From: Daniel Scheller <d.scheller.oss@gmail.com>
To: linux-media@vger.kernel.org, mchehab@kernel.org,
mchehab@s-opensource.com
Cc: jasmin@anw.at, Matthias Schwarzott <zzam@gentoo.org>
Subject: [PATCH 2/5] [media] ddbridge: fix teardown/deregistration order in ddb_input_detach()
Date: Wed, 23 Aug 2017 18:09:59 +0200
Message-ID: <20170823161002.25459-3-d.scheller.oss@gmail.com>
In-Reply-To: <20170823161002.25459-1-d.scheller.oss@gmail.com>

From: Daniel Scheller <d.scheller@gmx.net>

Brought to attention by Matthias Schwarzott <zzam@gentoo.org> by fixing
possible use-after-free faults in some demod drivers:

In ddb_input_detach(), the i2c_client is unregistered and removed before
dvb frontends are unregistered and detached. While no use-after-free issue
was observed so far, there is another issue with this:

dvb->attached keeps track of the state of the input/output registration,
and the i2c_client unregistration takes place only if everything was
successful (dvb->attached == 0x31). If for some reason an error occurred
during the frontend setup, that value stays at 0x20. In the following
error handling and cleanup, ddb_input_detach() will skip down to that
state, leaving the i2c_client registered, causing refcount issues.

Fix this by moving the i2c_client deregistration down to case 0x20.

Cc: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
---
drivers/media/pci/ddbridge/ddbridge-core.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/media/pci/ddbridge/ddbridge-core.c b/drivers/media/pci/ddbridge/ddbridge-core.c
index 2464bde1c432..281b6739b0c1 100644
--- a/drivers/media/pci/ddbridge/ddbridge-core.c
+++ b/drivers/media/pci/ddbridge/ddbridge-core.c
@@ -1255,11 +1255,6 @@ static void dvb_input_detach(struct ddb_input *input)
switch (dvb->attached) {
case 0x31:
- client = dvb->i2c_client[0];
- if (client) {
- module_put(client->dev.driver->owner);
- i2c_unregister_device(client);
- }
if (dvb->fe2)
dvb_unregister_frontend(dvb->fe2);
if (dvb->fe)
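Review bot: The subject and changelog name ddb_input_detach(), but the hunk header shows the function being changed is dvb_input_detach(); please correct the name in the commit message so the log matches the code. With the i2c block removed from the top of case 0x31, a one-line comment there saying that the i2c client has to stay registered until the frontends are unregistered would make the ordering requirement explicit and harder to revert by accident.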
@@ -1273,6 +1268,12 @@ static void dvb_input_detach(struct ddb_input *input)
dvb->fe = dvb->fe2 = NULL;
/* fallthrough */
case 0x20:
+ client = dvb->i2c_client[0];
+ if (client) {
+ module_put(client->dev.driver->owner);
+ i2c_unregister_device(client);
+ }
+
dvb_net_release(&dvb->dvbnet);
/* fallthrough */
case 0x12:
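Review bot: In the block added under case 0x20, dvb->i2c_client[0] still points at the client after i2c_unregister_device(), while the context line just above resets dvb->fe and dvb->fe2 to NULL; consider adding `dvb->i2c_client[0] = NULL;` inside the if so a later pass through this function cannot pick up a stale pointer. Since this block is now reachable when attached stayed at 0x20 after a failed frontend setup, it is also worth confirming that i2c_client[0] is only ever non-NULL once the driver is bound and its module reference has been taken, because `client->dev.driver->owner` is dereferenced after checking only `client`.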
--
2.13.0