Prepare for postponing the call until all file handles have been
closed.
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index f82cd1f..e33364c 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -161,6 +161,17 @@ struct dvb_ca_private {
struct mutex ioctl_mutex;
};
+static void dvb_ca_private_free(struct dvb_ca_private *ca)
+{
+ dvb_unregister_device(ca->dvbdev);
+ unsigned int i;
+ for (i = 0; i < ca->slot_count; i++) {
+ vfree(ca->slot_info[i].rx_buffer.data);
+ }
+ kfree(ca->slot_info);
+ kfree(ca);
+}
+
static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot, u8 * ebuf, int ecount);
static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, u8 * ebuf, int ecount);
@@ -1759,10 +1770,7 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
for (i = 0; i < ca->slot_count; i++) {
dvb_ca_en50221_slot_shutdown(ca, i);
- vfree(ca->slot_info[i].rx_buffer.data);
}
- kfree(ca->slot_info);
- dvb_unregister_device(ca->dvbdev);
- kfree(ca);
+ dvb_ca_private_free(ca);
pubca->private = NULL;
}
Fixes use-after-free bug which occurs when I disconnect my DVB-S
received while VDR is running.
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index e33364c..dfc686a 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -148,6 +148,9 @@ struct dvb_ca_private {
/* Flag indicating if the CA device is open */
unsigned int open:1;
+ /* Flag indicating if the CA device is released */
+ unsigned int released:1;
+
/* Flag indicating the thread should wake up now */
unsigned int wakeup:1;
@@ -1392,6 +1395,11 @@ static int dvb_ca_en50221_io_read_condition(struct dvb_ca_private *ca,
int found = 0;
u8 hdr[2];
+ if (ca->released) {
+ *result = -ENODEV;
+ return 1;
+ }
+
slot = ca->next_read_slot;
while ((slot_count < ca->slot_count) && (!found)) {
if (ca->slot_info[slot].slot_state != DVB_CA_SLOTSTATE_RUNNING)
@@ -1595,6 +1603,9 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
err = dvb_generic_release(inode, file);
+ if (ca->released)
+ dvb_ca_private_free(ca);
+
module_put(ca->pub->owner);
return err;
@@ -1701,6 +1712,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter,
}
init_waitqueue_head(&ca->wait_queue);
ca->open = 0;
+ ca->released = 0;
ca->wakeup = 0;
ca->next_read_slot = 0;
pubca->private = ca;
@@ -1765,12 +1777,21 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
dprintk("%s\n", __func__);
+ BUG_ON(ca->released);
+
/* shutdown the thread if there was one */
kthread_stop(ca->thread);
for (i = 0; i < ca->slot_count; i++) {
dvb_ca_en50221_slot_shutdown(ca, i);
}
- dvb_ca_private_free(ca);
+
+ if (ca->open) {
+ ca->released = 1;
+ mb();
+ wake_up_interruptible(&ca->wait_queue);
+ } else
+ dvb_ca_private_free(ca);
+
pubca->private = NULL;
}
Callbacks invoked from put_device() may free the struct media_devnode
pointer, so any cleanup needs to be done before put_device().
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/media-devnode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c
index 4d7e8dd..e263816 100644
--- a/drivers/media/media-devnode.c
+++ b/drivers/media/media-devnode.c
@@ -196,10 +196,11 @@ static int media_release(struct inode *inode, struct file *filp)
if (mdev->fops->release)
mdev->fops->release(filp);
+ filp->private_data = NULL;
+
/* decrease the refcount unconditionally since the release()
return value is ignored. */
put_device(&mdev->dev);
- filp->private_data = NULL;
return 0;
}
After media_devnode_unregister(), the struct media_device may be freed
already, and dereferencing it may crash.
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/media-device.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
index e9219f5..5c4669c 100644
--- a/drivers/media/media-device.c
+++ b/drivers/media/media-device.c
@@ -745,9 +745,8 @@ void media_device_unregister(struct media_device *mdev)
spin_unlock(&mdev->lock);
device_remove_file(&mdev->devnode.dev, &dev_attr_model);
+ dev_dbg(mdev->dev, "Media device unregistering\n");
media_devnode_unregister(&mdev->devnode);
-
- dev_dbg(mdev->dev, "Media device unregistered\n");
}
EXPORT_SYMBOL_GPL(media_device_unregister);
Fixes use-after-free bug which occurs when I disconnect my DVB-S
received while VDR is running.
