Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-29 Thread Shuah Khan
On 04/28/2016 01:19 AM, Lars-Peter Clausen wrote: > On 04/27/2016 11:56 PM, Shuah Khan wrote: dev_dbg(mdev->dev, "Media device unregistered\n"); } diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c index 29409f4..9af9ba1 100644 ---

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-28 Thread Mauro Carvalho Chehab
On Wed, 27 Apr 2016 07:51:08 -0600 Shuah Khan wrote: > > - cdev patch; > > - kref patch. > > > > As a bonus side, by breaking into that, it helps to identify what > > fixes are needed if we found similar issues at the other parts of > > the subsystems. > > No problem breaking it into

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-28 Thread Mauro Carvalho Chehab
On Wed, 27 Apr 2016 15:56:33 -0600 Shuah Khan wrote: > On 04/27/2016 10:43 AM, Lars-Peter Clausen wrote: > > Looks mostly good, a few comments. > > > > On 04/27/2016 05:08 AM, Shuah Khan wrote: > > [...] > >> @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp, > >>

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-28 Thread Lars-Peter Clausen
On 04/27/2016 11:56 PM, Shuah Khan wrote: >>> dev_dbg(mdev->dev, "Media device unregistered\n"); >>> } >>> diff --git a/drivers/media/media-devnode.c b/drivers/media/media-devnode.c >>> index 29409f4..9af9ba1 100644 >>> --- a/drivers/media/media-devnode.c >>> +++

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-27 Thread Shuah Khan
On 04/27/2016 10:43 AM, Lars-Peter Clausen wrote: > Looks mostly good, a few comments. > > On 04/27/2016 05:08 AM, Shuah Khan wrote: > [...] >> @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp, >> unsigned int cmd, >> unsigned long arg) >> { >>

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-27 Thread Lars-Peter Clausen
Looks mostly good, a few comments. On 04/27/2016 05:08 AM, Shuah Khan wrote: [...] > @@ -428,7 +428,7 @@ static long media_device_ioctl(struct file *filp, > unsigned int cmd, > unsigned long arg) > { > struct media_devnode *devnode = media_devnode_data(filp);

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-27 Thread Shuah Khan
Hi Mauro, On 04/27/2016 03:55 AM, Mauro Carvalho Chehab wrote: > Hi Shuah, > > Good work! I have a few notes below. > > On Tue, 26 Apr 2016 21:08:32 -0600 > Shuah Khan wrote: > >> When driver unbind is run while media_ioctl is in progress, media_ioctl() >> fails with use-after-free. This

Re: [PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-27 Thread Mauro Carvalho Chehab
Hi Shuah, Good work! I have a few notes below. On Tue, 26 Apr 2016 21:08:32 -0600 Shuah Khan wrote: > When driver unbind is run while media_ioctl is in progress, media_ioctl() > fails with use-after-free. This first use-after-free is followed by more > use-after-free errors in

[PATCH] media: fix media_ioctl use-after-free when driver unbinds

2016-04-26 Thread Shuah Khan
When driver unbind is run while media_ioctl is in progress, media_ioctl() fails with use-after-free. This first use-after-free is followed by more use-after-free errors in media_release(), kobject_put(), and cdev_put() as driver unbind continues. This problem is found on uvcvideo, em28xx, and
