| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
commit a4aebaf6e6efff548b01a3dc49b4b9074751c15b upstream.
When CONFIG_DVB_DYNAMIC_MINORS, ret is not initialized, and a
semaphore is left at the wrong state, in case of errors.
Make the code simpler and avoid mistakes by having just one error
check logic used weather DVB_DYNAMIC_MINORS is used or not.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202410201717.ULWWdJv8-lkp@intel.com/
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/9e067488d8935b8cf00959764a1fa5de85d65725.1730926254.git.mchehab+huawei@kernel.org
Cc: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ]
The dvbdev contains a static variable used to store dvb minors.
The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
or not. When not set, dvb_register_device() won't check for
boundaries, as it will rely that a previous call to
dvb_register_adapter() would already be enforcing it.
On a similar way, dvb_device_open() uses the assumption
that the register functions already did the needed checks.
This can be fragile if some device ends using different
calls. This also generate warnings on static check analysers
like Coverity.
So, add explicit guards to prevent potential risk of OOM issues.
Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
Because the size passed to copy_from_user() cannot be known beforehand,
it needs to be checked during runtime with check_object_size. That makes
gcc believe that the content of sbuf can be used before init.
Fix:
./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 ]
In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed
in several error-handling paths. However, *pdvbdev is not set to NULL
after dvbdev's deallocation, causing use-after-frees in many places,
for example, in the following call chain:
budget_register
|-> dvb_dmxdev_init
|-> dvb_register_device
|-> dvb_dmxdev_release
|-> dvb_unregister_device
|-> dvb_remove_device
|-> dvb_device_put
|-> kref_put
When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in
dvb_register_device) could point to memory that had been freed in
dvb_register_device. Thereafter, this pointer is transferred to
kref_put and triggering a use-after-free.
Link: https://lore.kernel.org/linux-media/20240203134046.3120099-1-alexious@zju.edu.cn
Fixes: b61901024776 ("V4L/DVB (5244): Dvbdev: fix illegal re-usage of fileoperations struct")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit a2dd235df435a05d389240be748909ada91201d2 ]
If call to file->f_op->open() fails, then call dvb_device_put(dvbdev).
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ]
dvb_register_device() dynamically allocates fops with kmemdup()
to set the fops->owner.
And these fops are registered in 'file->f_ops' using replace_fops()
in the dvb_device_open() process, and kfree()d in dvb_free_device().
However, it is not common to use dynamically allocated fops instead
of 'static const' fops as an argument of replace_fops(),
and UAF may occur.
These UAFs can occur on any dvb type using dvb_register_device(),
such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc.
So, instead of kfree() the fops dynamically allocated in
dvb_register_device() in dvb_free_device() called during the
.disconnect() process, kfree() it collectively in exit_dvbdev()
called when the dvbdev.c module is removed.
Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
commit 6b0d0477fce747d4137aa65856318b55fba72198 upstream.
In function dvb_register_device() -> dvb_register_media_device() ->
dvb_create_media_entity(), dvb->entity is allocated and initialized. If
the initialization fails, it frees the dvb->entity, and return an error
code. The caller takes the error code and handles the error by calling
dvb_media_device_free(), which unregisters the entity and frees the
field again if it is not NULL. As dvb->entity may not NULLed in
dvb_create_media_entity() when the allocation of dvbdev->pad fails, a
double free may occur. This may also cause an Use After free in
media_device_unregister_entity().
Fix this by storing NULL to dvb->entity when it is freed.
Link: https://lore.kernel.org/linux-media/20220426052921.2088416-1-keitasuzuki.park@sslab.ics.keio.ac.jp
Fixes: fcd5ce4b3936 ("media: dvb-core: fix a memory leak bug")
Cc: stable@vger.kernel.org
Cc: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream.
Previous commit initialize the dvbdev->ref before the template copy,
which will overwrite the reference and cause refcnt bug.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...
Just place the kref_init at correct position.
Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]
dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.
This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.
Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
use SPDX-License-Identifier instead of a verbose license text
and remove verbose license text.
Link: https://lore.kernel.org/linux-media/20210916020018.8550-1-caihuoqing@baidu.com
Signed-off-by: Cai Huoqing <caihuoqing@baidu.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
As reported by smatch:
drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:510 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:530 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:545 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
The error logic inside dvb_register_device() doesn't remove
devices from the dvb_adapter_list in case of errors.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn`
before setting it to NULL, as documented in include/media/media-device.h:
"The media_entity instance itself must be freed explicitly by the driver
if required."
