From: Sakari Ailus <sakari.ailus@linux.intel.com>
To: linux-media@vger.kernel.org, hverkuil@xs4all.nl
Cc: mchehab@osg.samsung.com, shuahkh@osg.samsung.com,
laurent.pinchart@ideasonboard.com
Subject: [RFC v4 02/21] Revert "[media] media: fix use-after-free in cdev_put() when app exits after driver unbind"
Date: Tue, 8 Nov 2016 15:55:11 +0200 [thread overview]
Message-ID: <1478613330-24691-2-git-send-email-sakari.ailus@linux.intel.com> (raw)
In-Reply-To: <1478613330-24691-1-git-send-email-sakari.ailus@linux.intel.com>
This reverts commit 5b28dde51d0c ("[media] media: fix use-after-free in
cdev_put() when app exits after driver unbind"). The commit was part of an
original patchset to avoid crashes when an unregistering device is in use.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
drivers/media/media-device.c | 6 ++----
drivers/media/media-devnode.c | 48 +++++++++++++++++--------------------------
2 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
index f2525eb..6f5ed09 100644
--- a/drivers/media/media-device.c
+++ b/drivers/media/media-device.c
@@ -721,16 +721,16 @@ int __must_check __media_device_register(struct media_device *mdev,
ret = media_devnode_register(mdev, devnode, owner);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
+ kfree(devnode);
return ret;
}
ret = device_create_file(&devnode->dev, &dev_attr_model);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
media_devnode_unregister(devnode);
+ kfree(devnode);
return ret;
}
@@ -810,8 +810,6 @@ void media_device_unregister(struct media_device *mdev)
if (media_devnode_is_registered(mdev->devnode)) {
device_remove_file(&mdev->devnode->dev, &dev_attr_model);
media_devnode_unregister(mdev->devnode);
- /* devnode free is handled in media_devnode_*() */
- mdev->devnode = NULL;
}
}
EXPORT_SYMBOL_GPL(media_device_unregister);
diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c
index 5b605ff..ecdc02d 100644
--- a/drivers/media/media-devnode.c
+++ b/drivers/media/media-devnode.c
@@ -63,8 +63,13 @@ static void media_devnode_release(struct device *cd)
struct media_devnode *devnode = to_media_devnode(cd);
mutex_lock(&media_devnode_lock);
+
+ /* Delete the cdev on this minor as well */
+ cdev_del(&devnode->cdev);
+
/* Mark device node number as free */
clear_bit(devnode->minor, media_devnode_nums);
+
mutex_unlock(&media_devnode_lock);
/* Release media_devnode and perform other cleanups as needed. */
@@ -72,7 +77,6 @@ static void media_devnode_release(struct device *cd)
devnode->release(devnode);
kfree(devnode);
- pr_debug("%s: Media Devnode Deallocated\n", __func__);
}
static struct bus_type media_bus_type = {
@@ -201,8 +205,6 @@ static int media_release(struct inode *inode, struct file *filp)
/* decrease the refcount unconditionally since the release()
return value is ignored. */
put_device(&devnode->dev);
-
- pr_debug("%s: Media Release\n", __func__);
return 0;
}
@@ -233,7 +235,6 @@ int __must_check media_devnode_register(struct media_device *mdev,
if (minor == MEDIA_NUM_DEVICES) {
mutex_unlock(&media_devnode_lock);
pr_err("could not get a free minor\n");
- kfree(devnode);
return -ENFILE;
}
@@ -243,31 +244,27 @@ int __must_check media_devnode_register(struct media_device *mdev,
devnode->minor = minor;
devnode->media_dev = mdev;
- /* Part 1: Initialize dev now to use dev.kobj for cdev.kobj.parent */
- devnode->dev.bus = &media_bus_type;
- devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
- devnode->dev.release = media_devnode_release;
- if (devnode->parent)
- devnode->dev.parent = devnode->parent;
- dev_set_name(&devnode->dev, "media%d", devnode->minor);
- device_initialize(&devnode->dev);
-
/* Part 2: Initialize and register the character device */
cdev_init(&devnode->cdev, &media_devnode_fops);
devnode->cdev.owner = owner;
- devnode->cdev.kobj.parent = &devnode->dev.kobj;
ret = cdev_add(&devnode->cdev, MKDEV(MAJOR(media_dev_t), devnode->minor), 1);
if (ret < 0) {
pr_err("%s: cdev_add failed\n", __func__);
- goto cdev_add_error;
+ goto error;
}
- /* Part 3: Add the media device */
- ret = device_add(&devnode->dev);
+ /* Part 3: Register the media device */
+ devnode->dev.bus = &media_bus_type;
+ devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
+ devnode->dev.release = media_devnode_release;
+ if (devnode->parent)
+ devnode->dev.parent = devnode->parent;
+ dev_set_name(&devnode->dev, "media%d", devnode->minor);
+ ret = device_register(&devnode->dev);
if (ret < 0) {
- pr_err("%s: device_add failed\n", __func__);
- goto device_add_error;
+ pr_err("%s: device_register failed\n", __func__);
+ goto error;
}
/* Part 4: Activate this minor. The char device can now be used. */
@@ -275,15 +272,12 @@ int __must_check media_devnode_register(struct media_device *mdev,
return 0;
-device_add_error:
- cdev_del(&devnode->cdev);
-cdev_add_error:
+error:
mutex_lock(&media_devnode_lock);
+ cdev_del(&devnode->cdev);
clear_bit(devnode->minor, media_devnode_nums);
- devnode->media_dev = NULL;
mutex_unlock(&media_devnode_lock);
- put_device(&devnode->dev);
return ret;
}
@@ -295,12 +289,8 @@ void media_devnode_unregister(struct media_devnode *devnode)
mutex_lock(&media_devnode_lock);
clear_bit(MEDIA_FLAG_REGISTERED, &devnode->flags);
- /* Delete the cdev on this minor as well */
- cdev_del(&devnode->cdev);
mutex_unlock(&media_devnode_lock);
- device_del(&devnode->dev);
- devnode->media_dev = NULL;
- put_device(&devnode->dev);
+ device_unregister(&devnode->dev);
}
/*
--
2.1.4
next prev parent reply other threads:[~2016-11-08 13:55 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-08 13:54 [RFC v4 00/21] Make use of kref in media device, grab references as needed Sakari Ailus
2016-11-08 13:55 ` [RFC v4 01/21] Revert "[media] media: fix media devnode ioctl/syscall and unregister race" Sakari Ailus
2016-11-08 13:55 ` Sakari Ailus [this message]
2016-11-08 13:55 ` [RFC v4 03/21] Revert "[media] media-device: dynamically allocate struct media_devnode" Sakari Ailus
2016-11-08 13:55 ` [RFC v4 04/21] media: Remove useless curly braces and parentheses Sakari Ailus
2016-11-22 9:59 ` Laurent Pinchart
2016-11-08 13:55 ` [RFC v4 05/21] media: devnode: Rename mdev argument as devnode Sakari Ailus
2016-11-22 10:00 ` Laurent Pinchart
2016-11-08 13:55 ` [RFC v4 06/21] media device: Drop nop release callback Sakari Ailus
2016-11-22 10:01 ` Laurent Pinchart
2016-11-08 13:55 ` [RFC v4 07/21] media-device: Make devnode.dev->kobj parent of devnode.cdev Sakari Ailus
2016-11-08 13:55 ` [RFC v4 08/21] media: Enable allocating the media device dynamically Sakari Ailus
2016-11-08 19:20 ` Shuah Khan
2016-11-10 23:53 ` Laurent Pinchart
2016-11-11 0:00 ` Shuah Khan
2016-11-11 0:11 ` Laurent Pinchart
2016-11-11 0:16 ` Shuah Khan
2016-11-11 0:19 ` Laurent Pinchart
2016-11-11 0:35 ` Shuah Khan
2016-11-14 13:40 ` Sakari Ailus
2016-11-15 0:13 ` Shuah Khan
2016-11-08 13:55 ` [RFC v4 09/21] media: Split initialising and adding media devnode Sakari Ailus
2016-11-08 13:55 ` [RFC v4 10/21] media: Shuffle functions around Sakari Ailus
2016-11-08 13:55 ` [RFC v4 11/21] media device: Refcount the media device Sakari Ailus
2016-11-08 13:55 ` [RFC v4 12/21] media device: Initialise media devnode in media_device_init() Sakari Ailus
2016-11-08 13:55 ` [RFC v4 13/21] media device: Deprecate media_device_{init,cleanup}() for drivers Sakari Ailus
2016-11-08 13:55 ` [RFC v4 14/21] media device: Get the media device driver's device Sakari Ailus
2016-11-22 9:46 ` Hans Verkuil
2016-11-22 9:58 ` Laurent Pinchart
2016-11-22 10:58 ` Hans Verkuil
2016-11-22 22:16 ` Laurent Pinchart
2016-11-08 13:55 ` [RFC v4 15/21] media: Provide a way to the driver to set a private pointer Sakari Ailus
2016-11-08 13:55 ` [RFC v4 16/21] media: Add release callback for media device Sakari Ailus
2016-11-08 13:55 ` [RFC v4 17/21] v4l: Acquire a reference to the media device for every video device Sakari Ailus
2016-11-08 13:55 ` [RFC v4 18/21] media-device: Postpone graph object removal until free Sakari Ailus
2016-11-08 13:55 ` [RFC v4 19/21] omap3isp: Allocate the media device dynamically Sakari Ailus
2016-11-22 10:05 ` Hans Verkuil
2016-12-02 14:52 ` Sakari Ailus
2016-11-08 13:55 ` [RFC v4 20/21] omap3isp: Release the isp device struct by media device callback Sakari Ailus
2016-11-08 13:55 ` [RFC v4 21/21] omap3isp: Don't rely on devm for memory resource management Sakari Ailus
2016-11-08 17:00 ` [RFC v4 01/21] Revert "[media] media: fix media devnode ioctl/syscall and unregister race" Mauro Carvalho Chehab
2016-11-10 23:49 ` Laurent Pinchart
2016-11-22 10:01 ` Laurent Pinchart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1478613330-24691-2-git-send-email-sakari.ailus@linux.intel.com \
--to=sakari.ailus@linux.intel.com \
--cc=hverkuil@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@osg.samsung.com \
--cc=shuahkh@osg.samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).