[PATCH] parisc/kprobes: always include asm-generic/kprobes.h

m/kprobes.h suffices, and nobody (outside of arch/) ever needs to explicitly include asm-generic/kprobes.h. Signed-off-by: Max Kellermann --- arch/parisc/include/asm/kprobes.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/parisc/include/asm/kprobes.h b/arch/parisc/i

[PATCH] parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check

) | ^~ Signed-off-by: Max Kellermann --- arch/parisc/kernel/ftrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/parisc/kernel/ftrace.c b/arch/parisc/kernel/ftrace.c index d1defb9ede70..621a4b386ae4 100644 --- a/arch/parisc/kernel/ftrace.c +++ b/arch/parisc/kernel/ftrace.c

Re: [PATCH v2 1/2] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On 2020/05/08 08:38, Max Kellermann wrote: > This fails for `O_PATH` file descriptors, because io_file_get() calls > fget(), which rejects `O_PATH` file descriptors. To support `O_PATH`, > fdget_raw() must be used (like path_init() in `fs/namei.c` does). > This rejection causes io_

[PATCH v2 1/2] fs/io_uring: fix O_PATH fds in openat, openat2, statx

` flag, but since those three operations don't need the `struct file*` but operate directly on the numeric file descriptors, the best solution here is to simply remove `needs_file` (and the accompanying flag `fd_non_reg`). Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/io_uring.c

[PATCH v2 2/2] fs/io_uring: remove unused flag fd_non_neg

--- fs/io_uring.c | 4 1 file changed, 4 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index d24f8e33323c..0aa7cd547ced 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -604,8 +604,6 @@ struct io_op_def { unsignedneeds_mm : 1; /* needs req->file

Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On 2020/05/07 21:29, Al Viro wrote: > Again, resolving the descriptor more than once in course of syscall > is almost always a serious bug; .. and that is what Linux currently does for those three operation, and yes, it's buggy. The generic preparation code looks up the fd, but later in the

Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On 2020/05/07 21:05, Jens Axboe wrote: > On 5/7/20 1:01 PM, Al Viro wrote: > > On Thu, May 07, 2020 at 08:57:25PM +0200, Max Kellermann wrote: > >> If an operation's flag `needs_file` is set, the function > >> io_req_set_file() calls io_file_get() to obtain a `struct f

Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On 2020/05/07 21:01, Al Viro wrote: > On Thu, May 07, 2020 at 08:57:25PM +0200, Max Kellermann wrote: > > If an operation's flag `needs_file` is set, the function > > io_req_set_file() calls io_file_get() to obtain a `struct file*`. > > > > This fails for `O_PATH` file

Re: [PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

On 2020/05/07 20:58, Jens Axboe wrote: > Do you happen to have a liburing test addition for this as well? No, I'll write one tomorrow. GitHub PR or email preferred? Max

[PATCH] fs/io_uring: fix O_PATH fds in openat, openat2, statx

(). Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/io_uring.c | 6 -- 1 file changed, 6 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index a46de2cfc28e..d24f8e33323c 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -693,8 +693,6 @@ static const struct io_op_def

[PATCH v2 1/4] fs/posix_acl: apply umask if superblock disables ACL support

://bugs.gentoo.org/show_bug.cgi?id=686142#c3 https://bugzilla.kernel.org/show_bug.cgi?id=203625 Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/posix_acl.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 84ad1c90d535..4071c66f234a

[PATCH v2 4/4] nfs/super: check NFS_CAP_ACLS instead of the NFS version

regression caused by commit 013cdf1088d723 which itself was not completely wrong, but failed to consider all the side effects by misdesigned VFS code. Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/nfs/super.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --gi

[PATCH v2 2/4] fs/ext4/acl: apply umask if ACL support is disabled

: https://github.com/MusicPlayerDaemon/MPD/issues/558 https://bugs.gentoo.org/show_bug.cgi?id=686142#c3 https://bugzilla.kernel.org/show_bug.cgi?id=203625 Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/ext4/acl.h | 5 + 1 file changed, 5 insertions(+) diff --git a/fs/ext4/acl.h

[PATCH v2 3/4] linux/fs.h: fix umask on NFS with CONFIG_FS_POSIX_ACL=n

). Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- include/linux/fs.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/fs.h b/include/linux/fs.h index f7fdfe93e25d..5e9f3aa7ba26 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1993,7 +1993,12

[PATCH v2] Revert "NFS: readdirplus optimization by cache mechanism" (memleak)

ugs, which may seem unsuitable for the stable branches. Signed-off-by: Max Kellermann Cc: sta...@vger.kernel.org --- fs/nfs/dir.c | 90 --- fs/nfs/internal.h | 3 +- 2 files changed, 7 insertions(+), 86 deletions(-) diff --git a/fs/nfs/dir.c b

[PATCH] Revert "NFS: readdirplus optimization by cache mechanism" (memleak)

ugs, which may seem unsuitable for the stable branches. Signed-off-by: Max Kellermann --- fs/nfs/dir.c | 90 --- fs/nfs/internal.h | 3 +- 2 files changed, 7 insertions(+), 86 deletions(-) diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index 57b6a45576ad..

Re: Kernel 5.1.15 stuck in compaction

On 2019/07/08 12:35, Max Kellermann wrote: > one of our web servers got repeatedly stuck in the memory compaction > code; two PHP processes have been busy at 100% inside memory > compaction after a page fault: This trace maybe helpful as well; the first PHP process:

Kernel 5.1.15 stuck in compaction

Hi, one of our web servers got repeatedly stuck in the memory compaction code; two PHP processes have been busy at 100% inside memory compaction after a page fault: 100.00% 0.00% php-cgi7.0 [kernel.vmlinux] [k] page_fault | ---page_fault

[PATCH 4/4] nfs/super: check NFS_CAP_ACLS instead of the NFS version

regression caused by commit 013cdf1088d723 which itself was not completely wrong, but failed to consider all the side effects by misdesigned VFS code. Signed-off-by: Max Kellermann --- fs/nfs/super.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/nfs/super.c b/fs/n

[PATCH 2/4] fs/ext4/acl: apply umask if ACL support is disabled

: https://github.com/MusicPlayerDaemon/MPD/issues/558 https://bugs.gentoo.org/show_bug.cgi?id=686142#c3 https://bugzilla.kernel.org/show_bug.cgi?id=203625 Signed-off-by: Max Kellermann --- fs/ext4/acl.h | 5 + 1 file changed, 5 insertions(+) diff --git a/fs/ext4/acl.h b/fs/ext4/acl.h index

[PATCH 3/4] linux/fs.h: fix umask on NFS with CONFIG_FS_POSIX_ACL=n

). Signed-off-by: Max Kellermann --- include/linux/fs.h | 5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/fs.h b/include/linux/fs.h index dd28e7679089..299acdaaab56 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1985,7 +1985,12 @@ static inline bool sb_rdonly

[PATCH 1/4] fs/posix_acl: apply umask if superblock disables ACL support

://bugs.gentoo.org/show_bug.cgi?id=686142#c3 https://bugzilla.kernel.org/show_bug.cgi?id=203625 Signed-off-by: Max Kellermann --- fs/posix_acl.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/posix_acl.c b/fs/posix_acl.c index 2fd0fde16fe1..815f7b36ef94 100644 --- a/fs/posix_acl.c

Re: 5.1 kernel: khugepaged stuck at 100%

On 2019/06/07 09:40, Max Kellermann wrote: > On 2019/06/06 19:24, Max Kellermann wrote: > > I have the same problem (kernel 5.1.7), but over here, it's a PHP > > process, not khugepaged, which is looping inside compaction_alloc. > > This is what happened an hour late

Re: 5.1 kernel: khugepaged stuck at 100%

On 2019/06/06 19:24, Max Kellermann wrote: > I have the same problem (kernel 5.1.7), but over here, it's a PHP > process, not khugepaged, which is looping inside compaction_alloc. This is what happened an hour later: kernel tried to execute NX-protected page - exploit attempt? (uid:

Re: 5.1 kernel: khugepaged stuck at 100%

On 2019/05/16 16:14, Justin Piszcz wrote: > Kernel: 5.1.2 > > $ sudo cat /proc/$(pidof khugepaged)/stack > [<0>] 0x > > $ perf top > >PerfTop:3716 irqs/sec kernel:92.9% exact: 99.1% lost: 68/68 > drop: 0/0 [4000Hz cycles], (all, 12 CPUs) >

[PATCH] sound/soc/rockchip: add RT5640 codec option

-by: Max Kellermann --- sound/soc/rockchip/Kconfig | 10 ++ 1 file changed, 10 insertions(+) diff --git a/sound/soc/rockchip/Kconfig b/sound/soc/rockchip/Kconfig index 957046ac6c8c..ac2e27043107 100644 --- a/sound/soc/rockchip/Kconfig +++ b/sound/soc/rockchip/Kconfig @@ -42,6 +42,16

[PATCH] sound/soc/rockchip: add RT5640 codec option

-by: Max Kellermann --- sound/soc/rockchip/Kconfig | 10 ++ 1 file changed, 10 insertions(+) diff --git a/sound/soc/rockchip/Kconfig b/sound/soc/rockchip/Kconfig index 957046ac6c8c..ac2e27043107 100644 --- a/sound/soc/rockchip/Kconfig +++ b/sound/soc/rockchip/Kconfig @@ -42,6 +42,16

[PATCH] [media] dvbdev: add a mutex protecting the "mdev" pointer

8 85 c0 74 06 49 8b 7d RIP [] dvb_frontend_release+0xcb/0x120 Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_frontend.c | 7 +++ drivers/media/dvb-core/dvbdev.c | 4 drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 4

[PATCH] [media] dvbdev: add a mutex protecting the "mdev" pointer

8 85 c0 74 06 49 8b 7d RIP [] dvb_frontend_release+0xcb/0x120 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 7 +++ drivers/media/dvb-core/dvbdev.c | 4 drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 4 include/media/dvbdev.h

[PATCH] nfs/super: check NFS_CAP_ACLS instead of the NFS version

regression caused by commit 013cdf1088d723 which itself was not completely wrong, but failed to consider all the side effects by misdesigned VFS code. Signed-off-by: Max Kellermann <m...@cm4all.com> --- fs/nfs/super.c |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git

[PATCH] nfs/super: check NFS_CAP_ACLS instead of the NFS version

regression caused by commit 013cdf1088d723 which itself was not completely wrong, but failed to consider all the side effects by misdesigned VFS code. Signed-off-by: Max Kellermann --- fs/nfs/super.c |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/nfs/super.c b/fs/n

Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

On 2018/01/15 20:58, "Madhani, Himanshu" wrote: > We have patch to prevent this double free in 4.16/scsi-queue > already. No, let me repeat: this is a different bug! Your bug is about the free call after waiting for completion synchronously in

Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

On 2018/01/15 20:58, "Madhani, Himanshu" wrote: > We have patch to prevent this double free in 4.16/scsi-queue > already. No, let me repeat: this is a different bug! Your bug is about the free call after waiting for completion synchronously in qla24xx_els_dcmd_iocb(), after it was already freed

Re: [PATCH 2/2] dFrom: Max Kellermann <m...@cm4all.com>

On 2018/01/15 18:41, Greg KH wrote: > Your subject line is a bit odd :( True, I already repaired & resent it. Sorry for the hiccup.

Re: [PATCH 2/2] dFrom: Max Kellermann

On 2018/01/15 18:41, Greg KH wrote: > Your subject line is a bit odd :( True, I already repaired & resent it. Sorry for the hiccup.

[PATCH 2/2] dFrom: Max Kellermann <m...@cm4all.com>

d to check for "version==4". - If CONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is always set, as before. Signed-off-by: Max Kellermann <m...@cm4all.com> --- fs/nfs/super.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nf

[PATCH 2/2] dFrom: Max Kellermann

d to check for "version==4". - If CONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is always set, as before. Signed-off-by: Max Kellermann --- fs/nfs/super.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfs/super.c b/

[PATCH 1/2] linux/fs.h: fix umask on NFS with CONFIG_FS_POSIX_ACL=n

). Signed-off-by: Max Kellermann <m...@cm4all.com> --- include/linux/fs.h |5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/fs.h b/include/linux/fs.h index 440281f8564d..c3240c28e61b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1883,7 +1883,12 @@

[PATCH 1/2] linux/fs.h: fix umask on NFS with CONFIG_FS_POSIX_ACL=n

). Signed-off-by: Max Kellermann --- include/linux/fs.h |5 + 1 file changed, 5 insertions(+) diff --git a/include/linux/fs.h b/include/linux/fs.h index 440281f8564d..c3240c28e61b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1883,7 +1883,12 @@ static inline bool sb_rdonly

[PATCH] nfs/super: set MS_POSIXACL only if ACL support is enabled

ONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is always set, as before. Signed-off-by: Max Kellermann <m...@cm4all.com> --- fs/nfs/super.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfs/super.c b/fs/nfs/super.c index 216f67d628b3..ec4e1f

[PATCH] nfs/super: set MS_POSIXACL only if ACL support is enabled

ONFIG_FS_POSIX_ACL=y and CONFIG_NFS_V3_ACL=y, MS_POSIXACL is always set, as before. Signed-off-by: Max Kellermann --- fs/nfs/super.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/nfs/super.c b/fs/nfs/super.c index 216f67d628b3..ec4e1f2775e0 100644 --- a/fs/nfs/

[PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

s belongs to the object at 88278147a440 which belongs to the cache qla2xxx_srbs of size 344 The buggy address is located 336 bytes inside of 344-byte region [88278147a440, 88278147a598) Signed-off-by: Max Kellermann <m...@cm4all.com> --- drivers/scsi/qla2xxx/qla_init.c |3 ++-

[PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

s belongs to the object at 88278147a440 which belongs to the cache qla2xxx_srbs of size 344 The buggy address is located 336 bytes inside of 344-byte region [88278147a440, 88278147a598) Signed-off-by: Max Kellermann --- drivers/scsi/qla2xxx/qla_init.c |3 ++- 1 file changed, 2 in

Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

On 2017/12/07 21:38, "Madhani, Himanshu" wrote: > NACK > > These calls are asynchronous calls and free should be called by > completion. I don't understand the NACK, and your text doesn't explain it. It only describes a second bug that is orthogonal to mine.

Re: [PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

On 2017/12/07 21:38, "Madhani, Himanshu" wrote: > NACK > > These calls are asynchronous calls and free should be called by > completion. I don't understand the NACK, and your text doesn't explain it. It only describes a second bug that is orthogonal to mine.

[PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

s belongs to the object at 88278147a440 which belongs to the cache qla2xxx_srbs of size 344 The buggy address is located 336 bytes inside of 344-byte region [88278147a440, 88278147a598) Signed-off-by: Max Kellermann <m...@cm4all.com> --- drivers/scsi/qla2xxx/qla_init.c |3 ++-

[PATCH] drivers/scsi/qla2xxx: fix double free bug after firmware timeout

s belongs to the object at 88278147a440 which belongs to the cache qla2xxx_srbs of size 344 The buggy address is located 336 bytes inside of 344-byte region [88278147a440, 88278147a598) Signed-off-by: Max Kellermann --- drivers/scsi/qla2xxx/qla_init.c |3 ++- 1 file changed, 2 in

[PATCH] [media] pctv452e: move buffer to heap, no mutex

unusable (crashes instantly when plugging in the device). Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/usb/dvb-usb/pctv452e.c | 133 ++ 1 file changed, 72 insertions(+), 61 deletions(-) diff --git a/drivers/media/usb/d

[PATCH] [media] pctv452e: move buffer to heap, no mutex

unusable (crashes instantly when plugging in the device). Signed-off-by: Max Kellermann --- drivers/media/usb/dvb-usb/pctv452e.c | 133 ++ 1 file changed, 72 insertions(+), 61 deletions(-) diff --git a/drivers/media/usb/dvb-usb/pctv452e.c b/drivers/media/usb/dvb

Re: [PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

On 2016/08/10 01:01, kbuild test robot <l...@intel.com> wrote: > url: > https://github.com/0day-ci/linux/commits/Max-Kellermann/rc-main-clear-rc_map-name-in-ir_free_table/20160810-054811 > base: git://linuxtv.org/media_tree.git master > config: i386-randconfig-n0-201632 (a

Re: [PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

On 2016/08/10 01:01, kbuild test robot wrote: > url: > https://github.com/0day-ci/linux/commits/Max-Kellermann/rc-main-clear-rc_map-name-in-ir_free_table/20160810-054811 > base: git://linuxtv.org/media_tree.git master > config: i386-randconfig-n0-201632 (attached as .config) >

[PATCH 10/12] [media] dvb_frontend: move kref to struct dvb_frontend

+0x43/0xe5 [] dvb_usb_device_exit+0x69/0x7d [] pctv452e_usb_disconnect+0x7b/0x80 Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_frontend.c | 46 ++--- drivers/media/dvb-core/dvb_frontend.h |1 + 2 files changed, 31 i

[PATCH 10/12] [media] dvb_frontend: move kref to struct dvb_frontend

+0x43/0xe5 [] dvb_usb_device_exit+0x69/0x7d [] pctv452e_usb_disconnect+0x7b/0x80 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 46 ++--- drivers/media/dvb-core/dvb_frontend.h |1 + 2 files changed, 31 insertions(+), 16 deletions(-)

[PATCH 09/12] [media] stb0899: move code to "detach" callback

Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-frontends/stb0899_drv.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-frontends/stb0899_dr

[PATCH 09/12] [media] stb0899: move code to "detach" callback

Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously. Signed-off-by: Max Kellermann --- drivers/media/dvb-frontends/stb0899_drv.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/media/dvb-frontends/stb0899_drv.c b/drivers/media/dvb-frontends

[PATCH 11/12] [media] media-entity: clear media_gobj.mdev in _destroy()

this variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff

[PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

Most release callback functions are identical: free the "tuner_priv" and clear it. Let's eliminate some bloat by providing this simple implementation in the dvb_frontend library. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_fronte

[PATCH 04/12] [media] dvb: make DVB frontend *_ops instances "const"

These are immutable. Making them "const" allows the compiler to move them to the "rodata" section. Note that cxd2841er_t_c_ops cannot be made "const", because cxd2841er_attach() modifies it. Ouch! Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --

[PATCH 08/12] [media] dvb_frontend: add "detach" callback

Prepare for making "release" asynchronous (via kref). Some operations may need to be run synchronously in dvb_frontend_detach(), and that's why we need a "detach" callback. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_frontend

[PATCH 01/12] [media] rc-main: clear rc_map.name in ir_free_table()

rc_unregister_device() will first call ir_free_table(), and later device_del(); however, the latter causes a call to rc_dev_uevent(), which prints rc_map.name, which at this point has already bee freed. This fixes a use-after-free bug found with KASAN. Signed-off-by: Max Kellermann <max.kell

[PATCH 11/12] [media] media-entity: clear media_gobj.mdev in _destroy()

this variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/media

[PATCH 05/12] [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations

Most release callback functions are identical: free the "tuner_priv" and clear it. Let's eliminate some bloat by providing this simple implementation in the dvb_frontend library. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |9 + drivers

[PATCH 04/12] [media] dvb: make DVB frontend *_ops instances "const"

These are immutable. Making them "const" allows the compiler to move them to the "rodata" section. Note that cxd2841er_t_c_ops cannot be made "const", because cxd2841er_attach() modifies it. Ouch! Signed-off-by: Max Kellermann --- drivers/media/common/s

[PATCH 08/12] [media] dvb_frontend: add "detach" callback

Prepare for making "release" asynchronous (via kref). Some operations may need to be run synchronously in dvb_frontend_detach(), and that's why we need a "detach" callback. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |1 + drivers/media/dvb

[PATCH 01/12] [media] rc-main: clear rc_map.name in ir_free_table()

rc_unregister_device() will first call ir_free_table(), and later device_del(); however, the latter causes a call to rc_dev_uevent(), which prints rc_map.name, which at this point has already bee freed. This fixes a use-after-free bug found with KASAN. Signed-off-by: Max Kellermann --- drivers

[PATCH 03/12] [media] dvb-core/en50221: use dvb_remove_device()

() instead of dvb_unregister_device(), we can avoid that. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_ca_en50221.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/

[PATCH 02/12] [media] dvbdev: split dvb_unregister_device()

sanitizing a few callers. With my new design, dvb_unregister_device() appears misnamed, but to reduce patch noise, I'm not renaming it just yet. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvbdev.c | 19 ++- drivers/media/dv

[PATCH 06/12] [media] dvb_frontend: tuner_ops.release returns void

It is not clear what this return value means. All implemenations return 0, and the one caller ignores the value. Let's remove this useless return value completely. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_frontend.c |3 +-- d

[PATCH 03/12] [media] dvb-core/en50221: use dvb_remove_device()

() instead of dvb_unregister_device(), we can avoid that. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c index b5b5b1

[PATCH 02/12] [media] dvbdev: split dvb_unregister_device()

sanitizing a few callers. With my new design, dvb_unregister_device() appears misnamed, but to reduce patch noise, I'm not renaming it just yet. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvbdev.c | 19 ++- drivers/media/dvb-core/dvbdev.h | 23

[PATCH 06/12] [media] dvb_frontend: tuner_ops.release returns void

It is not clear what this return value means. All implemenations return 0, and the one caller ignores the value. Let's remove this useless return value completely. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c |3 +-- drivers/media/dvb-core/dvb_frontend.h

[PATCH 12/12] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/media-device.c

[PATCH 07/12] [media] dvb_frontend: merge the two dvb_frontend_detach() versions

This code duplication is confusing and error prone. Let's merge them by moving the release/dvb_detach call into one function with one #ifdef. Signed-off-by: Max Kellermann <max.kellerm...@gmail.com> --- drivers/media/dvb-core/dvb_frontend.c | 42 +

[PATCH 12/12] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann --- drivers/media/media-device.c |6 +- 1 file changed, 5

[PATCH 07/12] [media] dvb_frontend: merge the two dvb_frontend_detach() versions

This code duplication is confusing and error prone. Let's merge them by moving the release/dvb_detach call into one function with one #ifdef. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 42 + 1 file changed, 12 insertions(+), 30

[PATCH 2/2] dvb_frontend: eliminate blocking wait in dvb_unregister_frontend()

ect+0x52/0x260 #4: (>mutex){..}, at: [] device_release_driver+0x1b/0x30 This patch removes the blocking wait, and postpones the kfree() call until all file handles have been closed by using struct kref. Signed-off-by: Max Kellermann <m...@duempel.org> --- dri

[PATCH 2/2] dvb_frontend: eliminate blocking wait in dvb_unregister_frontend()

ect+0x52/0x260 #4: (>mutex){..}, at: [] device_release_driver+0x1b/0x30 This patch removes the blocking wait, and postpones the kfree() call until all file handles have been closed by using struct kref. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_frontend.c | 33 +

[PATCH 1/2] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

l (arg=, cmd=, fd=) at fs/ioctl.c:689 #15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680 #16 0x8103feb2 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:207 Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/dvb-core/dvb_ca_en50

[PATCH 1/2] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

/ioctl.c:689 #15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680 #16 0x8103feb2 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:207 Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++- 1 file changed

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/17 14:53, Sakari Ailus <sakari.ai...@iki.fi> wrote: > On Wed, Jun 15, 2016 at 10:15:07PM +0200, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The &

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/17 14:53, Sakari Ailus wrote: > On Wed, Jun 15, 2016 at 10:15:07PM +0200, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The > > Is that somethi

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/16 18:24, Shuah Khan <shua...@osg.samsung.com> wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The > > funct

Re: [PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

On 2016/06/16 18:24, Shuah Khan wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > media_gobj_destroy() may be called twice on one instance - once by > > media_device_unregister() and again by dvb_media_device_free(). The > > function media_remove_intf_links() esta

Re: [PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

On 2016/06/16 18:06, Shuah Khan <shua...@osg.samsung.com> wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > Don't free the object until the file handle has been closed. Fixes > > use-after-free bug which occurs when I disconnect my DVB-S received > > while VDR

Re: [PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

On 2016/06/16 18:06, Shuah Khan wrote: > On 06/15/2016 02:15 PM, Max Kellermann wrote: > > Don't free the object until the file handle has been closed. Fixes > > use-after-free bug which occurs when I disconnect my DVB-S received > > while VDR is running. > > Which

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

(Shuah, I did not receive your second reply; I only found it in an email archive.) > Yes media_devnode_create() creates the interfaces links and these > links are deleted by media_devnode_remove(). > media_device_unregister() still needs to delete the interfaces > links. The reason for that is

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

(Shuah, I did not receive your second reply; I only found it in an email archive.) > Yes media_devnode_create() creates the interfaces links and these > links are deleted by media_devnode_remove(). > media_device_unregister() still needs to delete the interfaces > links. The reason for that is

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

On 2016/06/15 22:32, Shuah Khan wrote: > This change introduces memory leaks, since drivers are relying on > media_device_unregister() to free interfaces. This is what I thought, too, until I checked the code paths. Who adds entries to that list? Only

Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

On 2016/06/15 22:32, Shuah Khan wrote: > This change introduces memory leaks, since drivers are relying on > media_device_unregister() to free interfaces. This is what I thought, too, until I checked the code paths. Who adds entries to that list? Only media_gobj_create() does, and only when

[PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

Don't free the object until the file handle has been closed. Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++-

[PATCH 1/3] drivers/media/dvb-core/en50221: use kref to manage struct dvb_ca_private

Don't free the object until the file handle has been closed. Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann --- drivers/media/dvb-core/dvb_ca_en50221.c | 24 +++- 1 file changed, 23 insertions

[PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/media-device.c |4 +++-

[PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

this variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff

[PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann --- drivers/media/media-device.c |4 +++- 1 file changed, 3 insertions

[PATCH 2/3] drivers/media/media-entity: clear media_gobj.mdev in _destroy()

this variable. So this patch really implements this behavior, and adds another mdev==NULL check to media_gobj_destroy() to protect against double removal. Signed-off-by: Max Kellermann --- drivers/media/media-entity.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/media

[PATCH 6/6] drivers/media/dvb-usb-dvb: postpone kfree(mdev)

Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/media/u

[PATCH 5/6] drivers/media/media-device: add "release" callback

Allow the client to free its data structures only after all files have been closed (fixing use-after-free bugs). Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/media-device.c |9 +++-- include/media/media-device.h |2 ++ 2 files changed, 9 insertions

[PATCH 6/6] drivers/media/dvb-usb-dvb: postpone kfree(mdev)

Fixes use-after-free bug which occurs when I disconnect my DVB-S received while VDR is running. Signed-off-by: Max Kellermann --- drivers/media/usb/dvb-usb/dvb-usb-dvb.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/dvb-usb/dvb-usb-dvb.c

[PATCH 5/6] drivers/media/media-device: add "release" callback

Allow the client to free its data structures only after all files have been closed (fixing use-after-free bugs). Signed-off-by: Max Kellermann --- drivers/media/media-device.c |9 +++-- include/media/media-device.h |2 ++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git

[PATCH 1/6] drivers/media/dvb-core/en50221: move code to dvb_ca_private_free()

Prepare for postponing the call until all file handles have been closed. Signed-off-by: Max Kellermann <m...@duempel.org> --- drivers/media/dvb-core/dvb_ca_en50221.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/media/dvb-core/dvb_ca_en5022

  1   2   >