Memory allocated for maxiradio device is not deallocated when
the device is removed.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
If *nplanes is not zero, it should use the requested size if valid
Signed-off-by: Helen Koike <helen.koike@collabora.co.uk>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The dv_timings_cap() and enum_dv_timings() pad operations take a pad
number as an input argument and return the DV timings capabilities and
list of supported DV timings for that pad.
Commit bd3e275f3e ("[media] media: i2c: adv7604: Use v4l2-dv-timings
helpers") broke this as it started ignoring the pad number, always
returning the information associated with the currently selected input.
Fix it.
Fixes: bd3e275f3e ("[media] media: i2c: adv7604: Use v4l2-dv-timings helpers")
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This patch adds V4L2 controls for Auto Exposure Control and Auto Gain
Control settings. These settings include low pass filter, update
frequency of these settings and the update interval for those units.
[Avoid forward declarations]
[Fix 80 columns limit violation]
[Rename controls to avoid underscores in names]
[Fix the AEC maximum shutter width on MT9V032]
Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The power_on function of the driver resets the chip and sets the
CHIP_CONTROL register to 0. This switches the operating mode to slave.
The s_stream function sets the correct mode. But this caused problems on
a board where the camera chip is operated as master. The camera started
after a random amount of time streaming an image, I observed between 10
and 300 seconds.
The STRFM_OUT and STLN_OUT pins are not connected on this board which
may cause some issues in slave mode. I could not find any documentation
about this.
Keeping the chip in master mode after the reset helped to fix this
issue for me.
Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Since commit b42261078a ("regmap: i2c: fallback to SMBus if the adapter
does not support standard I2C"), regmap-i2c will check the
I2C_FUNC_SMBUS_[BYTE|WORD]_DATA functionality based on the regmap_config
setting if the adapter does not support standard I2C.
So remove the I2C_FUNC_SMBUS_WORD_DATA functionality check in the driver code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
If the driver fails to reset the camera or to set up control handlers, it
has to power the camera back off.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This v4l2_subdev_internal_ops structure is never modified. All other
v4l2_subdev_internal_ops structures are declared as const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The value is not used after the assignment.
Signed-off-by: Sakari Ailus <sakari.ailus@iki.fi>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Users won't know what to put in this module option if it isn't
described.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Audio hw params are shared across all DMA channels,
so if the user changes any of these while any DMA channel is
enabled, it will impact the enabled channels, potentially causing
serious instability issues.
This commit avoids such situation, by preventing any hw param
change (on any DMA channel) if any other DMA audio channel is capturing.
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Currently, the driver has a fixed period size of 4096 bytes
(2048 frames). Since this hardware can configure the audio
capture size, this commit allows a period size range of [512-4096].
This is very useful to reduce the audio latency.
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Now that we've introduced the dma_mode parameter to pick the
DMA operation, let's use it to also select the audio DMA
operation.
When dma_mode != memcpy, the driver will avoid using memcpy
in the audio capture path, and the DMA hardware operation
will act directly on the ALSA buffers.
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Now that the driver has the infrastructure to support more
DMA modes, let's add the DMA scatter-gather mode.
In this mode, the device delivers sequential top-bottom
frames. The scatter-gather logic is based on staging's
tw686x-kh driver (by Krzysztof Ha?asa).
Tested-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Now that the driver has the infrastructure to support more
DMA modes, let's add the DMA contiguous interlaced frame mode.
In this mode, the DMA P and B buffers are programmed with
the user-provided buffers. When a P (or B) frame is ready,
a new buffer is dequeued into P (or B).
In addition to interlaced fields, the device can also be
programmed to deliver alternate fields. Only interlaced
mode is supported for now.
Tested-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Let's set the corner stone to support all the DMA modes
available on this device.
For stability reasons, the driver is currently setting DMA frame
mode, and using single DMA buffers to get the P and B buffers.
Each frame is then memcpy'ed into the user buffer.
However, other platforms might be interested in avoiding this
memcpy, or in taking advantage of the chip's DMA scatter-gather
capabilities.
To achieve this, this commit introduces a "dma_mode" module parameter,
and a tw686x_dma_ops struct. This will allow to define functions to
alloc/free DMA buffers, and to return the frames to userspace.
The memcpy-based method described above is named as dma_mode="memcpy".
Current alloc/free functions are renamed as tw686x_memcpy_xxx,
and are now used through a memcpy_dma_ops.
Tested-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Those structs are used only at bdisp-hw, so they shouldn't be
there in a header file that it is used elsewhere.
This fixes the following Gcc 6.1 warnings:
In file included from drivers/media/platform/sti/bdisp/bdisp-debug.c:11:0:
drivers/media/platform/sti/bdisp/bdisp-filter.h:207:65: warning: ‘bdisp_v_spec’ defined but not used [-Wunused-const-variable=]
static const struct __maybe_unused bdisp_filter_v_spec bdisp_v_spec[] = {
^~~~~~~~~
In file included from drivers/media/platform/sti/bdisp/bdisp-debug.c:11:0:
drivers/media/platform/sti/bdisp/bdisp-filter.h:23:65: warning: ‘bdisp_h_spec’ defined but not used [-Wunused-const-variable=]
static const struct __maybe_unused bdisp_filter_h_spec bdisp_h_spec[] = {
^~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about an unused table:
drivers/media/i2c/adv7842.c:2400:27: warning: 'prim_mode_txt' defined but not used [-Wunused-const-variable=]
static const char * const prim_mode_txt[] = {
^~~~~~~~~~~~~
That seems to be useful for debug, and likely were used before.
While we could simply remove, let's comment it out, for now.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about an unused table:
drivers/media/usb/em28xx/em28xx-dvb.c:907:38: warning: 'pctv_461e_m88ds3103_config' defined but not used [-Wunused-const-variable=]
static const struct m88ds3103_config pctv_461e_m88ds3103_config = {
^~~~~~~~~~~~~~~~~~~~~~~~~~
That's a left over of patch 76b91be3d3 ('em28xx: PCTV 461e use I2C
client for demod and SEC').
Remove the dead code.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about some unused vars. Remove them:
drivers/media/platform/vivid/vivid-vid-cap.c:40:2: warning: 'tpf_default' defined but not used [-Wunused-const-variable=]
tpf_default = {.numerator = 1, .denominator = 30};
^~~~~~~~~~~
drivers/media/platform/vivid/vivid-sdr-cap.c:54:27: warning: 'NUM_FORMATS' defined but not used [-Wunused-const-variable=]
static const unsigned int NUM_FORMATS = ARRAY_SIZE(formats);
^~~~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about some unused tables:
drivers/media/pci/zoran/zr36016.c:251:18: warning: 'zr016_yoff' defined but not used [-Wunused-const-variable=]
static const int zr016_yoff[] = { 8, 9, 7 };
^~~~~~~~~~
drivers/media/pci/zoran/zr36016.c:250:18: warning: 'zr016_xoff' defined but not used [-Wunused-const-variable=]
static const int zr016_xoff[] = { 20, 20, 20 };
^~~~~~~~~~
Those tables aren't used anywere. So, remove them.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
As Gcc6.1 warned, those tables are currently unused:
drivers/media/tuners/r820t.c:349:18: warning: 'r820t_mixer_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_mixer_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~~~
drivers/media/tuners/r820t.c:345:18: warning: 'r820t_lna_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_lna_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~
They're actually used only by a routine that it is currently
commented out. So, move those tables to be together with such
code and comment them out.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Those tables are currently unused, so comment them out:
drivers/media/dvb-frontends/dib0090.c:852:18: warning: 'rf_ramp_pwm_sband' defined but not used [-Wunused-const-variable=]
static const u16 rf_ramp_pwm_sband[] = {
^~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/dib0090.c:800:18: warning: 'bb_ramp_pwm_boost' defined but not used [-Wunused-const-variable=]
static const u16 bb_ramp_pwm_boost[] = {
^~~~~~~~~~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Avoid this warning:
drivers/media/dvb-frontends/drx39xyj/drxj.c:1243:18: warning: 'nicam_presc_table_val' defined but not used [-Wunused-const-variable=]
static const u16 nicam_presc_table_val[43] = {
^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The PCI device ID table is only used if compiled with modules
support. When compiled with modules disabled, this is now
producing this bogus warning:
drivers/media/pci/cx25821/cx25821-alsa.c:696:35: warning: 'cx25821_audio_pci_tbl' defined but not used [-Wunused-const-variable=]
