1. 19 Nov, 2016 1 commit
    • [media] rc-main: clear rc_map.name in ir_free_table() · c183d358
      Max Kellermann committed
      rc_unregister_device() will first call ir_free_table(), and later
      device_del(); however, the latter causes a call to rc_dev_uevent(),
      which prints rc_map.name, which at this point has already been freed.
      
      This fixes a use-after-free bug found with KASAN.
      
      As reported by Shuah:
      
       "I am seeing the following when I do rmmod on au0828
      
        BUG: KASAN: use-after-free in string+0x170/0x1f0 at addr ffff8801bd513000
        Read of size 1 by task rmmod/1831
        CPU: 1 PID: 1831 Comm: rmmod Tainted: G        W       4.9.0-rc5 #5
        Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012
        ffff8801aea2f680 ffffffff81b37ad3 ffff8801fa403b80 ffff8801bd513000
        ffff8801aea2f6a8 ffffffff8156c301 ffff8801aea2f738 ffff8801bd513000
        ffff8801fa403b80 ffff8801aea2f728 ffffffff8156c59a ffff8801aea2f770
        Call Trace:
        dump_stack+0x67/0x94
        [<ffffffff8156c301>] kasan_object_err+0x21/0x70
        [<ffffffff8156c59a>] kasan_report_error+0x1fa/0x4d0
        [<ffffffffa116f05f>] ? au0828_exit+0x10/0x21 [au0828]
        [<ffffffff8156c8b3>] __asan_report_load1_noabort+0x43/0x50
        [<ffffffff81b58b20>] ? string+0x170/0x1f0
        [<ffffffff81b58b20>] string+0x170/0x1f0
        [<ffffffff81b621c4>] vsnprintf+0x374/0x1c50
        [<ffffffff81b61e50>] ? pointer+0xa80/0xa80
        [<ffffffff8156b676>] ? save_stack+0x46/0xd0
        [<ffffffff81566faa>] ? __kmalloc+0x14a/0x2a0
        [<ffffffff81b3d70a>] ? kobject_get_path+0x9a/0x200
        [<ffffffff81b408c2>] ? kobject_uevent_env+0x282/0xca0
        [<ffffffff81b412eb>] ? kobject_uevent+0xb/0x10
        [<ffffffff81f10104>] ? device_del+0x434/0x6d0
        [<ffffffffa0fea717>] ? rc_unregister_device+0x177/0x240 [rc_core]
        [<ffffffffa116eeb0>] ? au0828_rc_unregister+0x60/0xb0 [au0828]
      
       The problem is fixed with this patch on Linux 4.9-rc4"
      Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
      Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      c183d358
  2. 18 Nov, 2016 1 commit
  3. 25 Oct, 2016 1 commit
  4. 21 Oct, 2016 1 commit
    • [media] rc: don't break long lines · 25ec587c
      Mauro Carvalho Chehab committed
      Due to the 80-cols restrictions, and later due to checkpatch
      warnings, several strings were broken into multiple lines. This
      is not considered a good practice anymore, as it makes it harder
      to grep for strings in the source code.
      
      As we're right now fixing other drivers due to KERN_CONT, we need
      to be able to identify what printk strings don't end with a "\n".
      It is way easier to detect those if we don't break long lines.
      
      So, join those continuation lines.
      
      The patch was generated via the script below, and manually
      adjusted if needed.
      
      <script>
      use Text::Tabs;
      while (<>) {
      	if ($next ne "") {
      		$c=$_;
      		if ($c =~ /^\s+\"(.*)/) {
      			$c2=$1;
      			$next =~ s/\"\n$//;
      			$n = expand($next);
      			$funpos = index($n, '(');
      			$pos = index($c2, '",');
      			if ($funpos && $pos > 0) {
      				$s1 = substr $c2, 0, $pos + 2;
      				$s2 = ' ' x ($funpos + 1) . substr $c2, $pos + 2;
      				$s2 =~ s/^\s+//;
      
      				$s2 = ' ' x ($funpos + 1) . $s2 if ($s2 ne "");
      
      				print unexpand("$next$s1\n");
      				print unexpand("$s2\n") if ($s2 ne "");
      			} else {
      				print "$next$c2\n";
      			}
      			$next="";
      			next;
      		} else {
      			print $next;
      		}
      		$next="";
      	} else {
      		if (m/\"$/) {
      			if (!m/\\n\"$/) {
      				$next=$_;
      				next;
      			}
      		}
      	}
      	print $_;
      }
      </script>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      25ec587c
  5. 22 Sep, 2016 2 commits
  6. 09 Jul, 2016 1 commit
    • [media] rc-main: fix kernel oops after unloading keymap module · d54fc3bb
      Hans Verkuil committed
      When the rc_map table is created the char pointer of the name of the keymap
      is copied to the rc_map->name field. However, this pointer points to memory
      from the keymap module itself.
      
      Since these keymap modules are not refcounted, that means anyone can call
      rmmod to unload that module. Which is not a big deal because the contents of
      the map is all copied to rc_map, except for the keymap name.
      
      So after a keymap module is unloaded the name pointer has become stale. Unloading
      the rc-core module will now cause a kernel oops in rc_dev_uevent().
      
      The solution is to kstrdup the name so there are no more references to the
      keymap module remaining.
      Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
      d54fc3bb
  7. 22 Jun, 2016 1 commit
  8. 07 May, 2016 2 commits
  9. 03 Mar, 2016 1 commit
  10. 16 Feb, 2016 1 commit
    • [media] rc-core: don't lock device at rc_register_device() · c73bbaa4
      Mauro Carvalho Chehab committed
      The mutex lock at rc_register_device() was added by commit 08aeb7c9
      ("[media] rc: add locking to fix register/show race").
      
      It is meant to avoid race issues when trying to open a sysfs file while
      the RC register didn't complete.
      
      Adding a lock there causes troubles, as detected by the Kernel lock
      debug instrumentation at the Kernel:
      
          ======================================================
          [ INFO: possible circular locking dependency detected ]
          4.5.0-rc3+ #46 Not tainted
          -------------------------------------------------------
          systemd-udevd/2681 is trying to acquire lock:
           (s_active#171){++++.+}, at: [<ffffffff8171a115>] kernfs_remove_by_name_ns+0x45/0xa0
      
          but task is already holding lock:
           (&dev->lock){+.+.+.}, at: [<ffffffffa0724def>] rc_register_device+0xb2f/0x1450 [rc_core]
      
          which lock already depends on the new lock.
      
          the existing dependency chain (in reverse order) is:
      
          -> #1 (&dev->lock){+.+.+.}:
                 [<ffffffff8124817d>] lock_acquire+0x13d/0x320
                 [<ffffffff822de966>] mutex_lock_nested+0xb6/0x860
                 [<ffffffffa0721f2b>] show_protocols+0x3b/0x3f0 [rc_core]
                 [<ffffffff81cdaba5>] dev_attr_show+0x45/0xc0
                 [<ffffffff8171f1b3>] sysfs_kf_seq_show+0x203/0x3c0
                 [<ffffffff8171a6a1>] kernfs_seq_show+0x121/0x1b0
                 [<ffffffff81617c71>] seq_read+0x2f1/0x1160
                 [<ffffffff8171c911>] kernfs_fop_read+0x321/0x460
                 [<ffffffff815abc20>] __vfs_read+0xe0/0x3d0
                 [<ffffffff815ae90e>] vfs_read+0xde/0x2d0
                 [<ffffffff815b1d01>] SyS_read+0x111/0x230
                 [<ffffffff822e8636>] entry_SYSCALL_64_fastpath+0x16/0x76
      
          -> #0 (s_active#171){++++.+}:
                 [<ffffffff81244f24>] __lock_acquire+0x4304/0x5990
                 [<ffffffff8124817d>] lock_acquire+0x13d/0x320
                 [<ffffffff81717d3a>] __kernfs_remove+0x58a/0x810
                 [<ffffffff8171a115>] kernfs_remove_by_name_ns+0x45/0xa0
                 [<ffffffff81721592>] remove_files.isra.0+0x72/0x190
                 [<ffffffff8172174b>] sysfs_remove_group+0x9b/0x150
                 [<ffffffff81721854>] sysfs_remove_groups+0x54/0xa0
                 [<ffffffff81cd97d0>] device_remove_attrs+0xb0/0x140
                 [<ffffffff81cdb27c>] device_del+0x38c/0x6b0
                 [<ffffffffa0724b8b>] rc_register_device+0x8cb/0x1450 [rc_core]
                 [<ffffffffa1326a7b>] dvb_usb_remote_init+0x66b/0x14d0 [dvb_usb]
                 [<ffffffffa1321c81>] dvb_usb_device_init+0xf21/0x1860 [dvb_usb]
                 [<ffffffffa13517dc>] dib0700_probe+0x14c/0x410 [dvb_usb_dib0700]
                 [<ffffffff81dbb1dd>] usb_probe_interface+0x45d/0x940
                 [<ffffffff81ce7e7a>] driver_probe_device+0x21a/0xc30
                 [<ffffffff81ce89b1>] __driver_attach+0x121/0x160
                 [<ffffffff81ce21bf>] bus_for_each_dev+0x11f/0x1a0
                 [<ffffffff81ce6cdd>] driver_attach+0x3d/0x50
                 [<ffffffff81ce5df9>] bus_add_driver+0x4c9/0x770
                 [<ffffffff81cea39c>] driver_register+0x18c/0x3b0
                 [<ffffffff81db6e98>] usb_register_driver+0x1f8/0x440
                 [<ffffffffa074001e>] dib0700_driver_init+0x1e/0x1000 [dvb_usb_dib0700]
                 [<ffffffff810021b1>] do_one_initcall+0x141/0x300
                 [<ffffffff8144d8eb>] do_init_module+0x1d0/0x5ad
                 [<ffffffff812f27b6>] load_module+0x6666/0x9ba0
                 [<ffffffff812f5fe8>] SyS_finit_module+0x108/0x130
                 [<ffffffff822e8636>] entry_SYSCALL_64_fastpath+0x16/0x76
      
          other info that might help us debug this:
      
           Possible unsafe locking scenario:
      
                 CPU0                    CPU1
                 ----                    ----
            lock(&dev->lock);
                                         lock(s_active#171);
                                         lock(&dev->lock);
            lock(s_active#171);
      
           *** DEADLOCK ***
      
          3 locks held by systemd-udevd/2681:
           #0:  (&dev->mutex){......}, at: [<ffffffff81ce8933>] __driver_attach+0xa3/0x160
           #1:  (&dev->mutex){......}, at: [<ffffffff81ce8941>] __driver_attach+0xb1/0x160
           #2:  (&dev->lock){+.+.+.}, at: [<ffffffffa0724def>] rc_register_device+0xb2f/0x1450 [rc_core]
      
      In this specific case, some error happened during device init,
      causing IR to be disabled.
      
      Let's fix it by adding a var that will tell when the device is
      initialized. Any calls before that will return a -EINVAL.
      
      That should prevent the race issues.
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      c73bbaa4
  11. 04 Dec, 2015 1 commit
  12. 19 Nov, 2015 4 commits
  13. 19 Aug, 2015 1 commit
  14. 12 Aug, 2015 1 commit
  15. 06 Jul, 2015 3 commits
  16. 15 May, 2015 1 commit
  17. 01 May, 2015 1 commit
  18. 24 Dec, 2014 1 commit
    • [media] rc-main: Re-apply filter for no-op protocol change · 983c5bd2
      James Hogan committed
      Since commit da6e162d ("[media] rc-core: simplify sysfs code"), when
      the IR protocol is set using the sysfs interface to the same set of
      protocols that are already set, store_protocols() does not refresh the
      scancode filter with the new protocol, even if it has already called the
      change_protocol() callback successfully. This results in the filter
      being disabled in the hardware and not re-enabled until the filter is
      set again using sysfs.
      