Link: https://syzkaller.appspot.com/bug?id=9bbe4b842c98f0ed05c5eed77a226e9de33bf298
Link: https://lore.kernel.org/linux-media/20201211083039.521617-1-yepeilin.cs@gmail.com
Cc: stable@vger.kernel.org
Fixes: 0230d60e4661 ("[media] dvbdev: Add RF connector if needed")
Reported-by: syzbot+7f09440acc069a0d38ac@syzkaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
When device_create() fails, dvbdev and dvbdevfops should
be freed just like when dvb_register_media_device() fails.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
Fixes bug exposed by:
[a3fbc2e6bb0: media: mc-entity.c: use WARN_ON, validate link pads]
The dvbdev incorrectly requests a tuner sink pad to connect to a demux
sink pad. The media controller failure percolates back and the dvb device
creation fails. Fix this by requesting a tuner source pad. Instead of
forcing that pad to be index zero, check if a negative integer error
is returned. A note is added that first source pad found is chosen.
Affected bridges cx231xx and em28xx printed the below warning[s]
when a variety of media controller dvb enabled devices were connected.
The warning returns an error causing all affected devices to fail DVB
device creation.
[ 253.138332] ------------[ cut here ]------------
[ 253.138339] WARNING: CPU: 0 PID: 1550 at drivers/media/mc/mc-entity.c:669 media_create_pad_link+0x1e0/0x200 [mc]
[ 253.138339] Modules linked in: si2168 em28xx_dvb(+) em28xx si2157 lgdt3306a cx231xx_dvb dvb_core cx231xx_alsa cx25840 cx231xx tveeprom cx2341x i2c_mux videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc ir_rc5_decoder rc_hauppauge mceusb rc_core eda
c_mce_amd kvm nls_iso8859_1 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper efi_pstore wmi_bmof k10temp asix usbnet mii nouveau snd_hda_codec_realtek snd_hda_codec_generic input_leds ledtrig_audio snd_hda_codec_hdmi mxm_wmi snd_hda_in
tel video snd_intel_dspcfg ttm snd_hda_codec drm_kms_helper snd_hda_core drm snd_hwdep snd_seq_midi snd_seq_midi_event i2c_algo_bit snd_pcm snd_rawmidi fb_sys_fops snd_seq syscopyarea sysfillrect snd_seq_device sysimgblt snd_timer snd soundcore ccp mac_hid sch_fq_codel parport_p
c ppdev lp parport ip_tables x_tables autofs4 vfio_pci irqbypass vfio_virqfd vfio_iommu_type1 vfio hid_generic usbhid hid i2c_piix4 ahci libahci wmi gpio_amdpt
[ 253.138370] gpio_generic
[ 253.138372] CPU: 0 PID: 1550 Comm: modprobe Tainted: G W 5.7.0-rc2+ #181
[ 253.138373] Hardware name: MSI MS-7A39/B350M GAMING PRO (MS-7A39), BIOS 2.G0 04/27/2018
[ 253.138376] RIP: 0010:media_create_pad_link+0x1e0/0x200 [mc]
[ 253.138378] Code: 26 fd ff ff 44 8b 4d d0 eb d9 0f 0b 41 b9 ea ff ff ff 44 89 c8 c3 0f 0b 41 b9 ea ff ff ff eb f2 0f 0b 41 b9 ea ff ff ff eb e8 <0f> 0b 41 b9 ea ff ff ff eb af 0f 0b 41 b9 ea ff ff ff eb a5 66 90
[ 253.138379] RSP: 0018:ffffb9ecc0ee7a78 EFLAGS: 00010246
[ 253.138380] RAX: ffff943f706c99d8 RBX: 0000000000000000 RCX: 0000000000000000
[ 253.138381] RDX: ffff943f613e0180 RSI: 0000000000000000 RDI: ffff943f706c9958
[ 253.138381] RBP: ffffb9ecc0ee7ab0 R08: 0000000000000001 R09: ffff943f613e0180
[ 253.138382] R10: ffff943f613e0180 R11: ffff943f706c9400 R12: 0000000000000000
[ 253.138383] R13: 0000000000000001 R14: ffff943f706c9958 R15: 0000000000000001
[ 253.138384] FS: 00007f3cd29ba540(0000) GS:ffff943f8ec00000(0000) knlGS:0000000000000000
[ 253.138385] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 253.138385] CR2: 000055f7de0ca830 CR3: 00000003dd208000 CR4: 00000000003406f0
[ 253.138386] Call Trace:
[ 253.138392] media_create_pad_links+0x104/0x1b0 [mc]
[ 253.138397] dvb_create_media_graph+0x350/0x5f0 [dvb_core]
[ 253.138402] em28xx_dvb_init+0x5ea/0x2600 [em28xx_dvb]
[ 253.138408] em28xx_register_extension+0x63/0xc0 [em28xx]
[ 253.138410] ? 0xffffffffc039c000
[ 253.138412] em28xx_dvb_register+0x15/0x1000 [em28xx_dvb]
[ 253.138416] do_one_initcall+0x71/0x250
[ 253.138418] ? do_init_module+0x27/0x22e
[ 253.138421] ? _cond_resched+0x1a/0x50
[ 253.138423] ? kmem_cache_alloc_trace+0x1ec/0x270
[ 253.138425] ? __vunmap+0x1e3/0x240
[ 253.138427] do_init_module+0x5f/0x22e
[ 253.138430] load_module+0x2525/0x2d40
[ 253.138436] __do_sys_finit_module+0xe5/0x120
[ 253.138438] ? __do_sys_finit_module+0xe5/0x120
[ 253.138442] __x64_sys_finit_module+0x1a/0x20
[ 253.138443] do_syscall_64+0x57/0x1b0
[ 253.138445] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 253.138446] RIP: 0033:0x7f3cd24dc839
[ 253.138448] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[ 253.138449] RSP: 002b:00007ffe4fc514d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 253.138450] RAX: ffffffffffffffda RBX: 000055a9237f63f0 RCX: 00007f3cd24dc839
[ 253.138451] RDX: 0000000000000000 RSI: 000055a922c3ad2e RDI: 0000000000000000
[ 253.138451] RBP: 000055a922c3ad2e R08: 0000000000000000 R09: 0000000000000000
[ 253.138452] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 253.138453] R13: 000055a9237f5550 R14: 0000000000040000 R15: 000055a9237f63f0
[ 253.138456] ---[ end trace a60f19c54aa96ec4 ]---
[ 234.915628] ------------[ cut here ]------------
[ 234.915640] WARNING: CPU: 0 PID: 1502 at drivers/media/mc/mc-entity.c:669 media_create_pad_link+0x1e0/0x200 [mc]
[ 234.915641] Modules linked in: si2157 lgdt3306a cx231xx_dvb(+) dvb_core cx231xx_alsa cx25840 cx231xx tveeprom cx2341x i2c_mux videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc ir_rc5_decoder rc_hauppauge mceusb rc_core edac_mce_amd kvm nls_iso8859
_1 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper efi_pstore wmi_bmof k10temp asix usbnet mii nouveau snd_hda_codec_realtek snd_hda_codec_generic input_leds ledtrig_audio snd_hda_codec_hdmi mxm_wmi snd_hda_intel video snd_intel_dspcf
g ttm snd_hda_codec drm_kms_helper snd_hda_core drm snd_hwdep snd_seq_midi snd_seq_midi_event i2c_algo_bit snd_pcm snd_rawmidi fb_sys_fops snd_seq syscopyarea sysfillrect snd_seq_device sysimgblt snd_timer snd soundcore ccp mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tab
les x_tables autofs4 vfio_pci irqbypass vfio_virqfd vfio_iommu_type1 vfio hid_generic usbhid hid i2c_piix4 ahci libahci wmi gpio_amdpt gpio_generic
[ 234.915700] CPU: 0 PID: 1502 Comm: modprobe Not tainted 5.7.0-rc2+ #181
[ 234.915702] Hardware name: MSI MS-7A39/B350M GAMING PRO (MS-7A39), BIOS 2.G0 04/27/2018
[ 234.915709] RIP: 0010:media_create_pad_link+0x1e0/0x200 [mc]
[ 234.915712] Code: 26 fd ff ff 44 8b 4d d0 eb d9 0f 0b 41 b9 ea ff ff ff 44 89 c8 c3 0f 0b 41 b9 ea ff ff ff eb f2 0f 0b 41 b9 ea ff ff ff eb e8 <0f> 0b 41 b9 ea ff ff ff eb af 0f 0b 41 b9 ea ff ff ff eb a5 66 90
[ 234.915714] RSP: 0018:ffffb9ecc1b6fa50 EFLAGS: 00010246
[ 234.915717] RAX: ffff943f8c94a9d8 RBX: 0000000000000000 RCX: 0000000000000000
[ 234.915719] RDX: ffff943f613e0900 RSI: 0000000000000000 RDI: ffff943f8c94a958
[ 234.915721] RBP: ffffb9ecc1b6fa88 R08: 0000000000000001 R09: ffff943f613e0900
[ 234.915723] R10: ffff943f613e0900 R11: ffff943f6b590c00 R12: 0000000000000000
[ 234.915724] R13: 0000000000000001 R14: ffff943f8c94a958 R15: 0000000000000001
[ 234.915727] FS: 00007f4ca3646540(0000) GS:ffff943f8ec00000(0000) knlGS:0000000000000000
