dvb_unregister_device() has a major problem: it combines unregistering with memory disposal. Sometimes, it is necessary to unregister a device, but no memory can be freed yet, because a process still has a (stale) file handle. Therefore, we need to split dvb_unregister_device(). This will allow sanitizing a few callers. With my new design, dvb_unregister_device() appears misnamed, but to reduce patch noise, I'm not renaming it just yet. Signed-off-by: Max Kellermann <max.kellermann@xxxxxxxxx> --- drivers/media/dvb-core/dvbdev.c | 19 ++++++++++++++++++- drivers/media/dvb-core/dvbdev.h | 23 +++++++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 75a3f4b..1bc2dba 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -523,7 +523,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, EXPORT_SYMBOL(dvb_register_device); -void dvb_unregister_device(struct dvb_device *dvbdev) +void dvb_remove_device(struct dvb_device *dvbdev) { if (!dvbdev) return; @@ -537,9 +537,26 @@ void dvb_unregister_device(struct dvb_device *dvbdev) device_destroy(dvb_class, MKDEV(DVB_MAJOR, dvbdev->minor)); list_del (&dvbdev->list_head); +} +EXPORT_SYMBOL(dvb_remove_device); + + +void dvb_free_device(struct dvb_device *dvbdev) +{ + if (!dvbdev) + return; + kfree (dvbdev->fops); kfree (dvbdev); } +EXPORT_SYMBOL(dvb_free_device); + + +void dvb_unregister_device(struct dvb_device *dvbdev) +{ + dvb_remove_device(dvbdev); + dvb_free_device(dvbdev); +} EXPORT_SYMBOL(dvb_unregister_device); diff --git a/drivers/media/dvb-core/dvbdev.h b/drivers/media/dvb-core/dvbdev.h index 4aff7bd..576bbd4 100644 --- a/drivers/media/dvb-core/dvbdev.h +++ b/drivers/media/dvb-core/dvbdev.h @@ -212,8 +212,31 @@ int dvb_register_device(struct dvb_adapter *adap, int demux_sink_pads); /** + * dvb_remove_device - Remove a registered DVB device + * + * This does not free memory. To do that, call dvb_free_device(). + * + * @dvbdev: pointer to struct dvb_device + */ +void dvb_remove_device(struct dvb_device *dvbdev); + +/** + * dvb_free_device - Free memory occupied by a DVB device. + * + * Call dvb_unregister_device() before calling this function. + * + * @dvbdev: pointer to struct dvb_device + */ +void dvb_free_device(struct dvb_device *dvbdev); + +/** * dvb_unregister_device - Unregisters a DVB device * + * This is a combination of dvb_remove_device() and dvb_free_device(). + * Using this function is usually a mistake, and is often an indicator + * for a use-after-free bug (when a userspace process keeps a file + * handle to a detached device). + * * @dvbdev: pointer to struct dvb_device */ void dvb_unregister_device(struct dvb_device *dvbdev); -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html