- 18 Nov, 2016 40 commits
-
-
Max Kellermann authored
This commit amends my old commit fe35637b ("[media] dvb_frontend: eliminate blocking wait in dvb_unregister_frontend()"), which added kref to struct dvb_frontend_private. It turned out that there are several use-after-free bugs left, which affect the struct dvb_frontend. Protecting it with kref also protects struct dvb_frontend_private, so we can simply move it. This is how the use-after-free looks like in KASAN: BUG: KASAN: use-after-free in string+0x60/0xb1 at addr ffff880033bd9fc0 Read of size 1 by task kworker/0:2/617 CPU: 0 PID: 617 Comm: kworker/0:2 Not tainted 4.8.0-rc1-hosting+ #60 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event 0000000000000000 ffff880033757218 ffffffff81394e50 ffff880033bd9fd0 ffff880035c03b00 ffff880033757240 ffffffff811f271d ffff880033bd9fc0 1ffff1000677b3f8 ffffed000677b3f8 ffff8800337572b8 ffffffff811f2afe Call Trace: [...] [<ffffffff813a2d2f>] vsnprintf+0x39d/0x7e9 [<ffffffff813993f9>] add_uevent_var+0x10f/0x1dc [<ffffffff814fe5ca>] rc_dev_uevent+0x55/0x6f [<ffffffff814438f8>] dev_uevent+0x2e1/0x316 [<ffffffff81399744>] kobject_uevent_env+0x27e/0x701 [<ffffffff81399bd2>] kobject_uevent+0xb/0xd [<ffffffff81443445>] device_del+0x322/0x383 [<ffffffff81500c0c>] rc_unregister_device+0x98/0xc3 [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90 [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5 [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80 [...] Object at ffff880033bd9fc0, in cache kmalloc-16 size: 16 Allocated: [...] Freed: PID = 617 [...] [<ffffffff811f034c>] kfree+0xd9/0x166 [<ffffffff814fe513>] ir_free_table+0x2f/0x51 [<ffffffff81500bc1>] rc_unregister_device+0x4d/0xc3 [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90 [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5 [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80 Another one: BUG: KASAN: use-after-free in do_sys_poll+0x336/0x6b8 at addr ffff88003563fcc0 Read of size 8 by task tuner on fronte/1042 CPU: 1 PID: 1042 Comm: tuner on fronte Tainted: G B 4.8.0-rc1-hosting+ #60 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 0000000000000000 ffff88003353f910 ffffffff81394e50 ffff88003563fd80 ffff880035c03200 ffff88003353f938 ffffffff811f271d ffff88003563fc80 1ffff10006ac7f98 ffffed0006ac7f98 ffff88003353f9b0 ffffffff811f2afe Call Trace: [...] [<ffffffff812289b3>] do_sys_poll+0x336/0x6b8 [...] [<ffffffff81228ed9>] SyS_poll+0xa9/0x194 [...] Object at ffff88003563fc80, in cache kmalloc-256 size: 256 Allocated: [...] Freed: PID = 617 [...] [<ffffffff811f034c>] kfree+0xd9/0x166 [<ffffffff814eb60d>] dvb_unregister_device+0xd6/0xe5 [<ffffffff814fa4ed>] dvb_unregister_frontend+0x4b/0x66 [<ffffffff8150810b>] dvb_usb_adapter_frontend_exit+0x69/0xac [<ffffffff8150617d>] dvb_usb_exit+0x43/0xe5 [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80 Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
Ensure that STB0899_POSTPROC_GPIO_POWER is set synchronously. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
Prepare for making "release" asynchronous (via kref). Some operations may need to be run synchronously in dvb_frontend_detach(), and that's why we need a "detach" callback. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
This code duplication is confusing and error prone. Let's merge them by moving the release/dvb_detach call into one function with one Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
It is not clear what this return value means. All implemenations return 0, and the one caller ignores the value. Let's remove this useless return value completely. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
Most release callback functions are identical: free the "tuner_priv" and clear it. Let's eliminate some bloat by providing this simple implementation in the dvb_frontend library. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
Commit da677fe1 ("[media] dvb-core/en50221: use kref to manage struct dvb_ca_private") moved the dvb_unregister_device() call to the kref callback, but that left lots of stale device state visible to userspace (e.g. in sysfs). By using dvb_remove_device() and dvb_free_device() instead of dvb_unregister_device(), we can avoid that. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
dvb_unregister_device() has a major problem: it combines unregistering with memory disposal. Sometimes, it is necessary to unregister a device, but no memory can be freed yet, because a process still has a (stale) file handle. Therefore, we need to split dvb_unregister_device(). This will allow sanitizing a few callers. With my new design, dvb_unregister_device() appears misnamed, but to reduce patch noise, I'm not renaming it just yet. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
These are immutable. Making them "const" allows the compiler to move them to the "rodata" section. Note that cxd2841er_t_c_ops cannot be made "const", because cxd2841er_attach() modifies it. Ouch! [mchehab@s-opensource.com: fix merge conflicts] Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Max Kellermann authored
