kernel/linux.git/include/media/media-devnode.h, branch v4.4.278

media: fix media devnode ioctl/syscall and unregister race

2020-05-27T14:40:25+00:00

commit 6f0dd24a084a17f9984dd49dffbf7055bf123993 upstream. Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan Suggested-by: Sakari Ailus Reported-by: Mauro Carvalho Chehab Tested-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: adjut filename, context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

media-device: dynamically allocate struct media_devnode

2020-05-27T14:40:25+00:00

commit a087ce704b802becbb4b0f2a20f2cb3f6911802e upstream. struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: - Drop change in au0828 - Include in media-device.c - Adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

media-devnode: fix namespace mess

2020-05-27T14:40:25+00:00

commit 163f1e93e995048b894c5fc86a6034d16beed740 upstream. Along all media controller code, "mdev" is used to represent a pointer to struct media_device, and "devnode" for a pointer to struct media_devnode. However, inside media-devnode.[ch], "mdev" is used to represent a pointer to struct media_devnode. This is very confusing and may lead to development errors. So, let's change all occurrences at media-devnode.[ch] to also use "devnode" for such pointers. This patch doesn't make any functional changes. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: adjust filename, context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

[media] Docbook: Fix description of struct media_devnode

2015-08-22T07:45:03+00:00

Warning(.//include/media/media-devnode.h:80): No description found for parameter 'fops' Warning(.//include/media/media-devnode.h:80): No description found for parameter 'dev' Warning(.//include/media/media-devnode.h:80): No description found for parameter 'cdev' Warning(.//include/media/media-devnode.h:80): No description found for parameter 'release' Signed-off-by: Mauro Carvalho Chehab Acked-by: Jonathan Corbet

[media] media: Use a better owner for the media device

2014-05-13T16:39:00+00:00

mdev->fops->owner is actually the owner of the very same module which implements media_device_register(), so it can't be unloaded anyway. Instead, use THIS_MODULE through a macro as does video_register_device(). Signed-off-by: Sakari Ailus Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab

[media] media: Add 64--32 bit compat ioctl handler

2013-03-18T23:44:36+00:00

Provide an ioctl handler for 32-bit binaries on 64-bit systems. Signed-off-by: Sakari Ailus Acked-by: Laurent Pinchart Tested-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab

[media] media: Media device node support

2011-03-22T07:52:22+00:00

The media_devnode structure provides support for registering and unregistering character devices using a dynamic major number. Reference counting is handled internally, making device drivers easier to write without having to solve the open/disconnect race condition issue over and over again. The code is based on video/v4l2-dev.c. [mchehab@redhat.com: Remove linux/smp_lock.h include to not break compilation on bisect] Signed-off-by: Laurent Pinchart Acked-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab