1. 24 Jun, 2016 4 commits
      m5602_core: move skeletons to the .c file · 511ebc09
      Mauro Carvalho Chehab authored
      The m5602_bridge.h is included in the m5602 submodules. This
      causes Gcc 6.1 to complain:
      
      drivers/media/usb/gspca/m5602/m5602_bridge.h:124:28: warning: 'sensor_urb_skeleton' defined but not used [-Wunused-const-variable=]
       static const unsigned char sensor_urb_skeleton[] = {
                                  ^~~~~~~~~~~~~~~~~~~
      drivers/media/usb/gspca/m5602/m5602_bridge.h:119:28: warning: 'bridge_urb_skeleton' defined but not used [-Wunused-const-variable=]
       static const unsigned char bridge_urb_skeleton[] = {
                                 ^~~~~~~~~~~~~~~~~~~
      
      Let's shut up gcc 6.1 warnings by moving those data structures
      to the core, as they're used only there.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      cx18: use macros instead of static const vars · 318de791
      Mauro Carvalho Chehab authored
      Gcc 6.1 now complains about unused vars:
      
      drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
       static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
                        ^~~~~~~~~~~~~~~~~~~~~~~
      drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
       static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
                        ^~~~~~~~~~~~~~~~~~~~~~~
      In file included from drivers/media/pci/cx18/cx18-cards.c:25:0:
      drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
       static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
                        ^~~~~~~~~~~~~~~~~~~~~~~
      drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
       static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
                        ^~~~~~~~~~~~~~~~~~~~~~~
      drivers/media/pci/cx18/cx18-driver.h:495:18: warning: 'vbi_active_samples' defined but not used [-Wunused-const-variable=]
       static const u32 vbi_active_samples = 1444; /* 4 byte SAV + 720 Y + 720 U/V */
                        ^~~~~~~~~~~~~~~~~~
      
      In this specific case, this is somewhat intentional, as those
      values are actually used in parts of the driver. The code assumes
      that the gcc optimizer will not actually create any var, but convert
      them to immediate access in the routines.
      
      Yet, as we want to shut up gcc warnings, let's use #define, which
      is the standard way to store values that will use assembler's
      immediate access code.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      exynos4-is: remove some unused vars · 21ed2034
      Mauro Carvalho Chehab authored
      Gcc 6.1 warns about some unused vars and functions. Remove them:
      
      drivers/media/platform/exynos4-is/mipi-csis.c:665:46: warning: 's5pcsis_sd_internal_ops' defined but not used [-Wunused-const-variable=]
       static const struct v4l2_subdev_internal_ops s5pcsis_sd_internal_ops = {
                                                    ^~~~~~~~~~~~~~~~~~~~~~~
      
      drivers/media/platform/exynos4-is/mipi-csis.c:652:12: warning: 's5pcsis_open' defined but not used [-Wunused-function]
       static int s5pcsis_open(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
                  ^~~~~~~~~~~~
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      usbvision: remove some unused vars · d69bb093
      Mauro Carvalho Chehab authored
      Gcc 6.1 warns about some unused vars. Remove them:
      
      drivers/media/usb/usbvision/usbvision-core.c:94:18: warning: 'min_imgheight' defined but not used [-Wunused-const-variable=]
       static const int min_imgheight = MIN_FRAME_HEIGHT;
                        ^~~~~~~~~~~~~
      drivers/media/usb/usbvision/usbvision-core.c:93:18: warning: 'min_imgwidth' defined but not used [-Wunused-const-variable=]
       static const int min_imgwidth = MIN_FRAME_WIDTH;
                        ^~~~~~~~~~~~
      drivers/media/usb/usbvision/usbvision-core.c:92:18: warning: 'max_imgheight' defined but not used [-Wunused-const-variable=]
       static const int max_imgheight = MAX_FRAME_HEIGHT;
                        ^~~~~~~~~~~~~
      drivers/media/usb/usbvision/usbvision-core.c:91:18: warning: 'max_imgwidth' defined but not used [-Wunused-const-variable=]
       static const int max_imgwidth = MAX_FRAME_WIDTH;
                        ^~~~~~~~~~~~
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
  2. 16 Jun, 2016 5 commits
  3. 15 Jun, 2016 4 commits
      [media] media: fix media devnode ioctl/syscall and unregister race · 6f0dd24a
      Shuah Khan authored
      Media devnode open/ioctl could be in progress when media device unregister
      is initiated. System calls and ioctls check media device registered status
      at the beginning, however, there is a window where unregister could be in
      progress without changing the media devnode status to unregistered.
      
      process 1				process 2
      fd = open(/dev/media0)
      media_devnode_is_registered()
      	(returns true here)
      
      					media_device_unregister()
      						(unregister is in progress
      						and devnode isn't
      						unregistered yet)
      					...
      ioctl(fd, ...)
      __media_ioctl()
      media_devnode_is_registered()
      	(returns true here)
      					...
      					media_devnode_unregister()
      					...
      					(driver releases the media device
      					memory)
      
      media_device_ioctl()
      	(By this point
      	devnode->media_dev does not
      	point to allocated memory.
      	use-after-free in mutex_lock_nested)
      
      BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr
      ffff8801ebe914f0
      
      Fix it by clearing register bit when unregister starts to avoid the race.
      
      process 1                               process 2
      fd = open(/dev/media0)
      media_devnode_is_registered()
              (could return true here)
      
                                              media_device_unregister()
                                                      (clear the register bit,
      						 then start unregister.)
                                              ...
      ioctl(fd, ...)
      __media_ioctl()
      media_devnode_is_registered()
              (return false here, ioctl
      	 returns I/O error, and
      	 will not access media
      	 device memory)
                                              ...
                                              media_devnode_unregister()
                                              ...
                                              (driver releases the media device
      					 memory)
      Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
      Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
      Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      [media] media: fix use-after-free in cdev_put() when app exits after driver unbind · 5b28dde5
      Shuah Khan authored
      When driver unbinds while media_ioctl is in progress, cdev_put() fails with
      when app exits after driver unbinds.
      
      Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets
      a reference to it and releases it in cdev_del() ensuring that the devnode
      is not deallocated as long as the application has the device file open.
      
      media_devnode_register() initializes the struct device kobj before calling
      cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the
      device. devnode is released when the last reference to the struct device is
      gone.
      
      This problem is found on uvcvideo, em28xx, and au0828 drivers and the fix has
      been tested on all three.
      
      kernel: [  193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50
      kernel: [  193.599745] Read of size 8 by task media_device_te/1851
      kernel: [  193.599792] INFO: Allocated in __media_device_register+0x54
      kernel: [  193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0
      
      kernel: [  193.601083] Call Trace:
      kernel: [  193.601093]  [<ffffffff81aecac3>] dump_stack+0x67/0x94
      kernel: [  193.601102]  [<ffffffff815359b2>] print_trailer+0x112/0x1a0
      kernel: [  193.601111]  [<ffffffff8153b5e4>] object_err+0x34/0x40
      kernel: [  193.601119]  [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530
      kernel: [  193.601128]  [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40
      kernel: [  193.601137]  [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0
      kernel: [  193.601154]  [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50
      kernel: [  193.601162]  [<ffffffff8157ca7e>] cdev_put+0x4e/0x50
      kernel: [  193.601170]  [<ffffffff815767eb>] __fput+0x52b/0x6c0
      kernel: [  193.601179]  [<ffffffff8117743a>] ? switch_task_namespaces+0x2a
      kernel: [  193.601188]  [<ffffffff815769ee>] ____fput+0xe/0x10
      kernel: [  193.601196]  [<ffffffff81170023>] task_work_run+0x133/0x1f0
      kernel: [  193.601204]  [<ffffffff8117746e>] ? switch_task_namespaces+0x5e
      kernel: [  193.601213]  [<ffffffff8111b50c>] do_exit+0x72c/0x2c20
      kernel: [  193.601224]  [<ffffffff8111ade0>] ? release_task+0x1250/0x1250
      -
      -
      -
      kernel: [  193.601360]  [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7
      kernel: [  193.601368]  [<ffffffff810035c0>] exit_to_usermode_loop+0x120
      kernel: [  193.601376]  [<ffffffff810061da>] syscall_return_slowpath+0x16a
      kernel: [  193.601386]  [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6
      Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
      Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      [media] media-device: dynamically allocate struct media_devnode · a087ce70
      Mauro Carvalho Chehab authored
      struct media_devnode is currently embedded at struct media_device.
      
      While this works fine during normal usage, it leads to a race
      condition during devnode unregister. The problem is that drivers
      assume that, after calling media_device_unregister(), the struct
      that contains media_device can be freed. This is not true, as it
      can't be freed until userspace closes all opened /dev/media devnodes.
      
      In other words, if the media devnode is still open, and media_device
      gets freed, any call to an ioctl will make the core try to access
      struct media_device, which will cause a use-after-free and even GPF.
      
      Fix this by dynamically allocating the struct media_devnode and only
      freeing it when it is safe.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      [media] media-devnode: fix namespace mess · 163f1e93
      Mauro Carvalho Chehab authored
      Along all media controller code, "mdev" is used to represent
      a pointer to struct media_device, and "devnode" for a pointer
      to struct media_devnode.
      
      However, inside media-devnode.[ch], "mdev" is used to represent
      a pointer to struct media_devnode.
      
      This is very confusing and may lead to development errors.
      
      So, let's change all occurrences at media-devnode.[ch] to
      also use "devnode" for such pointers.
      
      This patch doesn't make any functional changes.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
  4. 14 Jun, 2016 1 commit
  5. 10 Jun, 2016 2 commits
  6. 09 Jun, 2016 6 commits
  7. 07 Jun, 2016 18 commits