| Age | Commit message (Collapse) | Author |
|---|
|
[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]
In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
a new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().
Fix this bug by adding a check of saa7146_vv_init().
This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.
Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.
Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.
Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 42e64117d3b4a759013f77bbcf25ab6700e55de7 ]
If saa7146_register_device() fails, no cleanup is executed, leading to
memory/resource leaks. To fix this issue, perform necessary cleanup work
before returning the error.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]
Two saa7146/hexium files contain a construct that causes a warning
when built with clang:
drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
[-Werror,-Wframe-larger-than=]
static int hexium_probe(struct saa7146_dev *dev)
^
drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
[-Werror,-Wframe-larger-than=]
static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
^
This one happens regardless of KASAN, and the problem is that a
constructor to initialize a dynamically allocated structure leads
to a copy of that structure on the stack, whereas gcc initializes
it in place.
Link: https://bugs.llvm.org/show_bug.cgi?id=40776
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
There are a lot of places where sequences of space/tabs are
found. Get rid of all spaces before tabs.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Using the ARRAY_SIZE macro improves the readability of the code. Also,
it is not always useful to use a variable to store this constant
calculated at compile time.
Found with Coccinelle with the following semantic patch:
@r depends on (org || report)@
type T;
T[] E;
position p;
@@
(
(sizeof(E)@p /sizeof(*E))
|
(sizeof(E)@p /sizeof(E[...]))
|
(sizeof(E)@p /sizeof(T))
)
Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Reviewed-by: Michael Ira Krufky <mkrufky@linuxtv.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Replace the specification of a data structure by a pointer dereference
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer according to the Linux coding style convention.
This issue was detected by using the Coccinelle software.
[mchehab@s-opensoure.com: merge similar patches into one]
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
|
|
Omit an extra message for a memory allocation failure in this function.
This issue was detected by using the Coccinelle software.
[mchehab@s-opensource.com: fold several similar patches into one]
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
pci_device_id are not supposed to change at runtime. All functions
working with pci_device_id provided by <media/drv-intf/saa7146.h>
and <linux/pci.h> work with const pci_device_id. So mark the non-const
structs as const.
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Let's not mix headers used by the core with those headers that
are needed by some driver-specific interface header.
The headers used on drivers were manually moved using:
mkdir include/media/drv-intf/
git mv include/media/cx2341x.h include/media/cx25840.h \
include/media/exynos-fimc.h include/media/msp3400.h \
include/media/s3c_camif.h include/media/saa7146.h \
include/media/saa7146_vv.h include/media/sh_mobile_ceu.h \
include/media/sh_mobile_csi2.h include/media/sh_vou.h \
include/media/si476x.h include/media/soc_mediabus.h \
include/media/tea575x.h include/media/drv-intf/
And the references for those headers were corrected using:
MAIN_DIR="media/"
PREV_DIR="media/"
DIRS="drv-intf/"
echo "Checking affected files" >&2
for i in $DIRS; do
for j in $(find include/$MAIN_DIR/$i -type f -name '*.h'); do
n=`basename $j`
git grep -l $n
done
done|sort|uniq >files && (
echo "Handling files..." >&2;
echo "for i in \$(cat files|grep -v Documentation); do cat \$i | \\";
(
cd include/$MAIN_DIR;
for j in $DIRS; do
for i in $(ls $j); do
echo "perl -ne 's,(include [\\\"\\<])$PREV_DIR($i)([\\\"\\>]),\1$MAIN_DIR$j\2\3,; print \$_' |\\";
done;
done;
echo "cat > a && mv a \$i; done";
);
echo "Handling documentation..." >&2;
echo "for i in MAINTAINERS \$(cat files); do cat \$i | \\";
(
cd include/$MAIN_DIR;
for j in $DIRS; do
for i in $(ls $j); do
echo " perl -ne 's,include/$PREV_DIR($i)\b,include/$MAIN_DIR$j\1,; print \$_' |\\";
done;
done;
echo "cat > a && mv a \$i; done"
);
) >script && . ./script
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
|
|
Embed the video_device struct to simplify the error handling and in
order to (eventually) get rid of video_device_alloc/release.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Instead of having them under drivers/media/video, move them
to their own directory.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
Zhou Qingyang
Wenwen Wang
Arnd Bergmann
Mauro Carvalho Chehab
Jérémy Lefaure
Markus Elfring
Arvind Yadav
Mauro Carvalho Chehab
Hans Verkuil
Mauro Carvalho Chehab