[ 234.915729] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 234.915731] CR2: 00007fff7a53ba18 CR3: 00000003da614000 CR4: 00000000003406f0
[ 234.915733] Call Trace:
[ 234.915745] media_create_pad_links+0x104/0x1b0 [mc]
[ 234.915756] dvb_create_media_graph+0x350/0x5f0 [dvb_core]
[ 234.915766] dvb_init.part.4+0x691/0x1360 [cx231xx_dvb]
[ 234.915780] dvb_init+0x1a/0x20 [cx231xx_dvb]
[ 234.915787] cx231xx_register_extension+0x71/0xa0 [cx231xx]
[ 234.915791] ? 0xffffffffc042f000
[ 234.915796] cx231xx_dvb_register+0x15/0x1000 [cx231xx_dvb]
[ 234.915802] do_one_initcall+0x71/0x250
[ 234.915807] ? do_init_module+0x27/0x22e
[ 234.915811] ? _cond_resched+0x1a/0x50
[ 234.915816] ? kmem_cache_alloc_trace+0x1ec/0x270
[ 234.915820] ? __vunmap+0x1e3/0x240
[ 234.915826] do_init_module+0x5f/0x22e
[ 234.915831] load_module+0x2525/0x2d40
[ 234.915848] __do_sys_finit_module+0xe5/0x120
[ 234.915850] ? __do_sys_finit_module+0xe5/0x120
[ 234.915862] __x64_sys_finit_module+0x1a/0x20
[ 234.915865] do_syscall_64+0x57/0x1b0
[ 234.915870] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 234.915872] RIP: 0033:0x7f4ca3168839
[ 234.915876] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[ 234.915878] RSP: 002b:00007ffcea3db3b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 234.915881] RAX: ffffffffffffffda RBX: 000055af22c29340 RCX: 00007f4ca3168839
[ 234.915882] RDX: 0000000000000000 RSI: 000055af22c38390 RDI: 0000000000000001
[ 234.915884] RBP: 000055af22c38390 R08: 0000000000000000 R09: 0000000000000000
[ 234.915885] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[ 234.915887] R13: 000055af22c29060 R14: 0000000000040000 R15: 0000000000000000
[ 234.915896] ---[ end trace a60f19c54aa96ec3 ]---
Signed-off-by: Brad Love <brad@nextdimension.cc>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
Use the newer API returning an ERRPTR and use the new helper to bail
out.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
|
|
In dvb_create_media_entity(), 'dvbdev->entity' is allocated through
kzalloc(). Then, 'dvbdev->pads' is allocated through kcalloc(). However, if
kcalloc() fails, the allocated 'dvbdev->entity' is not deallocated, leading
to a memory leak bug. To fix this issue, free 'dvbdev->entity' before
returning -ENOMEM.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
kmemdup is introduced to duplicate a region of memory in a neat way.
Rather than kmalloc/kzalloc + memcpy, which the programmer needs to
write the size twice (sometimes lead to mistakes), kmemdup improves
readability, leads to smaller code and also reduce the chances of mistakes.
Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy.
Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
As warned by smatch:
drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:529 dvb_register_device() error: double unlock 'sem:&minor_rwsem'
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
Use codespell to fix lots of typos over frontends.
Manually verified to avoid false-positives.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
On tuner pads, multiple signals are present. Be sure to get
the right PAD by using them.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
The implementation of strscpy() is more robust and safer.
That's now the recommended way to copy NUL terminated strings.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
Currently links between entities and an interface are just marked as
ENABLED. But (at least today) these links cannot be disabled by userspace
or the driver, so they should also be marked as IMMUTABLE.
It might become possible that drivers can disable such links (if for some
reason the device node cannot be used), so we might need to add a new link
flag at some point to mark interface links that can be changed by the driver
but not by userspace.
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
During destruction, a race condition in
dvb_media_controller_disable_source() can cause a kernel crash,
because the "mdev" pointer has been read successfully while another
task executes dvb_usb_media_device_unregister(), which destroys the
object. Example for such a crash:
general protection fault: 0000 [#1] SMP
CPU: 1 PID: 301 Comm: vdr Not tainted 4.8.1-nuc+ #102
[142B blob data]
task: ffff8802301f2040 task.stack: ffff880233728000
RIP: 0010:[<ffffffff816c296b>] [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120
RSP: 0018:ffff88023372bdd8 EFLAGS: 00010202
RAX: 001fd55c000000da RBX: ffff880236bad810 RCX: 0000000000000000
RDX: ffff880235bd81f0 RSI: 0000000000000246 RDI: ffff880235bd81e8
RBP: ffff88023372be00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88022f009910 R12: 0000000000000000
R13: ffff880235a21a80 R14: ffff880235bd8000 R15: ffff880235bb8a78
FS: 0000000000000000(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96edd69818 CR3: 0000000002406000 CR4: 00000000001006e0
Stack:
ffff88022f009900 0000000000000008 ffff880235bb8a78 ffff8802344fbb20
ffff880236437b40 ffff88023372be48 ffffffff8117a81e ffff880235bb8a78
ffff88022f009910 ffff8802335a7400 ffff8802301f2040 ffff88022f009900
Call Trace:
[<ffffffff8117a81e>] __fput+0xde/0x1d0
[<ffffffff8117a949>] ____fput+0x9/0x10
[<ffffffff810a9fce>] task_work_run+0x7e/0xa0
[<ffffffff81094bab>] do_exit+0x27b/0xa50
[<ffffffff810407e3>] ? __do_page_fault+0x1c3/0x430
[<ffffffff81095402>] do_group_exit+0x42/0xb0
[<ffffffff8109547f>] SyS_exit_group+0xf/0x10
[<ffffffff8108bedb>] entry_SYSCALL_64_fastpath+0x13/0x8f
Code: 31 c9 49 8d be e8 01 00 00 ba 01 00 00 00 be 03 00 00 00 e8 68 2d a0 ff 48 8b 83 10 03 00 00 48 8b 80 88 00 00 00 48 85 c0 74 12 <48> 8b 80 88 02 00 00 48 85 c0 74 06 49 8b 7d
RIP [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120
[mchehab+samsung@kernel.org: fix a Coding Style issue]
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
|
|
If allocation of struct board_info fails, return NULL from
dvb_module_probe().
Fix this warning:
drivers/media/dvb-core/dvbdev.c:958 dvb_module_probe() error: potential null dereference 'board_info'. (kzalloc returns null)
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Not sure why, but, on ia64, with Linaro's gcc 7.3 compiler,
using #ifdef (CONFIG_I2C) is not OK.
So, replace it by IS_ENABLED(CONFIG_I2C), in order to fix the
builds there.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The dvb_attach()/dvb_detach() methods are ugly hacks designed
to keep using the I2C low-level API. The proper way is to
do I2C bus bindings instead.
Several modules were already converted to use it. Yet,
it is painful to use it, as lots of code need to be
duplicated.
Make it easier by providing two new helper functions:
- dvb_module_probe()
- dvb_module_release()
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Except for DVB, all media kAPI headers are at include/media.
Move the headers to it.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
changeset 6bbf7a855d20 ("media: dvbdev: convert DVB device types into an enum")
added a new warning on gcc 6:
>> drivers/media/dvb-core/dvbdev.c:86:1: warning: control reaches end of non-void function [-Wreturn-type]
That's because gcc is not smart enough to see that all types are
present at the switch. Also, the current code is not too optimized.
So, replace it to a more optimized one, based on a static table.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 6bbf7a855d20 ("media: dvbdev: convert DVB device types into an enum")
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Enums can be documented via kernel-doc. So, convert the
DVB_DEVICE_* macros to an enum.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Drop the FSF's postal address from the source code files that typically
contain mostly the license text. Of the 628 removed instances, 578 are
outdated.
