- 16 6月, 2016 6 次提交
-
-
由 Sakari Ailus 提交于
When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer which will be dequeued is not known until the buffer has been removed from the queue. The number of planes is specific to a buffer, not to the queue. This does lead to the situation where multi-plane buffers may be requested and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument struct with fewer planes. __fill_v4l2_buffer() however uses the number of planes from the dequeued videobuf2 buffer, overwriting kernel memory (the m.planes array allocated in video_usercopy() in v4l2-ioctl.c) if the user provided fewer planes than the dequeued buffer had. Oops! Fixes: b0e0e1f8 ("[media] media: videobuf2: Prepare to divide videobuf2") Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com> Acked-by: NHans Verkuil <hans.verkuil@cisco.com> Cc: stable@vger.kernel.org # for v4.4 and later Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
由 Sakari Ailus 提交于
An earlier patch fixing an input validation issue introduced another issue: vb2_core_dqbuf() is called with pb argument value NULL in some cases, causing a NULL pointer dereference. Fix this by skipping the verification as there's nothing to verify. Fixes: e7e0c3e2 ("[media] videobuf2-core: Check user space planes array in dqbuf") Signed-off-by: NDavid R <david@unsolicited.net> Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: NHans Verkuil <hans.verkuil@cisco.com> Cc: stable@vger.kernel.org # for v4.4 and later Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
由 Shuah Khan 提交于
Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: NShuah Khan <shuahkh@osg.samsung.com> Suggested-by: NSakari Ailus <sakari.ailus@linux.intel.com> Reported-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Tested-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
由 Shuah Khan 提交于
When driver unbinds while media_ioctl is in progress, cdev_put() fails with when app exits after driver unbinds. Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets a reference to it and releases it in cdev_del() ensuring that the devnode is not deallocated as long as the application has the device file open. media_devnode_register() initializes the struct device kobj before calling cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the device. devnode is released when the last reference to the struct device is gone. This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has been tested on all three. kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50 kernel: [ 193.599745] Read of size 8 by task media_device_te/1851 kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54 kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0 kernel: [ 193.601083] Call Trace: kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94 kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0 kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40 kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530 kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40 kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0 kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50 kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50 kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0 kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10 kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0 kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20 kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250 - - - kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7 kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120 kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6 Signed-off-by: NShuah Khan <shuahkh@osg.samsung.com> Tested-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
由 Mauro Carvalho Chehab 提交于
struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
由 Mauro Carvalho Chehab 提交于
Along all media controller code, "mdev" is used to represent a pointer to struct media_device, and "devnode" for a pointer to struct media_devnode. However, inside media-devnode.[ch], "mdev" is used to represent a pointer to struct media_devnode. This is very confusing and may lead to development errors. So, let's change all occurrences at media-devnode.[ch] to also use "devnode" for such pointers. This patch doesn't make any functional changes. Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 15 6月, 2016 1 次提交
-
-
由 Mauro Carvalho Chehab 提交于
For the third time in three years, I'm changing my e-mail at Samsung. That's bad, as it may stop communications with me for a while. So, this time, I'll also the mchehab@kernel.org e-mail, as it remains stable since ever. Cc: stable@vger.kernel.org Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 10 6月, 2016 3 次提交
-
-
由 Colin Ian King 提交于
status is not initialized so it can contain garbage. The check for status containing the FE_HAS_LOCK bit may randomly pass or fail if the read of register 0x8c fails to set status after 25 read attempts. Fix this by initializing status to 0. Issue found with CoverityScan, CID#986738 Signed-off-by: NColin Ian King <colin.king@canonical.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Dan Carpenter 提交于
The code is checking for negative returns but it should be checking for zero. Fixes: aab3125c ('[media] em28xx: add support for registering multiple i2c buses') Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Zhaoxiu Zeng 提交于
This patch removes the local MT2063_gcd function, uses lib gcd instead Signed-off-by: NZhaoxiu Zeng <zhaoxiu.zeng@gmail.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
- 09 6月, 2016 4 次提交
-
-
由 Martin Blumenstingl 提交于
The rtl2832 demod has 2 sets of PID filters. This patch enables the filter support when using a slave demod. Signed-off-by: NBenjamin Larsson <benjamin@southpole.se> Signed-off-by: NMartin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Antti Palosaari 提交于
Remove __func__ and KBUILD_MODNAME from logging formatters and pass USB interface device instead, so logging can be done correctly. Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Alessandro Radicati 提交于
The MXL5007T tuner will lock-up on some devices after an I2C read transaction. This patch works around this issue by inhibiting such operations and emulating a 0x00 response. The workaround is only applied to USB devices known to exhibit this flaw. Signed-off-by: NAlessandro Radicati <alessandro@radicati.net> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Alessandro Radicati 提交于
This patch will modify the af9035 driver to use the register address fields of the I2C read command for the combined write/read transaction case. Without this change, the firmware issues just a I2C read transaction without the preceding write transaction to select the register. Signed-off-by: NAlessandro Radicati <alessandro@radicati.net> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
- 08 6月, 2016 13 次提交
-
-
由 Max Kellermann 提交于
Prepare for postponing the call until all file handles have been closed. [mchehab@osg.samsung.com: make checkpatch happy] Signed-off-by: NMax Kellermann <max@duempel.org> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Olli Salonen 提交于
Return -EINVAL if ds3000_set_frontend is called with invalid parameters. v1 of the patch series got incorrect subject lines. Signed-off-by: NOlli Salonen <olli.salonen@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Fengguang Wu 提交于
drivers/media/dvb-frontends/helene.c:750:2-3: Unneeded semicolon Remove unneeded semicolon. Generated by: scripts/coccinelle/misc/semicolon.cocci CC: Abylay Ospan <aospan@netup.ru> Signed-off-by: NFengguang Wu <fengguang.wu@intel.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Martin Blumenstingl 提交于
No functional changes. Signed-off-by: NMartin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Martin Blumenstingl 提交于
This adds the missing auto-select bits for DVB-frontends and tuners (if MEDIA_SUBDRV_AUTOSELECT is enabled) which are used by the various rtl28xxu devices. The driver itself probes for three more tuners, but it's not actually using any of them: - MEDIA_TUNER_MT2063 - MEDIA_TUNER_MT2266 - MEDIA_TUNER_MXL5007T Signed-off-by: NMartin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Antti Palosaari 提交于
Move mn88472 DVB-T/T2/C demod driver out of staging to media. v2: Fix build error reported by kbuild test robot: drivers/staging/media/mn88472/Makefile: No such file or directory Reported-by: Nkbuild test robot <fengguang.wu@intel.com> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Antti Palosaari 提交于
Finalize driver in order to move out of staging. Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Antti Palosaari 提交于
1 and 2 wasn't enough for mn88472 chip on Astrometa device, so increase it to 3. Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Julia Lawall 提交于
firmare -> firmware Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Antti Palosaari 提交于
Latest, 3rd, regmap instance should be freed on error case. Signed-off-by: NAntti Palosaari <crope@iki.fi> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 ayaka 提交于
It is a cosmetic commit. Signed-off-by: Nayaka <ayaka@soulik.info> Signed-off-by: NKamil Debski <k.debski@samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 ayaka 提交于
We don't need to request the sizeimage or num_planes in try_fmt. Signed-off-by: Nayaka <ayaka@soulik.info> Signed-off-by: NKamil Debski <k.debski@samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 ayaka 提交于
The encoder forget the work to call hardware to release its buffers. This patch came from chromium project. I just change its code style and make the API match with new kernel. Signed-off-by: Nayaka <ayaka@soulik.info> Signed-off-by: NKamil Debski <k.debski@samsung.com> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
- 07 6月, 2016 13 次提交
-
-
由 Mauro Carvalho Chehab 提交于
drivers/media/dvb-frontends/helene.c: In function 'helene_write_regs': drivers/media/dvb-frontends/helene.c:312:5: warning: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'unsigned int' [-Wformat=] "wr reg=%04x: len=%d vs %lu is too big!\n", ^ Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
correct is CXD2841ER and CXD2854ER incorrect was CXD2441ER and CXD2454ER Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
Old behaviour: frontend0 - DVB-S/S2 frontend1 - DVB-T/T2 frontend2 - DVB-C frontend3 - ISDB-T New behaviour (DVBv5 API compliant): frontend0 - DVB-S/S2 frontend1 - DVB-T/T2/C/ISDB-T DTV standard should be selected by DTV_DELIVERY_SYSTEM call. And DVB-C default bandwidth now 8MHz Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
bandwidth 1.7,5,6,7,8Mhz support for DVB-T2 Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
Fixed HELENE tuner frequency calculation Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Mauro Carvalho Chehab 提交于
now when new tuning parameters specified demod should retune. Also ISDB-T frequency offset calculation added (cxd2841er_get_carrier_offset_i). While here, fix re-tune for DVB-C Annex A, using the desired bandwidth, instead of using 8MHz. Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
Fix offset calculation inside cxd2841er_get_carrier_offset_t Now DVB-T should be tuned correctly Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
Avoid error message: cxd2841er_read_status_s(): invalid state 1 Always force demod to shutdown state before initializing Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
Adding cxd2841er_get_carrier_offset_t to calculate DVB-T offset for Sony demodulators CXD2841ER and CXD2854ER Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
mistakenly membase8_io used instead of membase8_config in this case we can't read/write CAM module memory (TUPLES) Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
New hardware revision of NetUP Universal DVB card (rev 1.4): * changed tuners (CXD2861ER and CXD2832AER) to CXD2858ER * changed demodulator (CXD2841ER) to CXD2854ER card now supports: DVB-S/S2, DVB-T/T2, DVB-C/C2, ISDB-T PCI id's assigned for new hardware revision is: 1b55:18f7 Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
* fix buffer length check * do not rely on ROLLOFF Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-
由 Abylay Ospan 提交于
CXD2854ER is identical to CXD2841ER except ISDB-T/S added. New method 'cxd2841er_attach_i' is added xtal frequency now configurable. Available options: 20.5MHz, 24MHz, 41MHz Signed-off-by: NAbylay Ospan <aospan@netup.ru> Signed-off-by: NMauro Carvalho Chehab <mchehab@osg.samsung.com>
-