      Fix in store_protocols() by still re-applying the filter whenever the
      change_protocol() driver callback succeeded.
      
      The problem can be reproduced with the img-ir driver by setting a
      filter, and then setting the protocol to the same protocol that is
      already set:
      $ echo nec > protocols
      $ echo 0xffff > filter_mask
      $ echo nec > protocols
      
      After this, messages which don't match the filter were still being
      received.
      
      Fixes: da6e162d ("[media] rc-core: simplify sysfs code")
      Reported-by: Sifan Naeem <sifan.naeem@imgtec.com>
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Cc: David Härdeman <david@hardeman.nu>
      Cc: <stable@vger.kernel.org> # v3.17+
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      983c5bd2
  19. 25 Nov, 2014 1 commit
  20. 05 Nov, 2014 1 commit
  21. 31 Oct, 2014 1 commit
    • [media] rc-main: fix lockdep splash for rc-main · 37fa8716
      Tomas Melin committed
      lockdep reports a potential circular dependency deadlock when registering input device.
      
      Unlock mutex rc_dev->lock prior to calling ir_raw_event_register to avoid the circular
      dependency since that function also calls input_register_device and rc_open.
      
       ======================================================
       [ INFO: possible circular locking dependency detected ]
       3.17.0-rc7+ #24 Not tainted
       -------------------------------------------------------
       modprobe/647 is trying to acquire lock:
        (input_mutex){+.+.+.}, at: [<ffffffff812ed81c>] input_register_device+0x2ba/0x381
      
       but task is already holding lock:
        (ir_raw_handler_lock){+.+.+.}, at: [<ffffffff813186ed>] ir_raw_event_register+0x102/0x190
      
       which lock already depends on the new lock.
      
      [cut text]
      
       other info that might help us debug this:
      
       Chain exists of:
         input_mutex --> &dev->lock --> ir_raw_handler_lock
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(ir_raw_handler_lock);
                                      lock(&dev->lock);
                                      lock(ir_raw_handler_lock);
         lock(input_mutex);
      
        *** DEADLOCK ***
      
       4 locks held by modprobe/647:
        #0:  (&dev->mutex){......}, at: [<ffffffff812d19f3>] device_lock+0xf/0x11
        #1:  (&dev->mutex){......}, at: [<ffffffff812d19f3>] device_lock+0xf/0x11
        #2:  (&dev->lock){+.+.+.}, at: [<ffffffff81317fff>] rc_register_device+0x55d/0x58a
        #3:  (ir_raw_handler_lock){+.+.+.}, at: [<ffffffff813186ed>] ir_raw_event_register+0x102/0x190
      
       stack backtrace:
       CPU: 0 PID: 647 Comm: modprobe Not tainted 3.17.0-rc7+ #24
      