The patch has been created with the following command without manual edits:
git grep -l "675 Mass Ave\|59 Temple Place\|51 Franklin St" -- \
drivers/media/ include/media|while read i; do i=$i perl -e '
open(F,"< $ENV{i}");
$a=join("", <F>);
$a =~ s/[ \t]*\*\n.*You should.*\n.*along with.*\n.*(\n.*USA.*$)?\n//m
&& $a =~ s/(^.*)Or, (point your browser to) /$1To obtain the license, $2\n$1/m;
close(F);
open(F, "> $ENV{i}");
print F $a;
close(F);'; done
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
|
|
dvb_unregister_device() has a major problem: it combines unregistering
with memory disposal. Sometimes, it is necessary to unregister a
device, but no memory can be freed yet, because a process still has a
(stale) file handle. Therefore, we need to split
dvb_unregister_device(). This will allow sanitizing a few callers.
With my new design, dvb_unregister_device() appears misnamed, but to
reduce patch noise, I'm not renaming it just yet.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The dvb-core directly calls printk() without using the modern
printk macros, or using the proper printk levels. Change it
to use pr_foo().
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Instead of always return -ENOMEM, return the real error that should
come from media_create_pad_link().
Signed-off-by: Max Kellermann <max@duempel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
The test for the return code was mistakenly inverted. This caused DVB
devices with CA module to fail on modprobe.
Tested with TechnoTrend CT2-4650 CI USB tuner.
Signed-off-by: Olli Salonen <olli.salonen@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
The space is missing after ',', and this will be introduce much
noise when checking new patch around them.
Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Since the number of elements equals to 1, so just use kzalloc to
simplify the code and make it more readable.
Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
The parentheses are not required after return, and just remove it.
Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
The output of a tuner is not only IF frequencies. They may also
output audio on some of its pins, and may even be a zero-IF tuner,
with outputs a baseband. So, rename the PAD name to make it
clearer and add a proper documentation about that at tuner.h.
No functional changes.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Devices like mxl111sf-based WinTV Aero-m have multiple
frontends, all linked on the same demod. Currently, the
dvb_create_graph() function is not smart enough to create
multiple links. Fix it.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Several pure digital TV devices have a frontend with the tuner
integrated on it. Add the RF connector when dvb_create_media_graph()
is called on such devices.
Tested with siano and dvb_usb_mxl111sf drivers.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Those functions are used only if CONFIG_MEDIA_CONTROLLER_DVB.
Without that, if !CONFIG_MEDIA_CONTROLLER_DVB, it would produce
two warnings:
drivers/media/dvb-core/dvbdev.c:219:12: warning: 'dvb_create_tsout_entity' defined but not used [-Wunused-function]
static int dvb_create_tsout_entity(struct dvb_device *dvbdev,
^
drivers/media/dvb-core/dvbdev.c:264:12: warning: 'dvb_create_media_entity' defined but not used [-Wunused-function]
static int dvb_create_media_entity(struct dvb_device *dvbdev,
^
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
With the MC next gen rework, what's left for media_entity_init()
is to just initialize the PADs. However, certain devices, like
a FLASH led/light doesn't have any input or output PAD.
So, there's no reason why calling media_entity_init() would be
mandatory. Also, despite its name, what this function actually
does is to initialize the PADs data. So, rename it to
media_entity_pads_init() in order to reflect that.
The media entity actual init happens during entity register,
at media_device_register_entity(). We should move init of
num_links and num_backlinks to it.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
We should not be creating device nodes at IRQ contexts. So,
the only flags we'll be using will be GFP_KERNEL. Let's
remove the gfp_flags, in order to make the interface simpler.
If we ever need it, it would be easy to revert those changes.
While here, remove an extra blank line.
Suggested-by: Sakari Ailus <sakari.ailus@iki.fi>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Indirect links are those whose interface indirectly controls
other functions.
There are two interfaces that have indirect controls at the DVB
side:
- the network interface, which also controls the demux;
- the DVR interface which also controls the demux.
One could argue that the frontend control to the tuner is indirect.
Well, that's debatable. There's no way to create subdev interfaces
for tuner and demod, as those devices are tightly coupled. So, it
was decided that just one interface is the best to control both
entities, and there's no plan (or easy way) to decouple both. So,
the DVB frontend interface should link to both entities.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Cleanup the code a little bit by moving the routine that creates
links between DVR and demux to the I/O entitis into a separate
function.
While here, fix the code to use strncmp() instead of strcmp().
