[PATCH 02/12] [media] dvbdev: split dvb_unregister_device()

From: Max Kellermann
Date: Tue Aug 09 2016 - 17:43:03 EST


dvb_unregister_device() has a major problem: it combines unregistering
with memory disposal. Sometimes, it is necessary to unregister a
device, but no memory can be freed yet, because a process still has a
(stale) file handle. Therefore, we need to split
dvb_unregister_device(). This will allow sanitizing a few callers.

With my new design, dvb_unregister_device() appears misnamed, but to
reduce patch noise, I'm not renaming it just yet.

Signed-off-by: Max Kellermann <max.kellermann@xxxxxxxxx>
---
drivers/media/dvb-core/dvbdev.c | 19 ++++++++++++++++++-
drivers/media/dvb-core/dvbdev.h | 23 +++++++++++++++++++++++
2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 75a3f4b..1bc2dba 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -523,7 +523,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
EXPORT_SYMBOL(dvb_register_device);


-void dvb_unregister_device(struct dvb_device *dvbdev)
+void dvb_remove_device(struct dvb_device *dvbdev)
{
if (!dvbdev)
return;
@@ -537,9 +537,26 @@ void dvb_unregister_device(struct dvb_device *dvbdev)
device_destroy(dvb_class, MKDEV(DVB_MAJOR, dvbdev->minor));

list_del (&dvbdev->list_head);
+}
+EXPORT_SYMBOL(dvb_remove_device);
+
+
+void dvb_free_device(struct dvb_device *dvbdev)
+{
+ if (!dvbdev)
+ return;
+
kfree (dvbdev->fops);
kfree (dvbdev);
}
+EXPORT_SYMBOL(dvb_free_device);
+
+
+void dvb_unregister_device(struct dvb_device *dvbdev)
+{
+ dvb_remove_device(dvbdev);
+ dvb_free_device(dvbdev);
+}
EXPORT_SYMBOL(dvb_unregister_device);


diff --git a/drivers/media/dvb-core/dvbdev.h b/drivers/media/dvb-core/dvbdev.h
index 4aff7bd..576bbd4 100644
--- a/drivers/media/dvb-core/dvbdev.h
+++ b/drivers/media/dvb-core/dvbdev.h
@@ -212,8 +212,31 @@ int dvb_register_device(struct dvb_adapter *adap,
int demux_sink_pads);

/**
+ * dvb_remove_device - Remove a registered DVB device
+ *
+ * This does not free memory. To do that, call dvb_free_device().
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+void dvb_remove_device(struct dvb_device *dvbdev);
+
+/**
+ * dvb_free_device - Free memory occupied by a DVB device.
+ *
+ * Call dvb_unregister_device() before calling this function.
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+void dvb_free_device(struct dvb_device *dvbdev);
+
+/**
* dvb_unregister_device - Unregisters a DVB device
*
+ * This is a combination of dvb_remove_device() and dvb_free_device().
+ * Using this function is usually a mistake, and is often an indicator
+ * for a use-after-free bug (when a userspace process keeps a file
+ * handle to a detached device).
+ *
* @dvbdev: pointer to struct dvb_device
*/
void dvb_unregister_device(struct dvb_device *dvbdev);