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-dvb.c b/drivers/media/usb/dvb-usb/dvb-usb-dvb.c
index 9ddfcab..7859479 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-dvb.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-dvb.c
@@ -95,6 +95,12 @@ static int dvb_usb_stop_feed(struct dvb_demux_feed *dvbdmxfeed)
return dvb_usb_ctrl_feed(dvbdmxfeed, 0);
}
+static void dvb_usb_media_device_release(struct media_device *mdev)
+{
+ media_device_cleanup(mdev);
+ kfree(mdev);
+}
+
static int dvb_usb_media_device_init(struct dvb_usb_adapter *adap)
{
#ifdef CONFIG_MEDIA_CONTROLLER_DVB
@@ -113,6 +119,7 @@ static int dvb_usb_media_device_init(struct dvb_usb_adapter *adap)
strcpy(mdev->bus_info, udev->devpath);
mdev->hw_revision = le16_to_cpu(udev->descriptor.bcdDevice);
mdev->driver_version = LINUX_VERSION_CODE;
+ mdev->release = dvb_usb_media_device_release;
media_device_init(mdev);
@@ -138,10 +145,11 @@ static void dvb_usb_media_device_unregister(struct dvb_usb_adapter *adap)
if (!adap->dvb_adap.mdev)
return;
- media_device_unregister(adap->dvb_adap.mdev);
- media_device_cleanup(adap->dvb_adap.mdev);
- kfree(adap->dvb_adap.mdev);
+ struct media_device *mdev = adap->dvb_adap.mdev;
adap->dvb_adap.mdev = NULL;
+ media_device_unregister(mdev);
+ /* media_device_cleanup() and kfree() will be called by the
+ callback function dvb_usb_media_device_release() */
#endif
}
Allow the client to free its data structures only after all files have
been closed (fixing use-after-free bugs).
Signed-off-by: Max Kellermann <[email protected]>
---
drivers/media/media-device.c | 9 +++++++--
include/media/media-device.h | 2 ++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
index 5c4669c..a3901f9 100644
--- a/drivers/media/media-device.c
+++ b/drivers/media/media-device.c
@@ -551,9 +551,14 @@ static DEVICE_ATTR(model, S_IRUGO, show_model, NULL);
* Registration/unregistration
*/
-static void media_device_release(struct media_devnode *mdev)
+static void media_device_release(struct media_devnode *devnode)
{
- dev_dbg(mdev->parent, "Media device released\n");
+ struct media_device *mdev = to_media_device(devnode);
+
+ dev_dbg(devnode->parent, "Media device released\n");
+
+ if (mdev->release)
+ mdev->release(mdev);
}
/**
diff --git a/include/media/media-device.h b/include/media/media-device.h
index d385589..d184d0c 100644
--- a/include/media/media-device.h
+++ b/include/media/media-device.h
@@ -326,6 +326,8 @@ struct media_device {
int (*link_notify)(struct media_link *link, u32 flags,
unsigned int notification);
+
+ void (*release)(struct media_device *mdev);
};
#ifdef CONFIG_MEDIA_CONTROLLER
Hi Max,
[auto build test ERROR on v4.5-rc7]
[cannot apply to sailus-media/master linuxtv-media/master next-20160321]
[if your patch is applied to the wrong git tree, please drop us a note to help improving the system]
url: https://github.com/0day-ci/linux/commits/Max-Kellermann/drivers-media-dvb-core-en50221-move-code-to-dvb_ca_private_free/20160321-213556
config: x86_64-randconfig-x000-201612 (attached as .config)
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
drivers/media/usb/dvb-usb/dvb-usb-dvb.c: In function 'dvb_usb_media_device_release':
>> drivers/media/usb/dvb-usb/dvb-usb-dvb.c:100:2: error: implicit declaration of function 'media_device_cleanup' [-Werror=implicit-function-declaration]
media_device_cleanup(mdev);
^
drivers/media/usb/dvb-usb/dvb-usb-dvb.c: At top level:
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:98:13: warning: 'dvb_usb_media_device_release' defined but not used [-Wunused-function]
static void dvb_usb_media_device_release(struct media_device *mdev)
^
In file included from include/uapi/linux/stddef.h:1:0,
from include/linux/stddef.h:4,
from include/uapi/linux/posix_types.h:4,
from include/uapi/linux/types.h:13,
from include/linux/types.h:5,
from include/uapi/linux/sysinfo.h:4,
from include/uapi/linux/kernel.h:4,
from include/linux/cache.h:4,
from include/linux/time.h:4,
from include/linux/input.h:11,
from drivers/media/usb/dvb-usb/dvb-usb.h:13,
from drivers/media/usb/dvb-usb/dvb-usb-common.h:12,
from drivers/media/usb/dvb-usb/dvb-usb-dvb.c:9:
drivers/media/usb/dvb-usb/dvb-usb-dvb.c: In function 'dvb_usb_adapter_frontend_init':
include/linux/compiler.h:147:6: warning: 'ret' may be used uninitialized in this function [-Wmaybe-uninitialized]
if (__builtin_constant_p(!!(cond)) ? !!(cond) : \
^
drivers/media/usb/dvb-usb/dvb-usb-dvb.c:289:6: note: 'ret' was declared here
int ret, i;
^
cc1: some warnings being treated as errors
vim +/media_device_cleanup +100 drivers/media/usb/dvb-usb/dvb-usb-dvb.c
94 deb_ts("stop pid: 0x%04x, feedtype: %d\n", dvbdmxfeed->pid, dvbdmxfeed->type);
95 return dvb_usb_ctrl_feed(dvbdmxfeed, 0);
96 }
97
98 static void dvb_usb_media_device_release(struct media_device *mdev)
99 {
> 100 media_device_cleanup(mdev);
101 kfree(mdev);
102 }
103
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Hi Max,
[auto build test WARNING on v4.5-rc7]
[also build test WARNING on next-20160321]
[cannot apply to sailus-media/master linuxtv-media/master]
[if your patch is applied to the wrong git tree, please drop us a note to help improving the system]
url: https://github.com/0day-ci/linux/commits/Max-Kellermann/drivers-media-dvb-core-en50221-move-code-to-dvb_ca_private_free/20160321-213556
config: xtensa-allyesconfig (attached as .config)
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=xtensa
All warnings (new ones prefixed by >>):
drivers/media/dvb-core/dvb_ca_en50221.c: In function 'dvb_ca_private_free':
>> drivers/media/dvb-core/dvb_ca_en50221.c:167:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
unsigned int i;
^
vim +167 drivers/media/dvb-core/dvb_ca_en50221.c
151 /* Flag indicating the thread should wake up now */
152 unsigned int wakeup:1;
153
154 /* Delay the main thread should use */
155 unsigned long delay;
156
157 /* Slot to start looking for data to read from in the next user-space read operation */
158 int next_read_slot;
159
160 /* mutex serializing ioctls */
161 struct mutex ioctl_mutex;
162 };
163
164 static void dvb_ca_private_free(struct dvb_ca_private *ca)
165 {
166 dvb_unregister_device(ca->dvbdev);
> 167 unsigned int i;
168 for (i = 0; i < ca->slot_count; i++) {
169 vfree(ca->slot_info[i].rx_buffer.data);
170 }
171 kfree(ca->slot_info);
172 kfree(ca);
173 }
174
175 static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca);
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Hi Max,
[auto build test WARNING on v4.5-rc7]
[cannot apply to sailus-media/master linuxtv-media/master next-20160321]
[if your patch is applied to the wrong git tree, please drop us a note to help improving the system]
url: https://github.com/0day-ci/linux/commits/Max-Kellermann/drivers-media-dvb-core-en50221-move-code-to-dvb_ca_private_free/20160321-213556
config: xtensa-allyesconfig (attached as .config)
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=xtensa
All warnings (new ones prefixed by >>):
drivers/media/usb/dvb-usb/dvb-usb-dvb.c: In function 'dvb_usb_media_device_unregister':
>> drivers/media/usb/dvb-usb/dvb-usb-dvb.c:148:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
struct media_device *mdev = adap->dvb_adap.mdev;
^
vim +148 drivers/media/usb/dvb-usb/dvb-usb-dvb.c
132
133 static int dvb_usb_media_device_register(struct dvb_usb_adapter *adap)
134 {
135 #ifdef CONFIG_MEDIA_CONTROLLER_DVB
136 return media_device_register(adap->dvb_adap.mdev);
137 #else
138 return 0;
139 #endif
140 }
141
142 static void dvb_usb_media_device_unregister(struct dvb_usb_adapter *adap)
143 {
144 #ifdef CONFIG_MEDIA_CONTROLLER_DVB
145 if (!adap->dvb_adap.mdev)
146 return;
147
> 148 struct media_device *mdev = adap->dvb_adap.mdev;
149 adap->dvb_adap.mdev = NULL;
150 media_device_unregister(mdev);
151 /* media_device_cleanup() and kfree() will be called by the
152 callback function dvb_usb_media_device_release() */
153 #endif
154 }
155
156 int dvb_usb_adapter_dvb_init(struct dvb_usb_adapter *adap, short *adapter_nums)
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation