1. 03 Jun, 2019 2 commits
    • Hans Verkuil's avatar
      media: dvb-usb/cxusb-analog.c: fix coccinelle warning, use ktime.h · e867110a
      Hans Verkuil authored
      This patch fixes a coccinelle warning and includes ktime.h instead of
      timekeeping.h. The first includes the latter, but the latter doesn't
      exist before 3.17, causing problems for our compat build. It's easier
      to just use ktime.h instead.
      
      coccinelle warnings: (new ones prefixed by >>)
      
      >> drivers/media/usb/dvb-usb/cxusb-analog.c:1498:41-42: WARNING: Use ARRAY_SIZE
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      e867110a
    • Kefeng Wang's avatar
      media: wl128x: Fix some error handling in fm_v4l2_init_video_device() · 69fbb3f4
      Kefeng Wang authored
      X-Originating-IP: [10.175.113.25]
      X-CFilter-Loop: Reflected
      The fm_v4l2_init_video_device() forget to unregister v4l2/video device
      in the error path, it could lead to UAF issue, eg,
      
        BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
        BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
        BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
        Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
      
        CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0xa9/0x10e lib/dump_stack.c:113
         print_address_description+0x65/0x270 mm/kasan/report.c:187
         kasan_report+0x149/0x18d mm/kasan/report.c:317
         atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
         atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
         __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
         fm_v4l2_fops_open+0xac/0x120 [fm_drv]
         v4l2_open+0x191/0x390 [videodev]
         chrdev_open+0x20d/0x570 fs/char_dev.c:417
         do_dentry_open+0x700/0xf30 fs/open.c:777
         do_last fs/namei.c:3416 [inline]
         path_openat+0x7c4/0x2a90 fs/namei.c:3532
         do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
         do_sys_open+0x302/0x490 fs/open.c:1069
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f8180c17c8e
        ...
        Allocated by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
         fm_drv_init+0x13/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        Freed by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
         slab_free_hook mm/slub.c:1429 [inline]
         slab_free_freelist_hook mm/slub.c:1456 [inline]
         slab_free mm/slub.c:3003 [inline]
         kfree+0xe1/0x270 mm/slub.c:3958
         fm_drv_init+0x1e6/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Add relevant unregister functions to fix it.
      
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      69fbb3f4
  2. 29 May, 2019 38 commits