aboutsummaryrefslogtreecommitdiffstats
path: root/include/media/dvbdev.h
AgeCommit message (Collapse)Author
2023-06-21media: dvb-core: Fix use-after-free due to race at dvb_register_device()Hyunwoo Kim
commit 627bb528b086b4136315c25d6a447a98ea9448d3 upstream. dvb_register_device() dynamically allocates fops with kmemdup() to set the fops->owner. And these fops are registered in 'file->f_ops' using replace_fops() in the dvb_device_open() process, and kfree()d in dvb_free_device(). However, it is not common to use dynamically allocated fops instead of 'static const' fops as an argument of replace_fops(), and UAF may occur. These UAFs can occur on any dvb type using dvb_register_device(), such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. So, instead of kfree() the fops dynamically allocated in dvb_register_device() in dvb_free_device() called during the .disconnect() process, kfree() it collectively in exit_dvbdev() called when the dvbdev.c module is removed. Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-14media: dvbdev: fix build warning due to commentsLin Ma
commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream. Previous commit that introduces reference counter does not add proper comments, which will lead to warning when building htmldocs. Fix them. Reported-by: "Stephen Rothwell" <sfr@canb.auug.org.au> Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-14media: dvbdev: adopts refcnt to avoid UAFLin Ma
[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ] dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object. Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn Signed-off-by: Lin Ma <linma@zju.edu.cn> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-07-19media: dvbdev.h: keep * together with the typeHans Verkuil
Having the '*' in the next line separated from the type makes it hard to see that these functions return a pointer to that type. Instead, keep it next to the type name so it is clear that it is a pointer to that type. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2020-07-19media: dvbdev.h: fix duplicated word in commentRandy Dunlap
Change the doubled word "the" in a comment to "to the". Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2019-06-05media: docs: fix minor typosMarc Gonzalez
Fix minor typos in the DVB demux documentation. Signed-off-by: Marc Gonzalez <marc.w.gonzalez@free.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-11media: dvbdev: add a mutex protecting the "mdev" pointerMax Kellermann
During destruction, a race condition in dvb_media_controller_disable_source() can cause a kernel crash, because the "mdev" pointer has been read successfully while another task executes dvb_usb_media_device_unregister(), which destroys the object. Example for such a crash: general protection fault: 0000 [#1] SMP CPU: 1 PID: 301 Comm: vdr Not tainted 4.8.1-nuc+ #102 [142B blob data] task: ffff8802301f2040 task.stack: ffff880233728000 RIP: 0010:[<ffffffff816c296b>] [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120 RSP: 0018:ffff88023372bdd8 EFLAGS: 00010202 RAX: 001fd55c000000da RBX: ffff880236bad810 RCX: 0000000000000000 RDX: ffff880235bd81f0 RSI: 0000000000000246 RDI: ffff880235bd81e8 RBP: ffff88023372be00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: ffff88022f009910 R12: 0000000000000000 R13: ffff880235a21a80 R14: ffff880235bd8000 R15: ffff880235bb8a78 FS: 0000000000000000(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f96edd69818 CR3: 0000000002406000 CR4: 00000000001006e0 Stack: ffff88022f009900 0000000000000008 ffff880235bb8a78 ffff8802344fbb20 ffff880236437b40 ffff88023372be48 ffffffff8117a81e ffff880235bb8a78 ffff88022f009910 ffff8802335a7400 ffff8802301f2040 ffff88022f009900 Call Trace: [<ffffffff8117a81e>] __fput+0xde/0x1d0 [<ffffffff8117a949>] ____fput+0x9/0x10 [<ffffffff810a9fce>] task_work_run+0x7e/0xa0 [<ffffffff81094bab>] do_exit+0x27b/0xa50 [<ffffffff810407e3>] ? __do_page_fault+0x1c3/0x430 [<ffffffff81095402>] do_group_exit+0x42/0xb0 [<ffffffff8109547f>] SyS_exit_group+0xf/0x10 [<ffffffff8108bedb>] entry_SYSCALL_64_fastpath+0x13/0x8f Code: 31 c9 49 8d be e8 01 00 00 ba 01 00 00 00 be 03 00 00 00 e8 68 2d a0 ff 48 8b 83 10 03 00 00 48 8b 80 88 00 00 00 48 85 c0 74 12 <48> 8b 80 88 02 00 00 48 85 c0 74 06 49 8b 7d RIP [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120 [mchehab+samsung@kernel.org: fix a Coding Style issue] Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-03-07media: dvbdev: fix building on ia64Mauro Carvalho Chehab
Not sure why, but, on ia64, with Linaro's gcc 7.3 compiler, using #ifdef (CONFIG_I2C) is not OK. So, replace it by IS_ENABLED(CONFIG_I2C), in order to fix the builds there. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2018-03-06media: dvb-core: add helper functions for I2C bindingMauro Carvalho Chehab
The dvb_attach()/dvb_detach() methods are ugly hacks designed to keep using the I2C low-level API. The proper way is to do I2C bus bindings instead. Several modules were already converted to use it. Yet, it is painful to use it, as lots of code need to be duplicated. Make it easier by providing two new helper functions: - dvb_module_probe() - dvb_module_release() Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2018-01-04media: fix usage of whitespaces and on indentationMauro Carvalho Chehab
On several places, whitespaces are being used for indentation, or even at the end of the line. Fix them. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-12-28media: move dvb kAPI headers to include/mediaMauro Carvalho Chehab
Except for DVB, all media kAPI headers are at include/media. Move the headers to it. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-27 01:23:10 +0000