[PATCH] Fix the risk of an oops at dvb_dmx

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Fix the risk of an oops at dvb_dmx_release
@ 2010-02-01 13:35 Mauro Carvalho Chehab
  2010-02-01 15:00 ` Chicken Shack
  2010-02-05  2:46 ` Andy Walls
  0 siblings, 2 replies; 3+ messages in thread
From: Mauro Carvalho Chehab @ 2010-02-01 13:35 UTC (permalink / raw)
  To: Linux Media Mailing List

dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed.

If the second vmalloc fails, filter is freed, but the pointer keeps pointing
to the old place. Later, when dvb_dmx_release() is called, it will try to
free an already freed memory, causing an OOPS.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/dvb/dvb-core/dvb_demux.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/media/dvb/dvb-core/dvb_demux.c b/drivers/media/dvb/dvb-core/dvb_demux.c
index b78cfb7..a78408e 100644
--- a/drivers/media/dvb/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb/dvb-core/dvb_demux.c
@@ -1246,6 +1246,7 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
 	dvbdemux->feed = vmalloc(dvbdemux->feednum * sizeof(struct dvb_demux_feed));
 	if (!dvbdemux->feed) {
 		vfree(dvbdemux->filter);
+		dvbdemux->filter = NULL;
 		return -ENOMEM;
 	}
 	for (i = 0; i < dvbdemux->filternum; i++) {
-- 
1.6.6.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] Fix the risk of an oops at dvb_dmx_release
  2010-02-01 13:35 [PATCH] Fix the risk of an oops at dvb_dmx_release Mauro Carvalho Chehab
@ 2010-02-01 15:00 ` Chicken Shack
  2010-02-05  2:46 ` Andy Walls
  1 sibling, 0 replies; 3+ messages in thread
From: Chicken Shack @ 2010-02-01 15:00 UTC (permalink / raw)
  To: Mauro Carvalho Chehab; +Cc: Linux Media Mailing List

Am Montag, den 01.02.2010, 11:35 -0200 schrieb Mauro Carvalho Chehab:
> dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed.
> 
> If the second vmalloc fails, filter is freed, but the pointer keeps pointing
> to the old place. Later, when dvb_dmx_release() is called, it will try to
> free an already freed memory, causing an OOPS.
> 
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
> ---
>  drivers/media/dvb/dvb-core/dvb_demux.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/media/dvb/dvb-core/dvb_demux.c b/drivers/media/dvb/dvb-core/dvb_demux.c
> index b78cfb7..a78408e 100644
> --- a/drivers/media/dvb/dvb-core/dvb_demux.c
> +++ b/drivers/media/dvb/dvb-core/dvb_demux.c
> @@ -1246,6 +1246,7 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
>  	dvbdemux->feed = vmalloc(dvbdemux->feednum * sizeof(struct dvb_demux_feed));
>  	if (!dvbdemux->feed) {
>  		vfree(dvbdemux->filter);
> +		dvbdemux->filter = NULL;
>  		return -ENOMEM;
>  	}
>  	for (i = 0; i < dvbdemux->filternum; i++) {

Hi Mauro,

I tested this one.
It does not help the problem with alevt-dvb described by me, but the
horrible crash behaviour where nothing goes without hard reset after the
second start of alevt-dvb is gone. One step - well done!

Can you explain in some words what specific problems the other patch
resolves?

Thanks

CS



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] Fix the risk of an oops at dvb_dmx_release
  2010-02-01 13:35 [PATCH] Fix the risk of an oops at dvb_dmx_release Mauro Carvalho Chehab
  2010-02-01 15:00 ` Chicken Shack
@ 2010-02-05  2:46 ` Andy Walls
  1 sibling, 0 replies; 3+ messages in thread
From: Andy Walls @ 2010-02-05  2:46 UTC (permalink / raw)
  To: Mauro Carvalho Chehab; +Cc: Linux Media Mailing List

On Mon, 2010-02-01 at 11:35 -0200, Mauro Carvalho Chehab wrote:
> dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed.
> 
> If the second vmalloc fails, filter is freed, but the pointer keeps pointing
> to the old place. Later, when dvb_dmx_release() is called, it will try to
> free an already freed memory, causing an OOPS.
> 
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

Looks good.

Reviewed-by: Andy Walls <awalls@radix.net>

> ---
>  drivers/media/dvb/dvb-core/dvb_demux.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/media/dvb/dvb-core/dvb_demux.c b/drivers/media/dvb/dvb-core/dvb_demux.c
> index b78cfb7..a78408e 100644
> --- a/drivers/media/dvb/dvb-core/dvb_demux.c
> +++ b/drivers/media/dvb/dvb-core/dvb_demux.c
> @@ -1246,6 +1246,7 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
>  	dvbdemux->feed = vmalloc(dvbdemux->feednum * sizeof(struct dvb_demux_feed));
>  	if (!dvbdemux->feed) {
>  		vfree(dvbdemux->filter);
> +		dvbdemux->filter = NULL;
>  		return -ENOMEM;
>  	}
>  	for (i = 0; i < dvbdemux->filternum; i++) {


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-02-05  2:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-02-01 13:35 [PATCH] Fix the risk of an oops at dvb_dmx_release Mauro Carvalho Chehab
2010-02-01 15:00 ` Chicken Shack
2010-02-05  2:46 ` Andy Walls

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox