On 04/28/2016 01:19 AM, Lars-Peter Clausen wrote:
> On 04/27/2016 11:56 PM, Shuah Khan wrote:
dev_dbg(mdev->dev, "Media device unregistered\n");
}
diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c
index 29409f4..9af9ba1 100644
--- a/drivers/medi
On Wed, 27 Apr 2016 07:51:08 -0600
Shuah Khan wrote:
> > - cdev patch;
> > - kref patch.
> >
> > As a bonus side, by breaking into that, it helps to identify what
> > fixes are needed if we found similar issues at the other parts of
> > the subsystems.
>
> No problem breaking it into 3
On Wed, 27 Apr 2016 15:56:33 -0600
Shuah Khan wrote:
> On 04/27/2016 10:43 AM, Lars-Peter Clausen wrote:
> > Looks mostly good, a few comments.
> >
> > On 04/27/2016 05:08 AM, Shuah Khan wrote:
> > [...]
> >> @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp,
> >> unsign
On 04/27/2016 11:56 PM, Shuah Khan wrote:
>>> dev_dbg(mdev->dev, "Media device unregistered\n");
>>> }
>>> diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c
>>> index 29409f4..9af9ba1 100644
>>> --- a/drivers/media/media-devnode.c
>>> +++ b/drivers/media/media-devnode.
On 04/27/2016 10:43 AM, Lars-Peter Clausen wrote:
> Looks mostly good, a few comments.
>
> On 04/27/2016 05:08 AM, Shuah Khan wrote:
> [...]
>> @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp,
>> unsigned int cmd,
>> unsigned long arg)
>> {
>>
Looks mostly good, a few comments.
On 04/27/2016 05:08 AM, Shuah Khan wrote:
[...]
> @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp,
> unsigned int cmd,
> unsigned long arg)
> {
> struct media_devnode *devnode = media_devnode_data(filp);
>
Hi Mauro,
On 04/27/2016 03:55 AM, Mauro Carvalho Chehab wrote:
> Hi Shuah,
>
> Good work! I have a few notes below.
>
> On Tue, 26 Apr 2016 21:08:32 -0600
> Shuah Khan wrote:
>
>> When driver unbind is run while media_ioctl is in progress, media_ioctl()
>> fails with use-after-free. This fi
Hi Shuah,
Good work! I have a few notes below.
On Tue, 26 Apr 2016 21:08:32 -0600
Shuah Khan wrote:
> When driver unbind is run while media_ioctl is in progress, media_ioctl()
> fails with use-after-free. This first use-after-free is followed by more
> use-after-free errors in media_release
When driver unbind is run while media_ioctl is in progress, media_ioctl()
fails with use-after-free. This first use-after-free is followed by more
use-after-free errors in media_release(), kobject_put(), and cdev_put()
as driver unbind continues. This problem is found on uvcvideo, em28xx, and
au08