- 15 Jun, 2016 4 commits
-
-
Shuah Khan authored
Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Shuah Khan authored
When driver unbinds while media_ioctl is in progress, cdev_put() fails with when app exits after driver unbinds. Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets a reference to it and releases it in cdev_del() ensuring that the devnode is not deallocated as long as the application has the device file open. media_devnode_register() initializes the struct device kobj before calling cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the device. devnode is released when the last reference to the struct device is gone. This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has been tested on all three. kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50 kernel: [ 193.599745] Read of size 8 by task media_device_te/1851 kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54 kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0 kernel: [ 193.601083] Call Trace: kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94 kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0 kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40 kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530 kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40 kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0 kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50 kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50 kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0 kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10 kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0 kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20 kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250 - - - kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7 kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120 kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6 Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Along all media controller code, "mdev" is used to represent a pointer to struct media_device, and "devnode" for a pointer to struct media_devnode. However, inside media-devnode.[ch], "mdev" is used to represent a pointer to struct media_devnode. This is very confusing and may lead to development errors. So, let's change all occurrences at media-devnode.[ch] to also use "devnode" for such pointers. This patch doesn't make any functional changes. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 14 Jun, 2016 1 commit
-
-
Mauro Carvalho Chehab authored
For the third time in three years, I'm changing my e-mail at Samsung. That's bad, as it may stop communications with me for a while. So, this time, I'll also the mchehab@kernel.org e-mail, as it remains stable since ever. Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 10 Jun, 2016 2 commits
-
-
Colin Ian King authored
status is not initialized so it can contain garbage. The check for status containing the FE_HAS_LOCK bit may randomly pass or fail if the read of register 0x8c fails to set status after 25 read attempts. Fix this by initializing status to 0. Issue found with CoverityScan, CID#986738 Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Dan Carpenter authored
The code is checking for negative returns but it should be checking for zero. Fixes: aab3125c ('[media] em28xx: add support for registering multiple i2c buses') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
- 09 Jun, 2016 6 commits
-
-
Zhaoxiu Zeng authored
This patch removes the local MT2063_gcd function, uses lib gcd instead Signed-off-by: Zhaoxiu Zeng <zhaoxiu.zeng@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Martin Blumenstingl authored
The rtl2832 demod has 2 sets of PID filters. This patch enables the filter support when using a slave demod. Signed-off-by: Benjamin Larsson <benjamin@southpole.se> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Antti Palosaari authored
Remove __func__ and KBUILD_MODNAME from logging formatters and pass USB interface device instead, so logging can be done correctly. Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Alessandro Radicati authored
The MXL5007T tuner will lock-up on some devices after an I2C read transaction. This patch works around this issue by inhibiting such operations and emulating a 0x00 response. The workaround is only applied to USB devices known to exhibit this flaw. Signed-off-by: Alessandro Radicati <alessandro@radicati.net> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Alessandro Radicati authored
This patch will modify the af9035 driver to use the register address fields of the I2C read command for the combined write/read transaction case. Without this change, the firmware issues just a I2C read transaction without the preceding write transaction to select the register. Signed-off-by: Alessandro Radicati <alessandro@radicati.net> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Marek Szyprowski authored
Change return value back to -ENODEV when no region is defined for given device. This restores old behavior of this function, as some drivers rely on such error code. Fixes: 59ce4039 ("of: reserved_mem: add support for using more than one region for given device") Reported-by: Liviu Dudau <liviu.dudau@arm.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Reviewed-by: Liviu Dudau <Liviu.Dudau@arm.com> Acked-by: Rob Herring <robh@kernel.org> Reviewed-by: Sumit Semwal <sumit.semwal@linaro.org>
-
- 07 Jun, 2016 27 commits
-
-
Max Kellermann authored
Prepare for postponing the call until all file handles have been closed. [mchehab@osg.samsung.com: make checkpatch happy] Signed-off-by: Max Kellermann <max@duempel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Olli Salonen authored
Return -EINVAL if ds3000_set_frontend is called with invalid parameters. v1 of the patch series got incorrect subject lines. Signed-off-by: Olli Salonen <olli.salonen@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Fengguang Wu authored
drivers/media/dvb-frontends/helene.c:750:2-3: Unneeded semicolon Remove unneeded semicolon. Generated by: scripts/coccinelle/misc/semicolon.cocci CC: Abylay Ospan <aospan@netup.ru> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Martin Blumenstingl authored
No functional changes. Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Martin Blumenstingl authored
This adds the missing auto-select bits for DVB-frontends and tuners (if MEDIA_SUBDRV_AUTOSELECT is enabled) which are used by the various rtl28xxu devices. The driver itself probes for three more tuners, but it's not actually using any of them: - MEDIA_TUNER_MT2063 - MEDIA_TUNER_MT2266 - MEDIA_TUNER_MXL5007T Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Antti Palosaari authored
Move mn88472 DVB-T/T2/C demod driver out of staging to media. v2: Fix build error reported by kbuild test robot: drivers/staging/media/mn88472/Makefile: No such file or directory Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Antti Palosaari authored
Finalize driver in order to move out of staging. Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Julia Lawall authored
firmare -> firmware Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Antti Palosaari authored
1 and 2 wasn't enough for mn88472 chip on Astrometa device, so increase it to 3. Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Julia Lawall authored
firmare -> firmware Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Antti Palosaari authored
Latest, 3rd, regmap instance should be freed on error case. Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Hans Verkuil authored
Remove this deprecated old driver. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: Richard Röjfors <richard@puffinpack.se> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Hans Verkuil authored
Remove this deprecated old driver. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Hans Verkuil authored
Remove this deprecated old driver. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: Guennadi Liakhovetski <g.liakhovetski@gmx.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Hans Verkuil authored
Remove this deprecated old driver. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: Guennadi Liakhovetski <g.liakhovetski@gmx.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
ayaka authored
It is a cosmetic commit. Signed-off-by: ayaka <ayaka@soulik.info> Signed-off-by: Kamil Debski <k.debski@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
ayaka authored
We don't need to request the sizeimage or num_planes in try_fmt. Signed-off-by: ayaka <ayaka@soulik.info> Signed-off-by: Kamil Debski <k.debski@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
ayaka authored
The encoder forget the work to call hardware to release its buffers. This patch came from chromium project. I just change its code style and make the API match with new kernel. Signed-off-by: ayaka <ayaka@soulik.info> Signed-off-by: Kamil Debski <k.debski@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
I'm maintainer for Sony Helene tuner (drivers/media/dvb-frontends/helene.*) Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Mauro Carvalho Chehab authored
drivers/media/dvb-frontends/helene.c: In function 'helene_write_regs': drivers/media/dvb-frontends/helene.c:312:5: warning: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'unsigned int' [-Wformat=] "wr reg=%04x: len=%d vs %lu is too big!\n", ^ Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
correct is CXD2841ER and CXD2854ER incorrect was CXD2441ER and CXD2454ER Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
Old behaviour: frontend0 - DVB-S/S2 frontend1 - DVB-T/T2 frontend2 - DVB-C frontend3 - ISDB-T New behaviour (DVBv5 API compliant): frontend0 - DVB-S/S2 frontend1 - DVB-T/T2/C/ISDB-T DTV standard should be selected by DTV_DELIVERY_SYSTEM call. And DVB-C default bandwidth now 8MHz Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
bandwidth 1.7,5,6,7,8Mhz support for DVB-T2 Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
Fixed HELENE tuner frequency calculation Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Mauro Carvalho Chehab authored
now when new tuning parameters specified demod should retune. Also ISDB-T frequency offset calculation added (cxd2841er_get_carrier_offset_i). While here, fix re-tune for DVB-C Annex A, using the desired bandwidth, instead of using 8MHz. Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
Fix offset calculation inside cxd2841er_get_carrier_offset_t Now DVB-T should be tuned correctly Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Abylay Ospan authored
Avoid error message: cxd2841er_read_status_s(): invalid state 1 Always force demod to shutdown state before initializing Signed-off-by: Abylay Ospan <aospan@netup.ru> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-