From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
To: Shuah Khan <shuahkh@osg.samsung.com>
Cc: tiwai@suse.de, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: fix media_device_unregister() to destroy media device device resource
Date: Fri, 18 Mar 2016 06:52:31 -0300 [thread overview]
Message-ID: <20160318065231.67f2cd8b@recife.lan> (raw)
In-Reply-To: <1458254796-7727-1-git-send-email-shuahkh@osg.samsung.com>
Em Thu, 17 Mar 2016 16:46:36 -0600
Shuah Khan <shuahkh@osg.samsung.com> escreveu:
> When all drivers except usb-core driver is unbound, destroy the media device
> resource. Other wise, media device resource will persist in a defunct state.
> This leads to use-after-free and bad access errors during a subsequent bind.
> Fix it to destroy the media device resource when last reference is released
> in media_device_unregister().
>
> Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
> ---
> drivers/media/media-device.c | 28 ++++++++++++++++++++++------
> 1 file changed, 22 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
> index 070421e..7312612 100644
> --- a/drivers/media/media-device.c
> +++ b/drivers/media/media-device.c
> @@ -822,22 +822,38 @@ printk("%s: mdev=%p\n", __func__, mdev);
> dev_dbg(mdev->dev, "Media device unregistered\n");
> }
>
> +static void media_device_release_devres(struct device *dev, void *res)
> +{
> +}
> +
> +static void media_device_destroy_devres(struct device *dev)
> +{
> + int ret;
> +
> + ret = devres_destroy(dev, media_device_release_devres, NULL, NULL);
> + pr_debug("%s: devres_destroy() returned %d\n", __func__, ret);
> +}
> +
> void media_device_unregister(struct media_device *mdev)
> {
> + int ret;
> + struct device *dev;
> printk("%s: mdev=%p\n", __func__, mdev);
> if (mdev == NULL)
> return;
>
> - mutex_lock(&mdev->graph_mutex);
> - kref_put(&mdev->kref, do_media_device_unregister);
> - mutex_unlock(&mdev->graph_mutex);
> + ret = kref_put_mutex(&mdev->kref, do_media_device_unregister,
> + &mdev->graph_mutex);
> + if (ret) {
> + /* do_media_device_unregister() has run */
> + dev = mdev->dev;
> + mutex_unlock(&mdev->graph_mutex);
> + media_device_destroy_devres(dev);
This doesn't seem right: what happens on drivers that don't use
devres to allocate struct media_device?
> + }
>
> }
> EXPORT_SYMBOL_GPL(media_device_unregister);
>
> -static void media_device_release_devres(struct device *dev, void *res)
> -{
> -}
>
> struct media_device *media_device_get_devres(struct device *dev)
> {
--
Thanks,
Mauro
next prev parent reply other threads:[~2016-03-18 9:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-17 22:46 [PATCH] media: fix media_device_unregister() to destroy media device device resource Shuah Khan
2016-03-18 9:52 ` Mauro Carvalho Chehab [this message]
2016-03-18 13:36 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160318065231.67f2cd8b@recife.lan \
--to=mchehab@osg.samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=shuahkh@osg.samsung.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.