From: Sakari Ailus <sakari.ailus@linux.intel.com>
To: linux-media@vger.kernel.org, hverkuil@xs4all.nl
Cc: mchehab@osg.samsung.com, shuahkh@osg.samsung.com,
laurent.pinchart@ideasonboard.com
Subject: [RFC v3 02/21] Revert "[media] media: fix use-after-free in cdev_put() when app exits after driver unbind"
Date: Sat, 27 Aug 2016 02:43:10 +0300 [thread overview]
Message-ID: <1472255009-28719-3-git-send-email-sakari.ailus@linux.intel.com> (raw)
In-Reply-To: <1472255009-28719-1-git-send-email-sakari.ailus@linux.intel.com>
This reverts commit 5b28dde51d0c ("[media] media: fix use-after-free in
cdev_put() when app exits after driver unbind"). The commit was part of an
original patchset to avoid crashes when an unregistering device is in use.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
drivers/media/media-device.c | 6 ++----
drivers/media/media-devnode.c | 48 +++++++++++++++++--------------------------
2 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
index 33a9952..e61fa66 100644
--- a/drivers/media/media-device.c
+++ b/drivers/media/media-device.c
@@ -723,16 +723,16 @@ int __must_check __media_device_register(struct media_device *mdev,
ret = media_devnode_register(mdev, devnode, owner);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
+ kfree(devnode);
return ret;
}
ret = device_create_file(&devnode->dev, &dev_attr_model);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
media_devnode_unregister(devnode);
+ kfree(devnode);
return ret;
}
@@ -812,8 +812,6 @@ void media_device_unregister(struct media_device *mdev)
if (media_devnode_is_registered(mdev->devnode)) {
device_remove_file(&mdev->devnode->dev, &dev_attr_model);
media_devnode_unregister(mdev->devnode);
- /* devnode free is handled in media_devnode_*() */
- mdev->devnode = NULL;
}
}
EXPORT_SYMBOL_GPL(media_device_unregister);
diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c
index 5b605ff..ecdc02d 100644
--- a/drivers/media/media-devnode.c
+++ b/drivers/media/media-devnode.c
@@ -63,8 +63,13 @@ static void media_devnode_release(struct device *cd)
struct media_devnode *devnode = to_media_devnode(cd);
mutex_lock(&media_devnode_lock);
+
+ /* Delete the cdev on this minor as well */
+ cdev_del(&devnode->cdev);
+
/* Mark device node number as free */
clear_bit(devnode->minor, media_devnode_nums);
+
mutex_unlock(&media_devnode_lock);
/* Release media_devnode and perform other cleanups as needed. */
@@ -72,7 +77,6 @@ static void media_devnode_release(struct device *cd)
devnode->release(devnode);
kfree(devnode);
- pr_debug("%s: Media Devnode Deallocated\n", __func__);
}
static struct bus_type media_bus_type = {
@@ -201,8 +205,6 @@ static int media_release(struct inode *inode, struct file *filp)
/* decrease the refcount unconditionally since the release()
return value is ignored. */
put_device(&devnode->dev);
-
- pr_debug("%s: Media Release\n", __func__);
return 0;
}
@@ -233,7 +235,6 @@ int __must_check media_devnode_register(struct media_device *mdev,
if (minor == MEDIA_NUM_DEVICES) {
mutex_unlock(&media_devnode_lock);
pr_err("could not get a free minor\n");
- kfree(devnode);
return -ENFILE;
}
@@ -243,31 +244,27 @@ int __must_check media_devnode_register(struct media_device *mdev,
devnode->minor = minor;
devnode->media_dev = mdev;
- /* Part 1: Initialize dev now to use dev.kobj for cdev.kobj.parent */
- devnode->dev.bus = &media_bus_type;
- devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
- devnode->dev.release = media_devnode_release;
- if (devnode->parent)
- devnode->dev.parent = devnode->parent;
- dev_set_name(&devnode->dev, "media%d", devnode->minor);
- device_initialize(&devnode->dev);
-
/* Part 2: Initialize and register the character device */
cdev_init(&devnode->cdev, &media_devnode_fops);
devnode->cdev.owner = owner;
- devnode->cdev.kobj.parent = &devnode->dev.kobj;
ret = cdev_add(&devnode->cdev, MKDEV(MAJOR(media_dev_t), devnode->minor), 1);
if (ret < 0) {
pr_err("%s: cdev_add failed\n", __func__);
- goto cdev_add_error;
+ goto error;
}
- /* Part 3: Add the media device */
- ret = device_add(&devnode->dev);
+ /* Part 3: Register the media device */
+ devnode->dev.bus = &media_bus_type;
+ devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
+ devnode->dev.release = media_devnode_release;
+ if (devnode->parent)
+ devnode->dev.parent = devnode->parent;
+ dev_set_name(&devnode->dev, "media%d", devnode->minor);
+ ret = device_register(&devnode->dev);
if (ret < 0) {
- pr_err("%s: device_add failed\n", __func__);
- goto device_add_error;
+ pr_err("%s: device_register failed\n", __func__);
+ goto error;
}
/* Part 4: Activate this minor. The char device can now be used. */
@@ -275,15 +272,12 @@ int __must_check media_devnode_register(struct media_device *mdev,
return 0;
-device_add_error:
- cdev_del(&devnode->cdev);
-cdev_add_error:
+error:
mutex_lock(&media_devnode_lock);
+ cdev_del(&devnode->cdev);
clear_bit(devnode->minor, media_devnode_nums);
- devnode->media_dev = NULL;
mutex_unlock(&media_devnode_lock);
- put_device(&devnode->dev);
return ret;
}
@@ -295,12 +289,8 @@ void media_devnode_unregister(struct media_devnode *devnode)
mutex_lock(&media_devnode_lock);
clear_bit(MEDIA_FLAG_REGISTERED, &devnode->flags);
- /* Delete the cdev on this minor as well */
- cdev_del(&devnode->cdev);
mutex_unlock(&media_devnode_lock);
- device_del(&devnode->dev);
- devnode->media_dev = NULL;
- put_device(&devnode->dev);
+ device_unregister(&devnode->dev);
}
/*
--
2.1.4
next prev parent reply other threads:[~2016-08-26 23:44 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 23:43 [RFC v3 00/21] Make use of kref in media device, grab references as needed Sakari Ailus
2016-08-26 23:43 ` [RFC v3 01/21] Revert "[media] media: fix media devnode ioctl/syscall and unregister race" Sakari Ailus
2016-08-26 23:43 ` Sakari Ailus [this message]
2016-08-26 23:43 ` [RFC v3 03/21] Revert "[media] media-device: dynamically allocate struct media_devnode" Sakari Ailus
2016-08-26 23:43 ` [RFC v3 04/21] media: Remove useless curly braces and parentheses Sakari Ailus
2016-08-26 23:43 ` [RFC v3 05/21] media: devnode: Rename mdev argument as devnode Sakari Ailus
2016-08-26 23:43 ` [RFC v3 06/21] media device: Drop nop release callback Sakari Ailus
2016-08-26 23:43 ` [RFC v3 07/21] media-device: Make devnode.dev->kobj parent of devnode.cdev Sakari Ailus
2016-08-26 23:43 ` [RFC v3 08/21] media: Enable allocating the media device dynamically Sakari Ailus
2016-08-26 23:43 ` [RFC v3 09/21] media: Split initialising and adding media devnode Sakari Ailus
2016-08-26 23:43 ` [RFC v3 10/21] media: Shuffle functions around Sakari Ailus
2016-08-26 23:43 ` [RFC v3 11/21] media device: Refcount the media device Sakari Ailus
2016-08-26 23:43 ` [RFC v3 12/21] media device: Initialise media devnode in media_device_init() Sakari Ailus
2016-08-26 23:43 ` [RFC v3 13/21] media device: Deprecate media_device_{init,cleanup}() for drivers Sakari Ailus
2016-08-26 23:43 ` [RFC v3 14/21] media device: Get the media device driver's device Sakari Ailus
2016-08-26 23:43 ` [RFC v3 15/21] media: Provide a way to the driver to set a private pointer Sakari Ailus
2016-08-26 23:43 ` [RFC v3 16/21] media: Add release callback for media device Sakari Ailus
2016-08-26 23:43 ` [RFC v3 17/21] v4l: Acquire a reference to the media device for every video device Sakari Ailus
2016-08-26 23:43 ` [RFC v3 18/21] media-device: Postpone graph object removal until free Sakari Ailus
2016-08-26 23:43 ` [RFC v3 19/21] omap3isp: Allocate the media device dynamically Sakari Ailus
2016-08-26 23:43 ` [RFC v3 20/21] omap3isp: Release the isp device struct by media device callback Sakari Ailus
2016-08-26 23:43 ` [RFC v3 21/21] omap3isp: Don't rely on devm for memory resource management Sakari Ailus
2016-12-15 11:23 ` Laurent Pinchart
2016-12-15 11:39 ` Sakari Ailus
2016-12-15 11:42 ` Laurent Pinchart
2016-12-15 11:45 ` Sakari Ailus
2016-12-15 11:57 ` Laurent Pinchart
2016-12-15 19:17 ` Shuah Khan
2016-12-16 13:32 ` Sakari Ailus
2016-12-16 14:39 ` Shuah Khan
2016-11-07 20:16 ` [RFC v3 00/21] Make use of kref in media device, grab references as needed Shuah Khan
2016-11-08 8:19 ` Sakari Ailus
2016-11-09 16:49 ` Shuah Khan
2016-11-09 17:00 ` Shuah Khan
2016-11-09 17:46 ` Mauro Carvalho Chehab
2016-11-14 13:27 ` Sakari Ailus
2016-11-22 17:44 ` Mauro Carvalho Chehab
2016-11-22 18:13 ` Hans Verkuil
2016-11-22 18:41 ` Shuah Khan
2016-11-22 22:56 ` Shuah Khan
2016-11-28 10:45 ` Sakari Ailus
2016-11-29 11:13 ` Mauro Carvalho Chehab
2016-12-13 10:53 ` Sakari Ailus
2016-12-13 12:24 ` Mauro Carvalho Chehab
2016-12-13 22:23 ` Shuah Khan
2016-12-15 10:39 ` Laurent Pinchart
2016-12-15 14:56 ` Shuah Khan
2016-12-16 16:58 ` Laurent Pinchart
2016-12-15 11:30 ` Sakari Ailus
2016-12-15 12:56 ` Laurent Pinchart
2016-12-15 14:03 ` Hans Verkuil
2016-12-15 14:32 ` Mauro Carvalho Chehab
2016-12-15 14:45 ` Hans Verkuil
2016-12-15 15:45 ` Mauro Carvalho Chehab
2016-12-15 16:07 ` Hans Verkuil
2016-12-16 16:47 ` Laurent Pinchart
2016-12-16 16:43 ` Laurent Pinchart
2016-12-15 14:45 ` Shuah Khan
2016-12-15 15:26 ` Hans Verkuil
2016-12-15 16:06 ` Shuah Khan
2016-12-15 16:28 ` Hans Verkuil
2016-12-15 17:09 ` Shuah Khan
2016-12-15 17:25 ` Mauro Carvalho Chehab
2016-12-15 17:51 ` Shuah Khan
2016-12-16 10:11 ` Hans Verkuil
2016-12-16 10:57 ` Mauro Carvalho Chehab
2016-12-16 11:27 ` Hans Verkuil
2016-12-16 12:00 ` Mauro Carvalho Chehab
2016-12-16 14:45 ` Hans Verkuil
2016-12-19 9:28 ` Media summit in Feb? - Was: " Mauro Carvalho Chehab
2016-12-21 1:31 ` Mauro Carvalho Chehab
2016-12-21 14:27 ` Shuah Khan
2016-12-22 17:47 ` Laurent Pinchart
2016-12-22 20:43 ` Mauro Carvalho Chehab
2016-12-16 10:03 ` Hans Verkuil
2016-12-16 10:12 ` Mauro Carvalho Chehab
2016-12-23 18:13 ` Laurent Pinchart
2016-12-15 17:08 ` Mauro Carvalho Chehab
2016-12-23 17:55 ` Laurent Pinchart
2016-12-23 17:48 ` Laurent Pinchart
2016-12-23 17:27 ` Laurent Pinchart
2016-12-16 15:07 ` Sakari Ailus
2016-12-16 16:34 ` Laurent Pinchart
2016-12-19 9:46 ` Mauro Carvalho Chehab
2017-01-02 7:53 ` Sakari Ailus
2017-01-24 10:49 ` Mauro Carvalho Chehab
2017-01-25 11:02 ` Sakari Ailus
2017-01-26 9:10 ` Mauro Carvalho Chehab
2017-05-30 23:41 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1472255009-28719-3-git-send-email-sakari.ailus@linux.intel.com \
--to=sakari.ailus@linux.intel.com \
--cc=hverkuil@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@osg.samsung.com \
--cc=shuahkh@osg.samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).