commit f0fc97c. Summary will update on new commits.