user/sven/linux.git/include/media, branch v4.4.261

media: fix media devnode ioctl/syscall and unregister race

2020-05-27T14:40:25Z

commit 6f0dd24a084a17f9984dd49dffbf7055bf123993 upstream. Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan Suggested-by: Sakari Ailus Reported-by: Mauro Carvalho Chehab Tested-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: adjut filename, context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

media-device: dynamically allocate struct media_devnode

2020-05-27T14:40:25Z

commit a087ce704b802becbb4b0f2a20f2cb3f6911802e upstream. struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: - Drop change in au0828 - Include in media-device.c - Adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

media-devnode: fix namespace mess

2020-05-27T14:40:25Z

commit 163f1e93e995048b894c5fc86a6034d16beed740 upstream. Along all media controller code, "mdev" is used to represent a pointer to struct media_device, and "devnode" for a pointer to struct media_devnode. However, inside media-devnode.[ch], "mdev" is used to represent a pointer to struct media_devnode. This is very confusing and may lead to development errors. So, let's change all occurrences at media-devnode.[ch] to also use "devnode" for such pointers. This patch doesn't make any functional changes. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 4.4: adjust filename, context] Signed-off-by: Ben Hutchings Signed-off-by: Sasha Levin

media: davinci/vpbe: array underflow in vpbe_enum_outputs()

2020-01-29T09:21:43Z

[ Upstream commit b72845ee5577b227131b1fef23f9d9a296621d7b ] In vpbe_enum_outputs() we check if (temp_index >= cfg->num_outputs) but the problem is that "temp_index" can be negative. This patch changes the types to unsigned to address this array underflow bug. Fixes: 66715cdc3224 ("[media] davinci vpbe: VPBE display driver") Signed-off-by: Dan Carpenter Acked-by: "Lad, Prabhakar" Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin

media: v4l: event: Prevent freeing event subscriptions while accessed

2018-10-10T06:52:10Z

commit ad608fbcf166fec809e402d548761768f602702c upstream. The event subscriptions are added to the subscribed event list while holding a spinlock, but that lock is subsequently released while still accessing the subscription object. This makes it possible to unsubscribe the event --- and freeing the subscription object's memory --- while the subscription object is simultaneously accessed. Prevent this by adding a mutex to serialise the event subscription and unsubscription. This also gives a guarantee to the callback ops that the add op has returned before the del op is called. This change also results in making the elems field less special: subscriptions are only added to the event list once they are fully initialised. Signed-off-by: Sakari Ailus Reviewed-by: Hans Verkuil Reviewed-by: Laurent Pinchart Cc: stable@vger.kernel.org # for 4.14 and up Fixes: c3b5b0241f62 ("V4L/DVB: V4L: Events: Add backend") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman

videobuf2-core: Check user space planes array in dqbuf

2016-05-04T21:48:50Z

commit e7e0c3e26587749b62d17b9dd0532874186c77f7 upstream. The number of planes in videobuf2 is specific to a buffer. In order to verify that the planes array provided by the user is long enough, a new vb2_buf_op is required. Call __verify_planes_array() when the dequeued buffer is known. Return an error to the caller if there was one, otherwise remove the buffer from the done list. Signed-off-by: Sakari Ailus Acked-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman

[media] v4l2: add support for SDR transmitter

2015-10-20T17:40:50Z

New IOCTL ops: vidioc_enum_fmt_sdr_out vidioc_g_fmt_sdr_out vidioc_s_fmt_sdr_out vidioc_try_fmt_sdr_out New vb2 buffertype: V4L2_BUF_TYPE_SDR_OUTPUT New v4l2 capability: V4L2_CAP_SDR_OUTPUT Signed-off-by: Antti Palosaari Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab

[media] media: videobuf2: Move v4l2-specific stuff to videobuf2-v4l2

2015-10-20T17:14:28Z

Move v4l2-specific stuff from videobu2-core to videobuf2-v4l2 without doing any functional changes. Signed-off-by: Junghak Sung Signed-off-by: Geunyoung Kim Acked-by: Seung-Woo Kim Acked-by: Inki Dae Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab

[media] media: videobuf2: Prepare to divide videobuf2

2015-10-20T17:12:45Z

Prepare to divide videobuf2 - Separate vb2 trace events from v4l2 trace event. - Make wrapper functions that will move to v4l2-side. - Make vb2_core_* functions that will remain in core-side. - Add a callback function table for buffer operation which makes vb2-core to be able to invoke a v4l2-side functions. - Rename internal functions as vb2_*. Signed-off-by: Junghak Sung Signed-off-by: Geunyoung Kim Acked-by: Seung-Woo Kim Acked-by: Inki Dae Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab

[media] media: videobuf2: Replace v4l2-specific data with vb2 data

2015-10-20T16:49:39Z

Simple changes that replace v4l2-specific data with vb2 data in videobuf2-core. enum v4l2_buf_type --> int enum v4l2_memory --> enum vb2_memory VIDEO_MAX_FRAME --> VB2_MAX_FRAME VIDEO_MAX_PLANES --> VB2_MAX_PLANES struct v4l2_fh *owner --> void *owner V4L2_TYPE_IS_MULTIPLANAR() --> is_multiplanar V4L2_TYPE_IS_OUTPUT() --> is_output Signed-off-by: Junghak Sung Signed-off-by: Geunyoung Kim Acked-by: Seung-Woo Kim Acked-by: Inki Dae Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab