[PATCH] [media] dvbdev: add a mutex protecting the "mdev" pointer

8 85 c0 74 06 49 8b 7d RIP [] dvb_frontend_release+0xcb/0x120 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 7 +++ drivers/media/dvb-core/dvbdev.c | 4 drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 4 include/media/dvbdev.h

[PATCH] [media] pctv452e: move buffer to heap, no mutex

unusable (crashes instantly when plugging in the device). Signed-off-by: Max Kellermann --- drivers/media/usb/dvb-usb/pctv452e.c | 133 ++ 1 file changed, 72 insertions(+), 61 deletions(-) diff --git a/drivers/media/usb/dvb-usb/pctv452e.c b/drivers/media/usb/dvb

Re: [PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

On 2016/08/10 01:01, kbuild test robot wrote: > url: > https://github.com/0day-ci/linux/commits/Max-Kellermann/rc-main-clear-rc_map-name-in-ir_free_table/20160810-054811 > base: git://linuxtv.org/media_tree.git master > config: i386-randconfig-n0-201632 (attached as .config) >

[PATCH 09/12] [media] stb0899: move code to "detach" callback

Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously. Signed-off-by: Max Kellermann --- drivers/media/dvb-frontends/stb0899_drv.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-frontends/stb0899_drv.c b/drivers/media/dvb-frontends

[PATCH 01/12] [media] rc-main: clear rc_map.name in ir_free_table()

rc_unregister_device() will first call ir_free_table(), and later device_del(); however, the latter causes a call to rc_dev_uevent(), which prints rc_map.name, which at this point has already bee freed. This fixes a use-after-free bug found with KASAN. Signed-off-by: Max Kellermann --- drivers

[PATCH 10/12] [media] dvb_frontend: move kref to struct dvb_frontend

+0x43/0xe5 [] dvb_usb_device_exit+0x69/0x7d [] pctv452e_usb_disconnect+0x7b/0x80 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 46 ++--- drivers/media/dvb-core/dvb_frontend.h |1 + 2 files changed, 31 insertions(+), 16 deletions(-) di

[PATCH 07/12] [media] dvb_frontend: merge the two dvb_frontend_detach() versions

This code duplication is confusing and error prone. Let's merge them by moving the release/dvb_detach call into one function with one #ifdef. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 42 + 1 file changed, 12 insertions(+

[PATCH 06/12] [media] dvb_frontend: tuner_ops.release returns void

It is not clear what this return value means. All implemenations return 0, and the one caller ignores the value. Let's remove this useless return value completely. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |3 +-- drivers/media/dvb-core/dvb_front

[PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

Most release callback functions are identical: free the "tuner_priv" and clear it. Let's eliminate some bloat by providing this simple implementation in the dvb_frontend library. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |9 + dr

[PATCH 03/12] [media] dvb-core/en50221: use dvb_remove_device()

instead of dvb_unregister_device(), we can avoid that. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index b5b5b1

[PATCH 02/12] [media] dvbdev: split dvb_unregister_device()

sanitizing a few callers. With my new design, dvb_unregister_device() appears misnamed, but to reduce patch noise, I'm not renaming it just yet. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvbdev.c | 19 ++- drivers/media/dvb-core/dvbdev.h |

[PATCH 04/12] [media] dvb: make DVB frontend *_ops instances "const"

These are immutable. Making them "const" allows the compiler to move them to the "rodata" section. Note that cxd2841er_t_c_ops cannot be made "const", because cxd2841er_attach() modifies it. Ouch! Signed-off-by: Max Kellermann --- drivers/media/common/s

[PATCH 08/12] [media] dvb_frontend: add "detach" callback

Prepare for making "release" asynchronous (via kref). Some operations may need to be run synchronously in dvb_frontend_detach(), and that's why we need a "detach" callback. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |1 + drivers/medi

[PATCH 12/12] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann --- drivers/media/media-device.c |6 +- 1 file chang

[PATCH 11/12] [media] media-entity: clear media_gobj.mdev in _destroy()

variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/media

[PATCH 2/2] dvb_frontend: eliminate blocking wait in dvb_unregister_frontend()

){..}, at: [] usb_disconnect+0x52/0x260 #4: (&dev->mutex){..}, at: [] device_release_driver+0x1b/0x30 This patch removes the blocking wait, and postpones the kfree() call until all file handles have been closed by using struct kref. Signed-off-by: Max Kellermann

[PATCH 1/2] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

at fs/ioctl.c:689 #15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680 #16 0x8103feb2 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:207 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++- 1 file ch

