From: Sakari Ailus <sakari.ailus@linux.intel.com>
To: linux-media@vger.kernel.org
Cc: laurent.pinchart@ideasonboard.com, hverkuil@xs4all.nl
Subject: [PATCH 03/26] Revert "[media] media: fix use-after-free in cdev_put() when app exits after driver unbind"
Date: Wed, 1 Feb 2023 23:45:12 +0200 [thread overview]
Message-ID: <20230201214535.347075-4-sakari.ailus@linux.intel.com> (raw)
In-Reply-To: <20230201214535.347075-1-sakari.ailus@linux.intel.com>
This reverts commit 5b28dde51d0c ("[media] media: fix use-after-free in
cdev_put() when app exits after driver unbind"). The commit was part of an
original patchset to avoid crashes when an unregistering device is in use.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
---
drivers/media/mc/mc-device.c | 6 ++---
drivers/media/mc/mc-devnode.c | 48 ++++++++++++++---------------------
2 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/drivers/media/mc/mc-device.c b/drivers/media/mc/mc-device.c
index 013d54e1a55a..b6640e2c8a4c 100644
--- a/drivers/media/mc/mc-device.c
+++ b/drivers/media/mc/mc-device.c
@@ -736,16 +736,16 @@ int __must_check __media_device_register(struct media_device *mdev,
ret = media_devnode_register(mdev, devnode, owner);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
+ kfree(devnode);
return ret;
}
ret = device_create_file(&devnode->dev, &dev_attr_model);
if (ret < 0) {
- /* devnode free is handled in media_devnode_*() */
mdev->devnode = NULL;
media_devnode_unregister(devnode);
+ kfree(devnode);
return ret;
}
@@ -829,8 +829,6 @@ void media_device_unregister(struct media_device *mdev)
if (media_devnode_is_registered(mdev->devnode)) {
device_remove_file(&mdev->devnode->dev, &dev_attr_model);
media_devnode_unregister(mdev->devnode);
- /* devnode free is handled in media_devnode_*() */
- mdev->devnode = NULL;
}
}
EXPORT_SYMBOL_GPL(media_device_unregister);
diff --git a/drivers/media/mc/mc-devnode.c b/drivers/media/mc/mc-devnode.c
index 740573552e5d..1e1792c3ae3f 100644
--- a/drivers/media/mc/mc-devnode.c
+++ b/drivers/media/mc/mc-devnode.c
@@ -51,8 +51,13 @@ static void media_devnode_release(struct device *cd)
struct media_devnode *devnode = to_media_devnode(cd);
mutex_lock(&media_devnode_lock);
+
+ /* Delete the cdev on this minor as well */
+ cdev_del(&devnode->cdev);
+
/* Mark device node number as free */
clear_bit(devnode->minor, media_devnode_nums);
+
mutex_unlock(&media_devnode_lock);
/* Release media_devnode and perform other cleanups as needed. */
@@ -60,7 +65,6 @@ static void media_devnode_release(struct device *cd)
devnode->release(devnode);
kfree(devnode);
- pr_debug("%s: Media Devnode Deallocated\n", __func__);
}
static struct bus_type media_bus_type = {
@@ -189,8 +193,6 @@ static int media_release(struct inode *inode, struct file *filp)
/* decrease the refcount unconditionally since the release()
return value is ignored. */
put_device(&devnode->dev);
-
- pr_debug("%s: Media Release\n", __func__);
return 0;
}
@@ -221,7 +223,6 @@ int __must_check media_devnode_register(struct media_device *mdev,
if (minor == MEDIA_NUM_DEVICES) {
mutex_unlock(&media_devnode_lock);
pr_err("could not get a free minor\n");
- kfree(devnode);
return -ENFILE;
}
@@ -231,33 +232,29 @@ int __must_check media_devnode_register(struct media_device *mdev,
devnode->minor = minor;
devnode->media_dev = mdev;
- /* Part 1: Initialize dev now to use dev.kobj for cdev.kobj.parent */
- devnode->dev.bus = &media_bus_type;
- devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
- devnode->dev.release = media_devnode_release;
- if (devnode->parent)
- devnode->dev.parent = devnode->parent;
- dev_set_name(&devnode->dev, "media%d", devnode->minor);
- device_initialize(&devnode->dev);
-
/* Part 2: Initialize and register the character device */
cdev_init(&devnode->cdev, &media_devnode_fops);
devnode->cdev.owner = owner;
- devnode->cdev.kobj.parent = &devnode->dev.kobj;
kobject_set_name(&devnode->cdev.kobj, "media%d", devnode->minor);
ret = cdev_add(&devnode->cdev, MKDEV(MAJOR(media_dev_t),
devnode->minor), 1);
if (ret < 0) {
pr_err("%s: cdev_add failed\n", __func__);
- goto cdev_add_error;
+ goto error;
}
- /* Part 3: Add the media device */
- ret = device_add(&devnode->dev);
+ /* Part 3: Register the media device */
+ devnode->dev.bus = &media_bus_type;
+ devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
+ devnode->dev.release = media_devnode_release;
+ if (devnode->parent)
+ devnode->dev.parent = devnode->parent;
+ dev_set_name(&devnode->dev, "media%d", devnode->minor);
+ ret = device_register(&devnode->dev);
if (ret < 0) {
- pr_err("%s: device_add failed\n", __func__);
- goto device_add_error;
+ pr_err("%s: device_register failed\n", __func__);
+ goto error;
}
/* Part 4: Activate this minor. The char device can now be used. */
@@ -265,15 +262,12 @@ int __must_check media_devnode_register(struct media_device *mdev,
return 0;
-device_add_error:
- cdev_del(&devnode->cdev);
-cdev_add_error:
+error:
mutex_lock(&media_devnode_lock);
+ cdev_del(&devnode->cdev);
clear_bit(devnode->minor, media_devnode_nums);
- devnode->media_dev = NULL;
mutex_unlock(&media_devnode_lock);
- put_device(&devnode->dev);
return ret;
}
@@ -285,13 +279,9 @@ void media_devnode_unregister(struct media_devnode *devnode)
mutex_lock(&media_devnode_lock);
clear_bit(MEDIA_FLAG_REGISTERED, &devnode->flags);
- /* Delete the cdev on this minor as well */
- cdev_del(&devnode->cdev);
- devnode->media_dev = NULL;
mutex_unlock(&media_devnode_lock);
- device_del(&devnode->dev);
- put_device(&devnode->dev);
+ device_unregister(&devnode->dev);
}
/*
--
2.30.2
next prev parent reply other threads:[~2023-02-01 21:45 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-01 21:45 [PATCH 00/26] Media device lifetime management Sakari Ailus
2023-02-01 21:45 ` [PATCH 01/26] Revert "[media] media: fix media devnode ioctl/syscall and unregister race" Sakari Ailus
2023-02-01 21:45 ` [PATCH 02/26] Revert "media: utilize new cdev_device_add helper function" Sakari Ailus
2023-02-01 21:45 ` Sakari Ailus [this message]
2023-02-01 21:45 ` [PATCH 04/26] media: utilize new cdev_device_add helper function Sakari Ailus
2023-02-01 21:45 ` [PATCH 05/26] Revert "media: uvcvideo: Refactor teardown of uvc on USB disconnect" Sakari Ailus
2023-02-01 21:45 ` [PATCH 06/26] Revert "[media] media-device: dynamically allocate struct media_devnode" Sakari Ailus
2023-02-01 21:45 ` [PATCH 07/26] media: uvcvideo: Refactor teardown of uvc on USB disconnect Sakari Ailus
2023-02-01 21:45 ` [PATCH 08/26] media device: Drop nop release callback Sakari Ailus
2023-02-01 21:45 ` [PATCH 09/26] media: Do not call cdev_device_del() if cdev_device_add() fails Sakari Ailus
2023-02-01 21:45 ` [PATCH 10/26] media-device: Delete character device early Sakari Ailus
2023-02-01 21:45 ` [PATCH 11/26] media: Split initialising and adding media devnode Sakari Ailus
2023-02-01 21:45 ` [PATCH 12/26] media: Shuffle functions around Sakari Ailus
2023-02-01 21:45 ` [PATCH 13/26] media device: Initialise media devnode in media_device_init() Sakari Ailus
2023-02-01 21:45 ` [PATCH 14/26] media device: Refcount the media device Sakari Ailus
2023-02-01 21:45 ` [PATCH 15/26] v4l: Acquire a reference to the media device for every video device Sakari Ailus
2023-02-01 21:45 ` [PATCH 16/26] media-device: Postpone graph object removal until free Sakari Ailus
2023-02-01 21:45 ` [PATCH 17/26] omap3isp: Release the isp device struct by media device callback Sakari Ailus
2023-02-01 21:45 ` [PATCH 18/26] omap3isp: Don't use devm_request_irq() Sakari Ailus
2023-02-01 21:45 ` [PATCH 19/26] media: Add nop implementations of media_device_{init,cleanup} Sakari Ailus
2023-02-01 21:45 ` [PATCH 20/26] media: ipu3-cio2: Call v4l2_device_unregister() earlier Sakari Ailus
2023-02-01 21:45 ` [PATCH 21/26] media: ipu3-cio2: Don't use devm_request_irq() Sakari Ailus
2023-03-03 8:21 ` Hans Verkuil
2023-03-03 10:58 ` Sakari Ailus
2023-04-12 16:45 ` Sakari Ailus
2023-02-01 21:45 ` [PATCH 22/26] media: ipu3-cio2: Release the cio2 device context by media device callback Sakari Ailus
2023-02-01 21:45 ` [PATCH 23/26] media: Add per-file-handle data support Sakari Ailus
2023-02-01 21:45 ` [PATCH 24/26] media: Maintain a list of open file handles in a media device Sakari Ailus
2023-02-01 21:45 ` [PATCH 25/26] media: Implement best effort media device removal safety sans refcounting Sakari Ailus
2023-03-03 8:39 ` Hans Verkuil
2023-03-03 8:54 ` Hans Verkuil
2023-03-03 11:08 ` Sakari Ailus
2023-03-13 13:46 ` Hans Verkuil
2023-03-13 14:02 ` Sakari Ailus
2023-03-13 14:39 ` Hans Verkuil
2023-03-13 16:53 ` Sakari Ailus
2023-03-14 8:30 ` Hans Verkuil
2023-03-14 8:43 ` Sakari Ailus
2023-03-14 8:58 ` Hans Verkuil
2023-03-14 10:59 ` Sakari Ailus
2023-03-31 10:53 ` Hans Verkuil
2023-03-31 11:54 ` Sakari Ailus
2023-03-03 11:06 ` Sakari Ailus
2023-02-01 21:45 ` [PATCH 26/26] media: Document how Media device resources are released Sakari Ailus
2023-03-03 9:07 ` [PATCH 00/26] Media device lifetime management Hans Verkuil
2023-03-03 11:23 ` Sakari Ailus
2023-03-03 11:27 ` Hans Verkuil
2023-03-03 16:54 ` Sakari Ailus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230201214535.347075-4-sakari.ailus@linux.intel.com \
--to=sakari.ailus@linux.intel.com \
--cc=hverkuil@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-media@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).