m/kprobes.h suffices, and nobody (outside
of arch/) ever needs to explicitly include asm-generic/kprobes.h.
Signed-off-by: Max Kellermann
---
arch/parisc/include/asm/kprobes.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/parisc/include/asm/kprobes.h
b/arch/parisc/i
)
| ^~
Signed-off-by: Max Kellermann
---
arch/parisc/kernel/ftrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/parisc/kernel/ftrace.c b/arch/parisc/kernel/ftrace.c
index d1defb9ede70..621a4b386ae4 100644
--- a/arch/parisc/kernel/ftrace.c
+++ b/arch/parisc/kernel/ftrace.c
On 2020/05/08 08:38, Max Kellermann wrote:
> This fails for `O_PATH` file descriptors, because io_file_get() calls
> fget(), which rejects `O_PATH` file descriptors. To support `O_PATH`,
> fdget_raw() must be used (like path_init() in `fs/namei.c` does).
> This rejection causes io_
` flag, but since those three operations don't
need the `struct file*` but operate directly on the numeric file
descriptors, the best solution here is to simply remove `needs_file`
(and the accompanying flag `fd_non_reg`).
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/io_uring.c
---
fs/io_uring.c | 4
1 file changed, 4 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index d24f8e33323c..0aa7cd547ced 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -604,8 +604,6 @@ struct io_op_def {
unsignedneeds_mm : 1;
/* needs req->file
On 2020/05/07 21:29, Al Viro wrote:
> Again, resolving the descriptor more than once in course of syscall
> is almost always a serious bug;
.. and that is what Linux currently does for those three operation,
and yes, it's buggy. The generic preparation code looks up the fd,
but later in the
On 2020/05/07 21:05, Jens Axboe wrote:
> On 5/7/20 1:01 PM, Al Viro wrote:
> > On Thu, May 07, 2020 at 08:57:25PM +0200, Max Kellermann wrote:
> >> If an operation's flag `needs_file` is set, the function
> >> io_req_set_file() calls io_file_get() to obtain a `struct f
On 2020/05/07 21:01, Al Viro wrote:
> On Thu, May 07, 2020 at 08:57:25PM +0200, Max Kellermann wrote:
> > If an operation's flag `needs_file` is set, the function
> > io_req_set_file() calls io_file_get() to obtain a `struct file*`.
> >
> > This fails for `O_PATH` file
On 2020/05/07 20:58, Jens Axboe wrote:
> Do you happen to have a liburing test addition for this as well?
No, I'll write one tomorrow. GitHub PR or email preferred?
Max
().
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/io_uring.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index a46de2cfc28e..d24f8e33323c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -693,8 +693,6 @@ static const struct io_op_def
://bugs.gentoo.org/show_bug.cgi?id=686142#c3
https://bugzilla.kernel.org/show_bug.cgi?id=203625
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/posix_acl.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 84ad1c90d535..4071c66f234a
regression caused by commit 013cdf1088d723 which itself was not
completely wrong, but failed to consider all the side effects by
misdesigned VFS code.
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/nfs/super.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --gi
:
https://github.com/MusicPlayerDaemon/MPD/issues/558
https://bugs.gentoo.org/show_bug.cgi?id=686142#c3
https://bugzilla.kernel.org/show_bug.cgi?id=203625
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/ext4/acl.h | 5 +
1 file changed, 5 insertions(+)
diff --git a/fs/ext4/acl.h
).
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
include/linux/fs.h | 5 +
1 file changed, 5 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index f7fdfe93e25d..5e9f3aa7ba26 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1993,7 +1993,12
ugs, which may seem unsuitable for the stable branches.
Signed-off-by: Max Kellermann
Cc: sta...@vger.kernel.org
---
fs/nfs/dir.c | 90 ---
fs/nfs/internal.h | 3 +-
2 files changed, 7 insertions(+), 86 deletions(-)
diff --git a/fs/nfs/dir.c b
ugs, which may seem unsuitable for the stable branches.
Signed-off-by: Max Kellermann
---
fs/nfs/dir.c | 90 ---
fs/nfs/internal.h | 3 +-
2 files changed, 7 insertions(+), 86 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 57b6a45576ad..
On 2019/07/08 12:35, Max Kellermann wrote:
> one of our web servers got repeatedly stuck in the memory compaction
> code; two PHP processes have been busy at 100% inside memory
> compaction after a page fault:
This trace maybe helpful as well; the first PHP process:
Hi,
one of our web servers got repeatedly stuck in the memory compaction
code; two PHP processes have been busy at 100% inside memory
compaction after a page fault:
100.00% 0.00% php-cgi7.0 [kernel.vmlinux] [k] page_fault
|
---page_fault
regression caused by commit 013cdf1088d723 which itself was not
completely wrong, but failed to consider all the side effects by
misdesigned VFS code.
Signed-off-by: Max Kellermann
---
fs/nfs/super.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/super.c b/fs/n
:
https://github.com/MusicPlayerDaemon/MPD/issues/558
https://bugs.gentoo.org/show_bug.cgi?id=686142#c3
https://bugzilla.kernel.org/show_bug.cgi?id=203625
Signed-off-by: Max Kellermann
---
fs/ext4/acl.h | 5 +
1 file changed, 5 insertions(+)
diff --git a/fs/ext4/acl.h b/fs/ext4/acl.h
index
).
Signed-off-by: Max Kellermann
---
include/linux/fs.h | 5 +
1 file changed, 5 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index dd28e7679089..299acdaaab56 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1985,7 +1985,12 @@ static inline bool sb_rdonly
://bugs.gentoo.org/show_bug.cgi?id=686142#c3
https://bugzilla.kernel.org/show_bug.cgi?id=203625
Signed-off-by: Max Kellermann
---
fs/posix_acl.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 2fd0fde16fe1..815f7b36ef94 100644
--- a/fs/posix_acl.c
On 2019/06/07 09:40, Max Kellermann wrote:
> On 2019/06/06 19:24, Max Kellermann wrote:
> > I have the same problem (kernel 5.1.7), but over here, it's a PHP
> > process, not khugepaged, which is looping inside compaction_alloc.
>
> This is what happened an hour late
On 2019/06/06 19:24, Max Kellermann wrote:
> I have the same problem (kernel 5.1.7), but over here, it's a PHP
> process, not khugepaged, which is looping inside compaction_alloc.
This is what happened an hour later:
kernel tried to execute NX-protected page - exploit attempt? (uid:
On 2019/05/16 16:14, Justin Piszcz wrote:
> Kernel: 5.1.2
>
> $ sudo cat /proc/$(pidof khugepaged)/stack
> [<0>] 0x
>
> $ perf top
>
>PerfTop:3716 irqs/sec kernel:92.9% exact: 99.1% lost: 68/68
> drop: 0/0 [4000Hz cycles], (all, 12 CPUs)
>
-by: Max Kellermann
---
sound/soc/rockchip/Kconfig | 10 ++
1 file changed, 10 insertions(+)
diff --git a/sound/soc/rockchip/Kconfig b/sound/soc/rockchip/Kconfig
index 957046ac6c8c..ac2e27043107 100644
--- a/sound/soc/rockchip/Kconfig
+++ b/sound/soc/rockchip/Kconfig
@@ -42,6 +42,16
-by: Max Kellermann
---
sound/soc/rockchip/Kconfig | 10 ++
1 file changed, 10 insertions(+)
diff --git a/sound/soc/rockchip/Kconfig b/sound/soc/rockchip/Kconfig
index 957046ac6c8c..ac2e27043107 100644
--- a/sound/soc/rockchip/Kconfig
+++ b/sound/soc/rockchip/Kconfig
@@ -42,6 +42,16
8 85 c0 74 06 49 8b 7d
RIP [] dvb_frontend_release+0xcb/0x120
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_frontend.c | 7 +++
drivers/media/dvb-core/dvbdev.c | 4
drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 4
8 85 c0 74 06 49 8b 7d
RIP [] dvb_frontend_release+0xcb/0x120
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c | 7 +++
drivers/media/dvb-core/dvbdev.c | 4
drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 4
include/media/dvbdev.h
regression caused by commit 013cdf1088d723 which itself was not
completely wrong, but failed to consider all the side effects by
misdesigned VFS code.
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
fs/nfs/super.c |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git
regression caused by commit 013cdf1088d723 which itself was not
completely wrong, but failed to consider all the side effects by
misdesigned VFS code.
Signed-off-by: Max Kellermann
---
fs/nfs/super.c |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/super.c b/fs/n
On 2018/01/15 20:58, "Madhani, Himanshu" wrote:
> We have patch to prevent this double free in 4.16/scsi-queue
> already.
No, let me repeat: this is a different bug!
Your bug is about the free call after waiting for completion
synchronously in
On 2018/01/15 20:58, "Madhani, Himanshu" wrote:
> We have patch to prevent this double free in 4.16/scsi-queue
> already.
No, let me repeat: this is a different bug!
Your bug is about the free call after waiting for completion
synchronously in qla24xx_els_dcmd_iocb(), after it was already freed
On 2018/01/15 18:41, Greg KH wrote:
> Your subject line is a bit odd :(
True, I already repaired & resent it. Sorry for the hiccup.
On 2018/01/15 18:41, Greg KH wrote:
> Your subject line is a bit odd :(
True, I already repaired & resent it. Sorry for the hiccup.
d to check for
"version==4".
- If CONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is
always set, as before.
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
fs/nfs/super.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nf
d to check for
"version==4".
- If CONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is
always set, as before.
Signed-off-by: Max Kellermann
---
fs/nfs/super.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/super.c b/
).
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
include/linux/fs.h |5 +
1 file changed, 5 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 440281f8564d..c3240c28e61b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1883,7 +1883,12 @@
).
Signed-off-by: Max Kellermann
---
include/linux/fs.h |5 +
1 file changed, 5 insertions(+)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 440281f8564d..c3240c28e61b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1883,7 +1883,12 @@ static inline bool sb_rdonly
ONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is
always set, as before.
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
fs/nfs/super.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 216f67d628b3..ec4e1f
ONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is
always set, as before.
Signed-off-by: Max Kellermann
---
fs/nfs/super.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 216f67d628b3..ec4e1f2775e0 100644
--- a/fs/nfs/
s belongs to the object at 88278147a440
which belongs to the cache qla2xxx_srbs of size 344
The buggy address is located 336 bytes inside of
344-byte region [88278147a440, 88278147a598)
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
drivers/scsi/qla2xxx/qla_init.c |3 ++-
s belongs to the object at 88278147a440
which belongs to the cache qla2xxx_srbs of size 344
The buggy address is located 336 bytes inside of
344-byte region [88278147a440, 88278147a598)
Signed-off-by: Max Kellermann
---
drivers/scsi/qla2xxx/qla_init.c |3 ++-
1 file changed, 2 in
On 2017/12/07 21:38, "Madhani, Himanshu" wrote:
> NACK
>
> These calls are asynchronous calls and free should be called by
> completion.
I don't understand the NACK, and your text doesn't explain it. It
only describes a second bug that is orthogonal to mine.
On 2017/12/07 21:38, "Madhani, Himanshu" wrote:
> NACK
>
> These calls are asynchronous calls and free should be called by
> completion.
I don't understand the NACK, and your text doesn't explain it. It
only describes a second bug that is orthogonal to mine.
s belongs to the object at 88278147a440
which belongs to the cache qla2xxx_srbs of size 344
The buggy address is located 336 bytes inside of
344-byte region [88278147a440, 88278147a598)
Signed-off-by: Max Kellermann <m...@cm4all.com>
---
drivers/scsi/qla2xxx/qla_init.c |3 ++-
s belongs to the object at 88278147a440
which belongs to the cache qla2xxx_srbs of size 344
The buggy address is located 336 bytes inside of
344-byte region [88278147a440, 88278147a598)
Signed-off-by: Max Kellermann
---
drivers/scsi/qla2xxx/qla_init.c |3 ++-
1 file changed, 2 in
unusable (crashes instantly when
plugging in the device).
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/usb/dvb-usb/pctv452e.c | 133 ++
1 file changed, 72 insertions(+), 61 deletions(-)
diff --git a/drivers/media/usb/d
unusable (crashes instantly when
plugging in the device).
Signed-off-by: Max Kellermann
---
drivers/media/usb/dvb-usb/pctv452e.c | 133 ++
1 file changed, 72 insertions(+), 61 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/pctv452e.c
b/drivers/media/usb/dvb
On 2016/08/10 01:01, kbuild test robot <l...@intel.com> wrote:
> url:
> https://github.com/0day-ci/linux/commits/Max-Kellermann/rc-main-clear-rc_map-name-in-ir_free_table/20160810-054811
> base: git://linuxtv.org/media_tree.git master
> config: i386-randconfig-n0-201632 (a
On 2016/08/10 01:01, kbuild test robot wrote:
> url:
> https://github.com/0day-ci/linux/commits/Max-Kellermann/rc-main-clear-rc_map-name-in-ir_free_table/20160810-054811
> base: git://linuxtv.org/media_tree.git master
> config: i386-randconfig-n0-201632 (attached as .config)
>
+0x43/0xe5
[] dvb_usb_device_exit+0x69/0x7d
[] pctv452e_usb_disconnect+0x7b/0x80
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_frontend.c | 46 ++---
drivers/media/dvb-core/dvb_frontend.h |1 +
2 files changed, 31 i
+0x43/0xe5
[] dvb_usb_device_exit+0x69/0x7d
[] pctv452e_usb_disconnect+0x7b/0x80
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c | 46 ++---
drivers/media/dvb-core/dvb_frontend.h |1 +
2 files changed, 31 insertions(+), 16 deletions(-)
Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-frontends/stb0899_drv.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-frontends/stb0899_dr
Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-frontends/stb0899_drv.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-frontends/stb0899_drv.c
b/drivers/media/dvb-frontends
this variable. So this patch really implements
this behavior, and adds another mdev==NULL check to
media_gobj_destroy() to protect against double removal.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/media-entity.c |6 ++
1 file changed, 6 insertions(+)
diff
Most release callback functions are identical: free the "tuner_priv"
and clear it. Let's eliminate some bloat by providing this simple
implementation in the dvb_frontend library.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_fronte
These are immutable. Making them "const" allows the compiler to move
them to the "rodata" section.
Note that cxd2841er_t_c_ops cannot be made "const", because
cxd2841er_attach() modifies it. Ouch!
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
--
Prepare for making "release" asynchronous (via kref). Some operations
may need to be run synchronously in dvb_frontend_detach(), and that's
why we need a "detach" callback.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_frontend
rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.
This fixes a use-after-free bug found with KASAN.
Signed-off-by: Max Kellermann <max.kell
this variable. So this patch really implements
this behavior, and adds another mdev==NULL check to
media_gobj_destroy() to protect against double removal.
Signed-off-by: Max Kellermann
---
drivers/media/media-entity.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/media
Most release callback functions are identical: free the "tuner_priv"
and clear it. Let's eliminate some bloat by providing this simple
implementation in the dvb_frontend library.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c |9 +
drivers
These are immutable. Making them "const" allows the compiler to move
them to the "rodata" section.
Note that cxd2841er_t_c_ops cannot be made "const", because
cxd2841er_attach() modifies it. Ouch!
Signed-off-by: Max Kellermann
---
drivers/media/common/s
Prepare for making "release" asynchronous (via kref). Some operations
may need to be run synchronously in dvb_frontend_detach(), and that's
why we need a "detach" callback.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c |1 +
drivers/media/dvb
rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.
This fixes a use-after-free bug found with KASAN.
Signed-off-by: Max Kellermann
---
drivers
() instead of dvb_unregister_device(), we can avoid
that.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_ca_en50221.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c
b/drivers/media/dvb-core/
sanitizing a few callers.
With my new design, dvb_unregister_device() appears misnamed, but to
reduce patch noise, I'm not renaming it just yet.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvbdev.c | 19 ++-
drivers/media/dv
It is not clear what this return value means. All implemenations
return 0, and the one caller ignores the value. Let's remove this
useless return value completely.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_frontend.c |3 +--
d
() instead of dvb_unregister_device(), we can avoid
that.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_ca_en50221.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c
b/drivers/media/dvb-core/dvb_ca_en50221.c
index b5b5b1
sanitizing a few callers.
With my new design, dvb_unregister_device() appears misnamed, but to
reduce patch noise, I'm not renaming it just yet.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvbdev.c | 19 ++-
drivers/media/dvb-core/dvbdev.h | 23
It is not clear what this return value means. All implemenations
return 0, and the one caller ignores the value. Let's remove this
useless return value completely.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c |3 +--
drivers/media/dvb-core/dvb_frontend.h
handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.
This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/media-device.c
This code duplication is confusing and error prone. Let's merge them
by moving the release/dvb_detach call into one function with one
#ifdef.
Signed-off-by: Max Kellermann <max.kellerm...@gmail.com>
---
drivers/media/dvb-core/dvb_frontend.c | 42 +
handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.
This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.
Signed-off-by: Max Kellermann
---
drivers/media/media-device.c |6 +-
1 file changed, 5
This code duplication is confusing and error prone. Let's merge them
by moving the release/dvb_detach call into one function with one
#ifdef.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c | 42 +
1 file changed, 12 insertions(+), 30
ect+0x52/0x260
#4: (>mutex){..}, at: []
device_release_driver+0x1b/0x30
This patch removes the blocking wait, and postpones the kfree() call
until all file handles have been closed by using struct kref.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
dri
ect+0x52/0x260
#4: (>mutex){..}, at: []
device_release_driver+0x1b/0x30
This patch removes the blocking wait, and postpones the kfree() call
until all file handles have been closed by using struct kref.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_frontend.c | 33 +
l (arg=, cmd=, fd=) at fs/ioctl.c:689
#15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680
#16 0x8103feb2 in entry_SYSCALL_64 () at
arch/x86/entry/entry_64.S:207
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/dvb-core/dvb_ca_en50
/ioctl.c:689
#15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680
#16 0x8103feb2 in entry_SYSCALL_64 () at
arch/x86/entry/entry_64.S:207
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++-
1 file changed
On 2016/06/17 14:53, Sakari Ailus <sakari.ai...@iki.fi> wrote:
> On Wed, Jun 15, 2016 at 10:15:07PM +0200, Max Kellermann wrote:
> > media_gobj_destroy() may be called twice on one instance - once by
> > media_device_unregister() and again by dvb_media_device_free(). The
&
On 2016/06/17 14:53, Sakari Ailus wrote:
> On Wed, Jun 15, 2016 at 10:15:07PM +0200, Max Kellermann wrote:
> > media_gobj_destroy() may be called twice on one instance - once by
> > media_device_unregister() and again by dvb_media_device_free(). The
>
> Is that somethi
On 2016/06/16 18:24, Shuah Khan <shua...@osg.samsung.com> wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > media_gobj_destroy() may be called twice on one instance - once by
> > media_device_unregister() and again by dvb_media_device_free(). The
> > funct
On 2016/06/16 18:24, Shuah Khan wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > media_gobj_destroy() may be called twice on one instance - once by
> > media_device_unregister() and again by dvb_media_device_free(). The
> > function media_remove_intf_links() esta
On 2016/06/16 18:06, Shuah Khan <shua...@osg.samsung.com> wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > Don't free the object until the file handle has been closed. Fixes
> > use-after-free bug which occurs when I disconnect my DVB-S received
> > while VDR
On 2016/06/16 18:06, Shuah Khan wrote:
> On 06/15/2016 02:15 PM, Max Kellermann wrote:
> > Don't free the object until the file handle has been closed. Fixes
> > use-after-free bug which occurs when I disconnect my DVB-S received
> > while VDR is running.
>
> Which
(Shuah, I did not receive your second reply; I only found it in an
email archive.)
> Yes media_devnode_create() creates the interfaces links and these
> links are deleted by media_devnode_remove().
> media_device_unregister() still needs to delete the interfaces
> links. The reason for that is
(Shuah, I did not receive your second reply; I only found it in an
email archive.)
> Yes media_devnode_create() creates the interfaces links and these
> links are deleted by media_devnode_remove().
> media_device_unregister() still needs to delete the interfaces
> links. The reason for that is
On 2016/06/15 22:32, Shuah Khan wrote:
> This change introduces memory leaks, since drivers are relying on
> media_device_unregister() to free interfaces.
This is what I thought, too, until I checked the code paths. Who adds
entries to that list? Only
On 2016/06/15 22:32, Shuah Khan wrote:
> This change introduces memory leaks, since drivers are relying on
> media_device_unregister() to free interfaces.
This is what I thought, too, until I checked the code paths. Who adds
entries to that list? Only media_gobj_create() does, and only when
Don't free the object until the file handle has been closed. Fixes
use-after-free bug which occurs when I disconnect my DVB-S received
while VDR is running.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++-
Don't free the object until the file handle has been closed. Fixes
use-after-free bug which occurs when I disconnect my DVB-S received
while VDR is running.
Signed-off-by: Max Kellermann
---
drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++-
1 file changed, 23 insertions
handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.
This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/media-device.c |4 +++-
this variable. So this patch really implements
this behavior, and adds another mdev==NULL check to
media_gobj_destroy() to protect against double removal.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/media-entity.c |6 ++
1 file changed, 6 insertions(+)
diff
handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.
This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.
Signed-off-by: Max Kellermann
---
drivers/media/media-device.c |4 +++-
1 file changed, 3 insertions
this variable. So this patch really implements
this behavior, and adds another mdev==NULL check to
media_gobj_destroy() to protect against double removal.
Signed-off-by: Max Kellermann
---
drivers/media/media-entity.c |6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/media
Fixes use-after-free bug which occurs when I disconnect my DVB-S
received while VDR is running.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/media/u
Allow the client to free its data structures only after all files have
been closed (fixing use-after-free bugs).
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/media-device.c |9 +++--
include/media/media-device.h |2 ++
2 files changed, 9 insertions
Fixes use-after-free bug which occurs when I disconnect my DVB-S
received while VDR is running.
Signed-off-by: Max Kellermann
---
drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-dvb.c
Allow the client to free its data structures only after all files have
been closed (fixing use-after-free bugs).
Signed-off-by: Max Kellermann
---
drivers/media/media-device.c |9 +++--
include/media/media-device.h |2 ++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git
Prepare for postponing the call until all file handles have been
closed.
Signed-off-by: Max Kellermann <m...@duempel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en5022
1 - 100 of 170 matches
Mail list logo