From: Max Kellermann <max@duempel.org>
To: Shuah Khan <shuahkh@osg.samsung.com>
Cc: linux-media@vger.kernel.org, mchehab@osg.samsung.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private
Date: Thu, 16 Jun 2016 20:37:45 +0200
Message-ID: <20160616183745.GA3727@swift.blarg.de>
In-Reply-To: <5762CE93.3080404@osg.samsung.com>

On 2016/06/16 18:06, Shuah Khan <shuahkh@osg.samsung.com> wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > Don't free the object until the file handle has been closed. Fixes
> > use-after-free bug which occurs when I disconnect my DVB-S receiver
> > while VDR is running.
>
> Which file handle? /dev/dvb---

I don't know which one triggers it. I get crashes with VDR, and VDR
opens all of them (ca0, demux0, frontend0), but won't release the file
handles even if they become defunct. Only restarting the VDR process
leads to recovery (or crash).

> I think dvb_ca_en50221_release() and dvb_ca_en50221_io_do_ioctl()
> should serialize access to ca. dvb_ca_en50221_io_do_ioctl() holds
> the ioctl_mutex, however, dvb_ca_en50221_release() could happen while
> ioctl is in progress. Maybe you can try fixing those first.

True, there are LOTS of race conditions in the DVB code. I see them
everywhere. But that's orthogonal to my patch, isn't it?

> As I mentioned in my review on your 3/3 patch, adding a kref here
> adds more refcounted objects to the mix. You want to avoid that.

Mauro asked me to add the kref. What is your suggestion to fix the
use-after-free bug?

I have a problem here, as mentioned in my last email: I don't know how
all of this is supposed to be, how it was designed; all I see is bugs
inside strange code, and I have to guess the previous author's
intentions and try to do the best to fix the code.

Max
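
Added example, not part of the original message or of the patch under
discussion: a userspace C model of the lifetime rule in the quoted commit
message ("Don't free the object until the file handle has been closed").
The struct, the function names and the C11 atomic counter are hypothetical
stand-ins for struct dvb_ca_private and the kernel's kref.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver's private object (not its real layout). */
struct ca_private {
	atomic_int refs;   /* plays the role of the kref */
	bool unplugged;    /* set once the hardware has been removed */
	int *freed;        /* demo hook: records that the destructor ran */
};

static struct ca_private *ca_init(int *freed)
{
	struct ca_private *ca = calloc(1, sizeof(*ca));
	if (!ca)
		return NULL;
	atomic_init(&ca->refs, 1);  /* reference owned by the driver */
	ca->freed = freed;
	return ca;
}

/* Drop one reference; whoever drops the last one frees the object. */
static void ca_put(struct ca_private *ca)
{
	if (atomic_fetch_sub(&ca->refs, 1) == 1) {
		*ca->freed = 1;
		free(ca);
	}
}

/* open(): the file handle takes its own reference. */
static struct ca_private *ca_open(struct ca_private *ca) { atomic_fetch_add(&ca->refs, 1); return ca; }
/* Device removal: mark the object defunct and drop only the driver's reference. */
static void ca_release(struct ca_private *ca) { ca->unplugged = true; ca_put(ca); }
/* ioctl on a defunct handle: the memory is still valid, so fail cleanly. */
static int ca_ioctl(struct ca_private *ca) { return ca->unplugged ? -ENODEV : 0; }
/* close(): drop the handle's reference; this frees if the device is already gone. */
static void ca_close(struct ca_private *ca) { ca_put(ca); }

/* Unplug while a handle is open; returns 1 if the object outlived the unplug. */
static int demo_unplug_while_open(void)
{
	int freed = 0;
	struct ca_private *ca = ca_init(&freed);
	if (!ca)
		return -1;
	struct ca_private *fh = ca_open(ca);
	ca_release(ca);               /* receiver disconnected, handle still open */
	int alive = !freed;           /* object must not be freed yet */
	int rc = ca_ioctl(fh);        /* safe access, reports -ENODEV */
	ca_close(fh);                 /* last reference gone: freed here */
	return alive && rc == -ENODEV && freed;
}

int main(void) { return demo_unplug_while_open() == 1 ? 0 : 1; }
```

The model covers object lifetime only; it does not serialize release
against an in-flight ioctl, which is the separate concern raised in the
quoted review.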