LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Marcel Siegert <mws@linuxtv.org>
To: Arjan van de Ven <arjan@infradead.org>
Cc: mchehab@infradead.org, v4l-dvb-maintainer@linuxtv.org,
	linux-kernel@vger.kernel.org,
	"Manu Abraham" <abraham.manu@gmail.com>
Subject: Re: dvb shared datastructure bug?
Date: Tue, 13 Feb 2007 12:04:38 +0100	[thread overview]
Message-ID: <200702131204.47314.mws@linuxtv.org> (raw)
In-Reply-To: <1171352878.12771.30.camel@laptopd505.fenrus.org>


[-- Attachment #1.1: Type: text/plain, Size: 1696 bytes --]

On Tuesday 13 February 2007, Arjan van de Ven wrote:
> Hi,
> 
> while working on the last pieces of the file_ops constantification, DVB
> is the small village in France that is holding the Romans at bay... but
> I think I found the final flaw in it now: 
> 
>        *pdvbdev = dvbdev = kmalloc(sizeof(struct dvb_device), GFP_KERNEL);
> 
>         if (!dvbdev) {
>                 mutex_unlock(&dvbdev_register_lock);
>                 return -ENOMEM;
>         }
> 
>         memcpy(dvbdev, template, sizeof(struct dvb_device));
>         dvbdev->type = type;
>         dvbdev->id = id;
>         dvbdev->adapter = adap;
>         dvbdev->priv = priv;
> 
>         dvbdev->fops->owner = adap->module;
> 
> 
> this is the place in DVB that is writing to a struct file_operations.
> But as with almost all such cases in the kernel, this one is buggy:
> While the code nicely copies a template dvbdev, that template only has a
> pointer to a *shared* fops struct, the copy doesn't help that. So this
> code is overwriting the fops owner field for ALL active devices, not
> just the ones the copy of the template is for....
> 
> I'm lost in the maze of this part of DVB (it seems to have some magic
> potion to resist me) but I was hoping some of the local citizens could
> take a look at this buglet...
> 
> Greetings,
>     Arjan van de Ven

hi arjan,
thanks for pointing out this issue.

attached find a patch that fixes the problem.

@mauro - please pull changeset a7ac92d208fe
   dvbdev: fix illegal re-usage of fileoperations struct

from  http://www.linuxtv.org/hg/~mws/v4l-dvb-fixtree

for upstream to kernel. thanks.

best regards 
marcel

[-- Attachment #1.2: dvbdevfix.patch --]
[-- Type: text/x-diff, Size: 1673 bytes --]

diff -r 667e84e2e762 linux/drivers/media/dvb/dvb-core/dvbdev.c
--- a/linux/drivers/media/dvb/dvb-core/dvbdev.c	Tue Feb 13 07:00:55 2007 -0200
+++ b/linux/drivers/media/dvb/dvb-core/dvbdev.c	Tue Feb 13 12:00:13 2007 +0100
@@ -211,12 +211,14 @@ int dvb_register_device(struct dvb_adapt
 			const struct dvb_device *template, void *priv, int type)
 {
 	struct dvb_device *dvbdev;
+	struct file_operations *dvbdevfops;
+
 	int id;
 
 	if (mutex_lock_interruptible(&dvbdev_register_lock))
 		return -ERESTARTSYS;
 
-	if ((id = dvbdev_get_free_id (adap, type)) < 0) {
+	if ((id = dvbdev_get_free_id (adap, type)) < 0){
 		mutex_unlock(&dvbdev_register_lock);
 		*pdvbdev = NULL;
 		printk ("%s: could get find free device id...\n", __FUNCTION__);
@@ -225,7 +227,15 @@ int dvb_register_device(struct dvb_adapt
 
 	*pdvbdev = dvbdev = kmalloc(sizeof(struct dvb_device), GFP_KERNEL);
 
-	if (!dvbdev) {
+	if (!dvbdev){
+		mutex_unlock(&dvbdev_register_lock);
+		return -ENOMEM;
+	}
+
+	dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL);
+
+	if (!dvbdevfops){
+		kfree (dvbdev);
 		mutex_unlock(&dvbdev_register_lock);
 		return -ENOMEM;
 	}
@@ -235,7 +245,7 @@ int dvb_register_device(struct dvb_adapt
 	dvbdev->id = id;
 	dvbdev->adapter = adap;
 	dvbdev->priv = priv;
-
+	dvbdev->fops = dvbdevfops;
 	dvbdev->fops->owner = adap->module;
 
 	list_add_tail (&dvbdev->list_head, &adap->device_list);
@@ -263,6 +273,7 @@ void dvb_unregister_device(struct dvb_de
 					dvbdev->type, dvbdev->id)));
 
 	list_del (&dvbdev->list_head);
+	kfree (dvbdev->fops);
 	kfree (dvbdev);
 }
 EXPORT_SYMBOL(dvb_unregister_device);

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

  parent reply	other threads:[~2007-02-13 11:30 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-13  7:47 Arjan van de Ven
2007-02-13  8:49 ` [v4l-dvb-maintainer] " Manu Abraham
2007-02-13 11:04 ` Marcel Siegert [this message]
2007-02-13 11:14   ` Manu Abraham
2007-02-13 11:35     ` Jakub Jelinek
2007-02-13 12:02       ` Marcel Siegert
2007-02-13 13:09       ` [v4l-dvb-maintainer] " Trent Piepho
2007-02-13 13:21         ` Marcel Siegert
2007-02-13 13:21         ` Manu Abraham
2007-02-13 11:35   ` Arjan van de Ven
2007-02-13 13:05     ` Marcel Siegert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200702131204.47314.mws@linuxtv.org \
    --to=mws@linuxtv.org \
    --cc=abraham.manu@gmail.com \
    --cc=arjan@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mchehab@infradead.org \
    --cc=v4l-dvb-maintainer@linuxtv.org \
    --subject='Re: dvb shared datastructure bug?' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).