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Rename the userspace types from MEDIA_ENT_T_ to MEDIA_ENT_F_
and add the backward compatibility bits.
The changes at the .c files was generated by the following
coccinelle script:
@@
@@
-MEDIA_ENT_T_UNKNOWN
+MEDIA_ENT_F_UNKNOWN
@@
@@
-MEDIA_ENT_T_DVB_BASE
+MEDIA_ENT_F_DVB_BASE
@@
@@
-MEDIA_ENT_T_V4L2_BASE
+MEDIA_ENT_F_V4L2_BASE
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_BASE
+MEDIA_ENT_F_V4L2_SUBDEV_BASE
@@
@@
-MEDIA_ENT_T_CONNECTOR_BASE
+MEDIA_ENT_F_CONNECTOR_BASE
@@
@@
-MEDIA_ENT_T_V4L2_VIDEO
+MEDIA_ENT_F_IO_V4L
@@
@@
-MEDIA_ENT_T_V4L2_VBI
+MEDIA_ENT_F_IO_VBI
@@
@@
-MEDIA_ENT_T_V4L2_SWRADIO
+MEDIA_ENT_F_IO_SWRADIO
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_UNKNOWN
+MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN
@@
@@
-MEDIA_ENT_T_CONN_RF
+MEDIA_ENT_F_CONN_RF
@@
@@
-MEDIA_ENT_T_CONN_SVIDEO
+MEDIA_ENT_F_CONN_SVIDEO
@@
@@
-MEDIA_ENT_T_CONN_COMPOSITE
+MEDIA_ENT_F_CONN_COMPOSITE
@@
@@
-MEDIA_ENT_T_CONN_TEST
+MEDIA_ENT_F_CONN_TEST
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_SENSOR
+MEDIA_ENT_F_CAM_SENSOR
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_FLASH
+MEDIA_ENT_F_FLASH
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_LENS
+MEDIA_ENT_F_LENS
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_DECODER
+MEDIA_ENT_F_ATV_DECODER
@@
@@
-MEDIA_ENT_T_V4L2_SUBDEV_TUNER
+MEDIA_ENT_F_TUNER
@@
@@
-MEDIA_ENT_T_DVB_DEMOD
+MEDIA_ENT_F_DTV_DEMOD
@@
@@
-MEDIA_ENT_T_DVB_DEMUX
+MEDIA_ENT_F_TS_DEMUX
@@
@@
-MEDIA_ENT_T_DVB_TSOUT
+MEDIA_ENT_F_IO_DTV
@@
@@
-MEDIA_ENT_T_DVB_CA
+MEDIA_ENT_F_DTV_CA
@@
@@
-MEDIA_ENT_T_DVB_NET_DECAP
+MEDIA_ENT_F_DTV_NET_DECAP
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Entities should have one or more functions. Calling it as a
type proofed to not be correct, as an entity could eventually
have more than one type.
So, rename the field as function.
Please notice that this patch doesn't extend support for
multiple function entities. Such change will happen when
we have real case drivers using it.
No functional changes.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Right now, if something gets wrong at dvb_create_media_entity()
or at dvb_create_media_graph(), the device will still be
registered.
Change the logic to properly handle it and free all media graph
objects if something goes wrong at dvb_register_device().
Also, change the logic at dvb_create_media_graph() to return
an error code if something goes wrong. It is up to the
caller to implement the right logic and to call
dvb_unregister_device() to unregister the already-created
objects.
While here, add a missing logic to unregister the created
interfaces.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Interface links are normally enabled, meaning that the interfaces are
bound to the entities. So, any ioctl sent to the interface are reflected
at the entities managed by the interface.
However, when a device is in use, other interfaces for the same hardware
could be decoupled from the entities linked to them, because the
hardware may have some parts busy.
That's for example, what happens when an hybrid TV device is in use.
If it is streaming analog TV or capturing signals from S-Video/Composite
connectors, typically the digital part of the hardware can't be used and
vice-versa.
This is generally due to some internal hardware or firmware limitation,
that it is not easily mapped via data pipelines.
What the Kernel drivers do internally is that they decouple the hardware
from the interface. So, all changes, if allowed, are done only at some
interface cache, but not physically changed at the hardware.
The usage is similar to the usage of the MEDIA_LNK_FL_ENABLED on data
links. So, let's use the same flag to indicate if either the interface
to entity link is bound/enabled or not.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Tuners actually have at least one connector on its input.
Add a PAD to connect it.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
