Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.15.185 2023-06-09T08:32:24Z 2023-06-09T08:32:24Z Hyunwoo Kim imv4bel@gmail.com 2022-11-17T04:59:24Z urn:sha1:a47a3f7a9bf6a350d41f06c232d7c3468bce1b9a [ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ] dvb_register_device() dynamically allocates fops with kmemdup() to set the fops->owner. And these fops are registered in 'file->f_ops' using replace_fops() in the dvb_device_open() process, and kfree()d in dvb_free_device(). However, it is not common to use dynamically allocated fops instead of 'static const' fops as an argument of replace_fops(), and UAF may occur. These UAFs can occur on any dvb type using dvb_register_device(), such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. So, instead of kfree() the fops dynamically allocated in dvb_register_device() in dvb_free_device() called during the .disconnect() process, kfree() it collectively in exit_dvbdev() called when the dvbdev.c module is removed. Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:14:47Z Lin Ma linma@zju.edu.cn 2022-11-28T08:39:03Z urn:sha1:579fb0a3320b44be9c2636161ea2a3472edd8290 commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream. Previous commit that introduces reference counter does not add proper comments, which will lead to warning when building htmldocs. Fix them. Reported-by: "Stephen Rothwell" <sfr@canb.auug.org.au> Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-12-31T12:14:43Z Lin Ma linma@zju.edu.cn 2022-08-07T14:59:52Z urn:sha1:88a6f8a72d167294c0931c7874941bf37a41b6dd [ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ] dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object. Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn Signed-off-by: Lin Ma <linma@zju.edu.cn> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-03-11T10:59:45Z Jonathan Neuschäfer j.neuschaefer@gmx.net 2021-01-01T16:02:11Z urn:sha1:6f097ddb8072323b688f8fbd6729e70fcc26ff5c The syntax without dots is available since commit 43756e347f21 ("scripts/kernel-doc: Add support for named variable macro arguments"). The same HTML output is produced with and without this patch. Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2020-11-16T09:31:16Z Mauro Carvalho Chehab mchehab+huawei@kernel.org 2020-10-23T14:08:10Z urn:sha1:b064945517ee368bfb6343bf3fb4613d537c4bbb Some identifiers have different names between their prototypes and the kernel-doc markup. Seome seems to be due to cut-and-paste related issues. Others need to be fixed, as kernel-doc markups should use this format: identifier - description Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> # IPU3 and V4L2 Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2020-07-19T12:26:25Z Hans Verkuil hverkuil-cisco@xs4all.nl 2020-07-17T08:10:07Z urn:sha1:8f2a4a9d5ff5202d0b3e3a144ebb9b67aabadd29 Having the '*' in the next line separated from the type makes it hard to see that these functions return a pointer to that type. Instead, keep it next to the type name so it is clear that it is a pointer to that type. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2020-07-19T12:00:17Z Randy Dunlap rdunlap@infradead.org 2020-07-14T22:05:51Z urn:sha1:ffb189716081ff7dafb0978d31a290adff966d81 Change the doubled word "the" in a comment to "to the". Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2019-06-05T15:31:51Z Marc Gonzalez marc.w.gonzalez@free.fr 2019-06-05T11:59:10Z urn:sha1:e96a8819a6c4fc578809ba79d64abca57145acb7 Fix minor typos in the DVB demux documentation. Signed-off-by: Marc Gonzalez <marc.w.gonzalez@free.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> 2018-05-11T16:09:59Z Max Kellermann max.kellermann@gmail.com 2018-05-03T18:12:59Z urn:sha1:f17c403af9bf3dc19069cb8c10390030ee4c8fb0 During destruction, a race condition in dvb_media_controller_disable_source() can cause a kernel crash, because the "mdev" pointer has been read successfully while another task executes dvb_usb_media_device_unregister(), which destroys the object. Example for such a crash: general protection fault: 0000 [#1] SMP CPU: 1 PID: 301 Comm: vdr Not tainted 4.8.1-nuc+ #102 [142B blob data] task: ffff8802301f2040 task.stack: ffff880233728000 RIP: 0010:[<ffffffff816c296b>] [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120 RSP: 0018:ffff88023372bdd8 EFLAGS: 00010202 RAX: 001fd55c000000da RBX: ffff880236bad810 RCX: 0000000000000000 RDX: ffff880235bd81f0 RSI: 0000000000000246 RDI: ffff880235bd81e8 RBP: ffff88023372be00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88022f009910 R12: 0000000000000000 R13: ffff880235a21a80 R14: ffff880235bd8000 R15: ffff880235bb8a78 FS: 0000000000000000(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f96edd69818 CR3: 0000000002406000 CR4: 00000000001006e0 Stack: ffff88022f009900 0000000000000008 ffff880235bb8a78 ffff8802344fbb20 ffff880236437b40 ffff88023372be48 ffffffff8117a81e ffff880235bb8a78 ffff88022f009910 ffff8802335a7400 ffff8802301f2040 ffff88022f009900 Call Trace: [<ffffffff8117a81e>] __fput+0xde/0x1d0 [<ffffffff8117a949>] ____fput+0x9/0x10 [<ffffffff810a9fce>] task_work_run+0x7e/0xa0 [<ffffffff81094bab>] do_exit+0x27b/0xa50 [<ffffffff810407e3>] ? __do_page_fault+0x1c3/0x430 [<ffffffff81095402>] do_group_exit+0x42/0xb0 [<ffffffff8109547f>] SyS_exit_group+0xf/0x10 [<ffffffff8108bedb>] entry_SYSCALL_64_fastpath+0x13/0x8f Code: 31 c9 49 8d be e8 01 00 00 ba 01 00 00 00 be 03 00 00 00 e8 68 2d a0 ff 48 8b 83 10 03 00 00 48 8b 80 88 00 00 00 48 85 c0 74 12 <48> 8b 80 88 02 00 00 48 85 c0 74 06 49 8b 7d RIP [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120 [mchehab+samsung@kernel.org: fix a Coding Style issue] Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> 2018-03-07T09:11:50Z Mauro Carvalho Chehab mchehab@s-opensource.com 2018-03-07T09:11:50Z urn:sha1:1980bfa67f19d628df30b9b5b76bca37c2a76dde Not sure why, but, on ia64, with Linaro's gcc 7.3 compiler, using #ifdef (CONFIG_I2C) is not OK. So, replace it by IS_ENABLED(CONFIG_I2C), in order to fix the builds there. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>