       Call Trace:
        [<ffffffff81489d6a>] dump_stack+0x46/0x58
        [<ffffffff81487699>] print_circular_bug+0x1f8/0x209
        [<ffffffff81074353>] __lock_acquire+0xb54/0xeda
        [<ffffffff81080f17>] ? console_unlock+0x34d/0x399
        [<ffffffff81074c01>] lock_acquire+0xd9/0x111
        [<ffffffff812ed81c>] ? input_register_device+0x2ba/0x381
        [<ffffffff8148e650>] mutex_lock_interruptible_nested+0x57/0x381
        [<ffffffff812ed81c>] ? input_register_device+0x2ba/0x381
        [<ffffffff81124e03>] ? kfree+0x7c/0x96
        [<ffffffff812ed81c>] ? input_register_device+0x2ba/0x381
        [<ffffffff81072531>] ? trace_hardirqs_on+0xd/0xf
        [<ffffffff812ed81c>] input_register_device+0x2ba/0x381
        [<ffffffff8131a537>] ir_mce_kbd_register+0x109/0x139
        [<ffffffff81318728>] ir_raw_event_register+0x13d/0x190
        [<ffffffff81317e40>] rc_register_device+0x39e/0x58a
        [<ffffffff81072531>] ? trace_hardirqs_on+0xd/0xf
        [<ffffffffa00cf2e3>] nvt_probe+0x5ad/0xd52 [nuvoton_cir]
        [<ffffffffa00ced36>] ? nvt_resume+0x80/0x80 [nuvoton_cir]
        [<ffffffff81296003>] pnp_device_probe+0x8c/0xa9
        [<ffffffff812d1b94>] ? driver_sysfs_add+0x6e/0x93
        [<ffffffff812d203a>] driver_probe_device+0xa1/0x1e3
        [<ffffffff812d217c>] ? driver_probe_device+0x1e3/0x1e3
        [<ffffffff812d21ca>] __driver_attach+0x4e/0x6f
        [<ffffffff812d075b>] bus_for_each_dev+0x5a/0x8c
        [<ffffffff812d1b24>] driver_attach+0x19/0x1b
        [<ffffffff812d1879>] bus_add_driver+0xf1/0x1d6
        [<ffffffff812d2817>] driver_register+0x87/0xbe
        [<ffffffffa0120000>] ? 0xffffffffa0120000
        [<ffffffff81295da4>] pnp_register_driver+0x1c/0x1e
        [<ffffffffa0120010>] nvt_init+0x10/0x1000 [nuvoton_cir]
        [<ffffffff8100030e>] do_one_initcall+0xea/0x18c
        [<ffffffff8111497f>] ? __vunmap+0x9d/0xc7
        [<ffffffff810a3ca1>] load_module+0x1c21/0x1f2c
        [<ffffffff810a0bce>] ? show_initstate+0x44/0x44
        [<ffffffff810a404e>] SyS_init_module+0xa2/0xb1
        [<ffffffff81490ed2>] system_call_fastpath+0x16/0x1b
      Signed-off-by: Tomas Melin <tomas.melin@iki.fi>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
      37fa8716
  22. 30 Oct, 2014 1 commit
  23. 31 Jul, 2014 1 commit
  24. 27 Jul, 2014 1 commit
  25. 26 Jul, 2014 2 commits
  26. 24 Jul, 2014 2 commits
  27. 06 Apr, 2014 2 commits
  28. 13 Mar, 2014 1 commit
  29. 12 Mar, 2014 2 commits
    • [media] rc-main: fix missing unlock if no devno left · 26291233
      James Hogan committed
      While playing with make coccicheck I noticed this message:
      drivers/media/rc/rc-main.c:1245:3-9: preceding lock on line 1238
      
      It was introduced by commit 587d1b06 ([media] rc-core: reuse device
      numbers) which returns -ENOMEM after a mutex_lock without first
      unlocking it when there are no more device numbers left. The added code
      doesn't depend on the device lock, so move it before the lock is taken.
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
      26291233
    • [media] rc-main: automatically refresh filter on protocol change · 6bea25af
      James Hogan committed
      When either of the normal or wakeup filter protocols are changed,
      refresh the corresponding scancode filter, i.e. try and set the same
      scancode filter with the new protocol. If that fails clear the filter
      instead.
      
      If no protocol was selected the filter is just cleared, and if no
      s_filter callback exists the filter is left unmodified.
      
      Similarly clear the filter mask when the filter is set if no protocol is
      currently selected.
      
      This simplifies driver code which no longer has to explicitly worry
      about modifying the filter on a protocol change. This also allows the
      change_wakeup_protocol callback to be omitted entirely if there is only
      a single available wakeup protocol at a time, since selecting no
      protocol will automatically clear the wakeup filter, disabling wakeup.
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Reviewed-by: Antti Seppälä <a.seppala@gmail.com>
      Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
      6bea25af