rc_unregister_device() will first call ir_free_table(), and later device_del(); however, the latter causes a call to rc_dev_uevent(), which prints rc_map.name, which at this point has already bee freed. This fixes a use-after-free bug found with KASAN. As reported by Shuah: "I am seeing the following when I do rmmod on au0828 BUG: KASAN: use-after-free in string+0x170/0x1f0 at addr ffff8801bd513000 Read of size 1 by task rmmod/1831 CPU: 1 PID: 1831 Comm: rmmod Tainted: G W 4.9.0-rc5 #5 Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012 ffff8801aea2f680 ffffffff81b37ad3 ffff8801fa403b80 ffff8801bd513000 ffff8801aea2f6a8 ffffffff8156c301 ffff8801aea2f738 ffff8801bd513000 ffff8801fa403b80 ffff8801aea2f728 ffffffff8156c59a ffff8801aea2f770 Call Trace: dump_stack+0x67/0x94 [<ffffffff8156c301>] kasan_object_err+0x21/0x70 [<ffffffff8156c59a>] kasan_report_error+0x1fa/0x4d0 [<ffffffffa116f05f>] ? au0828_exit+0x10/0x21 [au0828] [<ffffffff8156c8b3>] __asan_report_load1_noabort+0x43/0x50 [<ffffffff81b58b20>] ? string+0x170/0x1f0 [<ffffffff81b58b20>] string+0x170/0x1f0 [<ffffffff81b621c4>] vsnprintf+0x374/0x1c50 [<ffffffff81b61e50>] ? pointer+0xa80/0xa80 [<ffffffff8156b676>] ? save_stack+0x46/0xd0 [<ffffffff81566faa>] ? __kmalloc+0x14a/0x2a0 [<ffffffff81b3d70a>] ? kobject_get_path+0x9a/0x200 [<ffffffff81b408c2>] ? kobject_uevent_env+0x282/0xca0 [<ffffffff81b412eb>] ? kobject_uevent+0xb/0x10 [<ffffffff81f10104>] ? device_del+0x434/0x6d0 [<ffffffffa0fea717>] ? rc_unregister_device+0x177/0x240 [rc_core] [<ffffffffa116eeb0>] ? au0828_rc_unregister+0x60/0xb0 [au0828] The problem is fixed with this patch on Linux 4.9-rc4" Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Tested-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Peter Chen authored
It should call of_node_put on non-null poiner. Cc: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Peter Chen <peter.chen@nxp.com> Acked-by: Benoit Parrot <bparrot@ti.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Dan Carpenter authored
devm_pinctrl_get() can fail so we should check for that. Fixes: 0a6824bc ('[media] v4l2: blackfin: select proper pinctrl state in ppi_set_params if CONFIG_PINCTRL is enabled') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Andi Shyti authored
There is no need to check for CONFIG_COMPAT and consequently assign the compat_ioctl. Signed-off-by: Andi Shyti <andi.shyti@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Maciej S. Szmigiero authored
When saa7134 module driving a Medion 7134 card is reloaded reads of this card EEPROM (required for automatic detection of tuner model) will be corrupted due to I2C gate in DVB-T demod being left closed. This sometimes also happens on first saa7134 module load after a warm reboot. Fix this by opening this I2C gate before doing EEPROM read during i2c initialization. Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
CrazyCat authored
This patch fix streaming issue for Geniatech T230/PT360. Signed-off-by: CrazyCat <crazycat69@narod.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Peter Griffin authored
Now that CLK_PROC_STFE is defined as a critical clock in DT, we can remove the commented clk_disable_unprepare from the c8sectpfe driver. This means we now have balanced clk*enable/disable calls in the driver, but on STiH407 family the clock in reality will never actually be disabled. This is due to a HW bug where once the IP has been configured and the SLIM core is running, disabling the clock causes a unrecoverable bus lockup. Signed-off-by: Peter Griffin <peter.griffin@linaro.org> Acked-by: Patrice Chotard <patrice.chotard@st.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Jean-Baptiste Abbadie authored
Removes the superfluous statement about writing to the FSF in the GPL notice Signed-off-by: Jean-Baptiste Abbadie <jb@abbadie.fr> Acked-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Jean-Baptiste Abbadie authored
Align multiple lines statement with parentheses Signed-off-by: Jean-Baptiste Abbadie <jb@abbadie.fr> Acked-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Jean-Baptiste Abbadie authored
This replaces the S_* style permissions by numbers for the __ATTR macros Signed-off-by: Jean-Baptiste Abbadie <jb@abbadie.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sakari Ailus authored
Document the interface between the CSI-2 transmitter and receiver drivers. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: David Härdeman <david@hardeman.nu> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
Return directly after a call of the function "rc_allocate_device" failed at the beginning. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
The local variable "ret" will be set to an appropriate value a bit later. Thus omit the explicit initialisation at the beginning. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
The local variable "rc" will be set to an appropriate value a bit later. Thus omit the explicit initialisation at the beginning. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
* Return directly after a call of the function "kcalloc" failed at the beginning. * Reorder two calls for the function "kfree" at the end. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
Replace the specification of a data type by a pointer dereference as the parameter for the operator "sizeof" to make the corresponding size determination a bit safer. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
The script "checkpatch.pl" pointed information out like the following. WARNING: Possible unnecessary 'out of memory' message Thus remove such a logging statement in five functions. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Markus Elfring authored
* Multiplications for the size determination of memory allocations indicated that array data structures should be processed. Thus use the corresponding function "kcalloc". This issue was detected by using the Coccinelle software. * Replace the specification of data types by pointer dereferences to make the corresponding size determination a bit safer according to the Linux coding style convention. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Unfortunately, the callers of tveeprom don't do the right thing to initialize the device. So, it produces log messages like: [ 267.533010] (null): Hauppauge model 42012, rev C186, serial# 2819348 [ 267.533012] (null): tuner model is Philips FQ1236 MK3 (idx 86, type 43) [ 267.533013] (null): TV standards NTSC(M) (eeprom 0x08) [ 267.533014] (null): audio processor is MSP3445 (idx 12) [ 267.533015] (null): has radio So, replace it to pr_foo(), as it should work fine. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Instead of calling printk() directly, use pr_foo() macro. That should make the rc_core messages be formatted with the right prefix. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Unfortunately, KERN_CONT doesn't work with dev_foo(), producing weird messages like: tvp5150 6-005c: tvp5150: read 0xf6 = 0xff ff So, we need to get rid of it. As we're always printing read/write in hexa when dumping multiple register values, also remove the "0x" from the read/write debug messages too. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
When returning results via v4l2_subdev_core_ops.log_status, use dev_foo() call, instead of just calling printk() directly, without even specifying the log message level. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Instead of using v4l_foo(), use the dev_foo() macros, as most modern media drivers. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Instead of using pr_foo(), use dev_foo(), with provides a better output. As this device is a multi-interface one, we'll set the device name to show the chipset and the driver used. While here, get rid of printk continuation messages. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Instead of using the v4l_foo() macros, just use the kernel-wide dev_foo() macros, as there's no good reason to use something else. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Drivers using dev_foo() macro should not use KERN_CONT, as, internally, those macros work as if all strings were terminated by a \n. So, doing: dev_info(&client->dev, "%s ", client->name); printk(KERN_CONT "supports radio, mode is autodetect and autoselect"); Would produce the following output: msp3400 6-0044: msp3400 supports radio, mode is autodetect and autoselect As there's no good reason to use KERN_CONT, let's rewrite the code to avoid that, allowing this driver to be converted to dev_foo(). Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Currently, there's a mess at the V4L2 printk macros: some drivers use their own macros, others use pr_foo() or v4l_foo() macros, while more modern drivers use dev_foo() macros. The best is to get rid of v4l_foo() macros, as they can be replaced by either dev_foo() or pr_foo(). Yet, such change can be disruptive, as dev_foo() cannot use KERN_CONT. So, the best is to do such change driver by driver. There are replacements for most v4l_foo() macros, but it lacks a way to enable debug messages per level. So, add such macro, in order to make the conversion easier. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Tuner core uses its own printk internal macros, instead of the standard debug ones, for no good reason. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
The dvb-usb system has its own macro to print hexa dumps (debug_dump). Such macro doesn't support messages with KERN_CONT after commit 56387331 ("Merge branch 'printk-cleanups'"). So, let's get rid of a printk() that would be assuming that this would work. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
The dprintk() macro relies on continuation lines. This is not a good practice and will break after commit 56387331 ("Merge branch 'printk-cleanups'"). So, instead of directly calling printk(), use pr_foo() macros, adding a \n leading char on each macro call. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-