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/17 14:53, Sakari Ailus wrote: > On Wed, Jun 15, 2016 at 10:15:07PM +0200, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The > > Is that somethi

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/16 18:24, Shuah Khan wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The > > function media_remove_intf_links() esta

Re: [PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

On 2016/06/16 18:06, Shuah Khan wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > Don't free the object until the file handle has been closed. Fixes > > use-after-free bug which occurs when I disconnect my DVB-S received > > while VDR is running. > > W

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

(Shuah, I did not receive your second reply; I only found it in an email archive.) > Yes media_devnode_create() creates the interfaces links and these > links are deleted by media_devnode_remove(). > media_device_unregister() still needs to delete the interfaces > links. The reason for that is the

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

On 2016/06/15 22:32, Shuah Khan wrote: > This change introduces memory leaks, since drivers are relying on > media_device_unregister() to free interfaces. This is what I thought, too, until I checked the code paths. Who adds entries to that list? Only media_gobj_create() does, and only when typ

[PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

Don't free the object until the file handle has been closed. Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++- 1 file changed, 23 inser

[PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/media

[PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann --- drivers/media/media-device.c |4 +++- 1 file changed, 3 inser

[PATCH 6/6] drivers/media/dvb-usb-dvb: postpone kfree(mdev)

Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann --- drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dvb-usb-dvb.c

[PATCH 5/6] drivers/media/media-device: add "release" callback

Allow the client to free its data structures only after all files have been closed (fixing use-after-free bugs). Signed-off-by: Max Kellermann --- drivers/media/media-device.c |9 +++-- include/media/media-device.h |2 ++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git

[PATCH 2/6] drivers/media/dvb-core/en50221: postpone release until file is closed

Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 23 ++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-core

[PATCH 3/6] drivers/media/media-devnode: clear private_data before put_device()

Callbacks invoked from put_device() may free the struct media_devnode pointer, so any cleanup needs to be done before put_device(). Signed-off-by: Max Kellermann --- drivers/media/media-devnode.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/media

[PATCH 4/6] drivers/media/media-device: move debug log before _devnode_unregister()

After media_devnode_unregister(), the struct media_device may be freed already, and dereferencing it may crash. Signed-off-by: Max Kellermann --- drivers/media/media-device.c |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/media/media-device.c b/drivers/media

[PATCH 1/6] drivers/media/dvb-core/en50221: move code to dvb_ca_private_free()

Prepare for postponing the call until all file handles have been closed. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb

[PATCH] drivers/media/media-devnode: add missing mutex lock in error handler

All accesses to media_devnode_nums must be protected with media_devnode_lock. The error code path in media_devnode_register() did not do this, however. Signed-off-by: Max Kellermann --- drivers/media/media-devnode.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/media

Re: [PATCH] drivers/media/rc: postpone kfree(rc_dev)

On 2016/03/21 13:24, Mauro Carvalho Chehab wrote: > Please, always send us your Signed-off-by on your patches, as described at: > > https://linuxtv.org/wiki/index.php/Development:_Submitting_Patches#Developer.27s_Certificate_of_Origin_1.1 Sorry, I forgot this, and remembered only right aft

[PATCH] drivers/media/rc: postpone kfree(rc_dev)

CONFIG_DEBUG_KOBJECT_RELEASE found this bug. Signed-off-by: Max Kellermann --- drivers/media/rc/rc-main.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c index 1042fa3..cb3e8db 100644 --- a/drivers/media/rc/rc

[PATCH] drivers/media/media-devnode: add missing mutex lock in error handler

Signed-off-by: Max Kellermann --- drivers/media/media-devnode.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c index cea35bf..4d7e8dd 100644 --- a/drivers/media/media-devnode.c +++ b/drivers/media/media-devnode.c @@ -266,8

[PATCH] drivers/media/media-devnode: add missing mutex lock in error handler

--- drivers/media/media-devnode.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c index cea35bf..4d7e8dd 100644 --- a/drivers/media/media-devnode.c +++ b/drivers/media/media-devnode.c @@ -266,8 +266,11 @@ int __must_check med

[PATCH] drivers/media/rc: postpone kfree(rc_dev)

CONFIG_DEBUG_KOBJECT_RELEASE found this bug. --- drivers/media/rc/rc-main.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c index 1042fa3..cb3e8db 100644 --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-

[PATCH 1/2] media/dvb-core: fix inverted check

Breakage caused by commit f50d51661a Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvbdev.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 560450a..c756d4b 100644 --- a/drivers/media/dvb

[PATCH 2/2] media/dvb-core: forward media_create_pad_links() return value

Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvbdev.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index c756d4b..96de2fa 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media