static const struct pci_device_id cx25821_audio_pci_tbl[] = {
^~~~~~~~~~~~~~~~~~~~~
Fix it by annotating that the function may not be used.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The mc5602_s5k4aa.h has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The mc5602_brigde.h is included at m5602 submodules. This
causes Gcc 6.1 to complain:
drivers/media/usb/gspca/m5602/m5602_bridge.h:124:28: warning: 'sensor_urb_skeleton' defined but not used [-Wunused-const-variable=]
static const unsigned char sensor_urb_skeleton[] = {
^~~~~~~~~~~~~~~~~~~
drivers/media/usb/gspca/m5602/m5602_bridge.h:119:28: warning: 'bridge_urb_skeleton' defined but not used [-Wunused-const-variable=]
static const unsigned char bridge_urb_skeleton[] = {
^~~~~~~~~~~~~~~~~~~
Let's shut up gcc 6.1 warnings by moving those data structures
to the core, as they're used only there.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 now complains about unused vars:
drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
In file included from drivers/media/pci/cx18/cx18-cards.c:25:0:
drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:495:18: warning: 'vbi_active_samples' defined but not used [-Wunused-const-variable=]
static const u32 vbi_active_samples = 1444; /* 4 byte SAV + 720 Y + 720 U/V */
^~~~~~~~~~~~~~~~~~
In this specific case, this is somewhat intentional, as those
values are actually used in parts of the driver. The code assumes
that gcc optimizer it and not actually create any var, but convert
it to immediate access at the routines.
Yet, as we want to shut up gcc warnings, let's use #define, with
is the standard way to store values that will use assembler's
immediate access code.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about some unused vars and functions. Remove them:
drivers/media/platform/exynos4-is/mipi-csis.c:665:46: warning: 's5pcsis_sd_internal_ops' defined but not used [-Wunused-const-variable=]
static const struct v4l2_subdev_internal_ops s5pcsis_sd_internal_ops = {
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/platform/exynos4-is/mipi-csis.c:652:12: warning: 's5pcsis_open' defined but not used [-Wunused-function]
static int s5pcsis_open(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
^~~~~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Gcc 6.1 warns about some unused vars. Remove them:
drivers/media/usb/usbvision/usbvision-core.c:94:18: warning: 'min_imgheight' defined but not used [-Wunused-const-variable=]
static const int min_imgheight = MIN_FRAME_HEIGHT;
^~~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:93:18: warning: 'min_imgwidth' defined but not used [-Wunused-const-variable=]
static const int min_imgwidth = MIN_FRAME_WIDTH;
^~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:92:18: warning: 'max_imgheight' defined but not used [-Wunused-const-variable=]
static const int max_imgheight = MAX_FRAME_HEIGHT;
^~~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:91:18: warning: 'max_imgwidth' defined but not used [-Wunused-const-variable=]
static const int max_imgwidth = MAX_FRAME_WIDTH;
^~~~~~~~~~~~
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Two parameters were documented with a wrong name, and a struct
device pointer description was missing.
That caused the following warnings, when building documentation:
include/media/media-devnode.h:102: warning: No description found for parameter 'media_dev'
include/media/media-devnode.h:126: warning: No description found for parameter 'mdev'
include/media/media-devnode.h:126: warning: Excess function parameter 'media_dev' description in 'media_devnode_register'
Rename the description, to match the function parameter and fix
Documentation.
No funcional changes.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/platform/rcar-vin/rcar-core.c: In function 'rvin_graph_notify_complete':
drivers/media/platform/rcar-vin/rcar-core.c:65:22: warning: variable 'sd' set but not used [-Wunused-but-set-variable]
struct v4l2_subdev *sd;
^
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
A V4L2 driver for Renesas R-Car VIN driver that do not depend on
soc_camera. The driver is heavily based on its predecessor and aims to
replace it.
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
which will be dequeued is not known until the buffer has been removed from
the queue. The number of planes is specific to a buffer, not to the queue.
This does lead to the situation where multi-plane buffers may be requested
and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
struct with fewer planes.
__fill_v4l2_buffer() however uses the number of planes from the dequeued
videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
planes than the dequeued buffer had. Oops!
Fixes: b0e0e1f83d ("[media] media: videobuf2: Prepare to divide videobuf2")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: stable@vger.kernel.org # for v4.4 and later
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
An earlier patch fixing an input validation issue introduced another
issue: vb2_core_dqbuf() is called with pb argument value NULL in some
cases, causing a NULL pointer dereference. Fix this by skipping the
verification as there's nothing to verify.
Fixes: e7e0c3e265 ("[media] videobuf2-core: Check user space planes array in dqbuf")
Signed-off-by: David R <david@unsolicited.net>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: stable@vger.kernel.org # for v4.4 and later
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Media devnode open/ioctl could be in progress when media device unregister
is initiated. System calls and ioctls check media device registered status
at the beginning, however, there is a window where unregister could be in
progress without changing the media devnode status to unregistered.
process 1 process 2
fd = open(/dev/media0)
media_devnode_is_registered()
(returns true here)
media_device_unregister()
(unregister is in progress
and devnode isn't
unregistered yet)
...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
(returns true here)
...
media_devnode_unregister()
...
(driver releases the media device
memory)
media_device_ioctl()
(By this point
devnode->media_dev does not
point to allocated memory.
use-after free in in mutex_lock_nested)
BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr
ffff8801ebe914f0
Fix it by clearing register bit when unregister starts to avoid the race.
process 1 process 2
fd = open(/dev/media0)
media_devnode_is_registered()
(could return true here)
media_device_unregister()
(clear the register bit,
then start unregister.)
...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
(return false here, ioctl
returns I/O error, and
will not access media
device memory)
...
media_devnode_unregister()
...
(driver releases the media device
memory)
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
When driver unbinds while media_ioctl is in progress, cdev_put() fails with
when app exits after driver unbinds.
Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets
a reference to it and releases it in cdev_del() ensuring that the devnode
is not deallocated as long as the application has the device file open.
media_devnode_register() initializes the struct device kobj before calling
cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the
device. devnode is released when the last reference to the struct device is
gone.
This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has
been tested on all three.
kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50
kernel: [ 193.599745] Read of size 8 by task media_device_te/1851
kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54
kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0
kernel: [ 193.601083] Call Trace:
kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94
kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0
kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40
kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530
kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40
kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0
kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50
kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50
kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0
kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a
kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10
kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0
kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e
kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20
kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250
-
-
-
kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7
kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120
kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a
kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
struct media_devnode is currently embedded at struct media_device.
While this works fine during normal usage, it leads to a race
condition during devnode unregister. the problem is that drivers
assume that, after calling media_device_unregister(), the struct
that contains media_device can be freed. This is not true, as it
can't be freed until userspace closes all opened /dev/media devnodes.
In other words, if the media devnode is still open, and media_device
gets freed, any call to an ioctl will make the core to try to access
struct media_device, with will cause an use-after-free and even GPF.
Fix this by dynamically allocating the struct media_devnode and only
freeing it when it is safe.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Along all media controller code, "mdev" is used to represent
a pointer to struct media_device, and "devnode" for a pointer
to struct media_devnode.
However, inside media-devnode.[ch], "mdev" is used to represent
a pointer to struct media_devnode.
This is very confusing and may lead to development errors.
So, let's change all occurrences at media-devnode.[ch] to
also use "devnode" for such pointers.
This patch doesn't make any functional changes.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
For the third time in three years, I'm changing my e-mail at
Samsung. That's bad, as it may stop communications with me for
a while. So, this time, I'll also the mchehab@kernel.org e-mail,
as it remains stable since ever.
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
status is not initialized so it can contain garbage. The
check for status containing the FE_HAS_LOCK bit may randomly pass
or fail if the read of register 0x8c fails to set status after 25
read attempts. Fix this by initializing status to 0.
Issue found with CoverityScan, CID#986738
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
The code is checking for negative returns but it should be checking for
zero.
Fixes: aab3125c43 ('[media] em28xx: add support for registering multiple i2c buses')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>