- 26 Feb, 2023 2 commits
-
-
Marek Vasut authored
The find_csis_format() may return NULL in case supported format is not found, check the return value of find_csis_format() before using the result to avoid NULL pointer dereference. Fixes: 11927d0f ("media: imx-mipi-csis: Use V4L2 subdev active state") Signed-off-by:
Marek Vasut <marex@denx.de> Signed-off-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
Both userspace and kernelspace can pass structs with an uninitialized 'stream' field. Since the check_state() function checks for a non-zero stream field, suddenly these calls will fails with -EINVAL. So check in the wrapper functions in v4l2-subdev.c (which are used by both the kernel and userspace API) if V4L2_SUBDEV_FL_STREAMS is set, and if not, then zero the stream field. Currently no drivers set V4L2_SUBDEV_FL_STREAMS, so the stream field will always be set to 0. This patch might well be reverted in the future when streams support is fully enabled and we finalized the userspace API support for this feature. Signed-off-by:
Hans Verkuil <hverkuil-cisco@xs4all.nl> Reviewed-by:
-
- 15 Feb, 2023 1 commit
-
-
git://git.linuxtv.org/media_stageMauro Carvalho Chehab authored
* git://git.linuxtv.org/media_stage: (216 commits) media: v4l2-ctrls-api.c: move ctrl->is_new = 1 to the correct line media: Revert "media: saa7146: deprecate hexium_gemini/orion, mxb and ttpci" media: Revert "media: av7110: move to staging/media/deprecated/saa7146" media: imx-pxp: convert to regmap media: imx-pxp: Use non-threaded IRQ media: imx-pxp: Introduce pxp_read() and pxp_write() wrappers media: imx-pxp: Implement frame size enumeration media: imx-pxp: Pass pixel format value to find_format() media: imx-pxp: Add media controller support media: imx-pxp: Don't set bus_info manually in .querycap() media: imx-pxp: Sort headers alphabetically media: imx-pxp: add support for i.MX7D media: imx-pxp: make data_path_ctrl0 platform dependent media: imx-pxp: disable LUT block media: imx-pxp: explicitly disable unused blocks media: imx-pxp: extract helper function to setup data path media: imx-pxp: detect PXP version media: dt-bindings: media: fsl-pxp: convert to yaml media: imx-mipi-csis: Implement .init_cfg() using .set_fmt() media: imx-mipi-csis: Use V4L2 subdev active state ... Signed-off-by:
-
- 09 Feb, 2023 3 commits
-
-
Hans Verkuil authored
The patch that fixed string control support somehow got mangled when it was merged in mainline: the added line ended up in the wrong place. Fix this. Fixes: 73278d48 ("media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1") Signed-off-by:
-
Hans Verkuil authored
This reverts commit e33fdb5a. The saa7146-based devices are still in use, esp. for DVB. So move these drivers back to mainline. Signed-off-by:
-
Hans Verkuil authored
This reverts commit 3e9ad662. The av7110 is still in use, so it can't be deprecated. Move it back to staging/media for now. Signed-off-by:
-
- 08 Feb, 2023 34 commits
-
-
Mauro Carvalho Chehab authored
Linux 6.2-rc7 * tag 'v6.2-rc7': (1549 commits) Linux 6.2-rc7 fbcon: Check font dimension limits efi: fix potential NULL deref in efi_mem_reserve_persistent kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() HV: hv_balloon: fix memory leak with using debugfs_lookup() mtk_sgmii: enable PCS polling to allow SFP work net: mediatek: sgmii: fix duplex configuration net: mediatek: sgmii: ensure the SGMII PHY is powered down on configuration MAINTAINERS: update SCTP maintainers MAINTAINERS: ipv6: retire Hideaki Yoshifuji mailmap: add John Crispin's entry MAINTAINERS: bonding: move Veaceslav Falico to CREDITS net: openvswitch: fix flow memory leak in ovs_flow_cmd_new net: ethernet: mtk_eth_soc: disable hardware DSA untagging for second MAC virtio-net: Keep stop() to follow mirror sequence of open() efi: Accept version 2 of memory attributes table ceph: blocklist the kclient when receiving corrupted snap trace ceph: move mount state enum to super.h selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs ...
-
Michael Tretter authored
Replace the readl and writel with regmap to ease debugging the registers from userspace. Suggested-by:
Alexander Stein <alexander.stein@ew.tq-group.com> Signed-off-by:
Michael Tretter <m.tretter@pengutronix.de> Reviewed-by:
Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by:
-
Laurent Pinchart authored
There's no need to use threaded IRQs with the PXP, as the interrupt handler doesn't need to sleep and doesn't perform any time-consuming operation. Switch to regular IRQ handler. This fixes lockups of the PXP noticed on i.MX7, where the PXP would stop generating interrupts after a variable number of frames (from a few dozens to a few hundreds). The root cause is however unknown. Signed-off-by:
-
Laurent Pinchart authored
Add pxp_read() and pxp_write() functions to wrap readl() and writel() respectively. This can be useful for debugging register accesses. Signed-off-by:
-
Laurent Pinchart authored
Implement support for the VIDIOC_ENUM_FRAMESIZES ioctl. Signed-off-by:
-
Laurent Pinchart authored
The find_format() function looks up format information for a given pixel format. It takes a v4l2_format pointer, but only uses the contained pixel format value. To prepare it for being used by callers that don't have v4l2_format, modify it to take the pixel format value directly. Signed-off-by:
-
Laurent Pinchart authored
Register a media device for the PXP, using the v4l2-mem2mem MC infrastructure to populate the media graph. No media device operation is implemented, the main use of the MC API is to allow consistent discovery of media devices for userspace. Signed-off-by:
-
Laurent Pinchart authored
The v4l2_capability.bus_info field is set by the V4L2 core when left empty by the .querycap() handler. This is the recommended practice, in order to ensure bus_info coherence between drivers. Don't set it manually. Signed-off-by:
-
Laurent Pinchart authored
Sorting headers alphabetically helps locating duplicates, and make it easier to figure out where to insert new headers. Signed-off-by:
-
Michael Tretter authored
The i.MX7D needs a different data path configuration than the i.MX6ULL. Configure the data path as close as possible to the data path on the i.MX6ULL. Signed-off-by:
-
Michael Tretter authored
Unfortunately, the PXP_HW_VERSION register reports the PXP on the i.MX7D and on the i.MX6ULL as version 3.0, although the PXP versions on these SoCs have significant differences. Use the compatible to configure the ctrl0 register as required dependent on the platform. Signed-off-by:
-
Michael Tretter authored
The LUT block is always configured in bypass mode. Take it entirely out of the pipeline by disabling it and routing the data path around the LUT. Signed-off-by:
-
Michael Tretter authored
Various multiplexers in the pipeline are not used with the currently configured data path. Disable all unused multiplexers by selecting the "no output" (3) option. The datasheet doesn't explicitly require this, but the PXP has been seen to hang after processing a few hundreds of frames otherwise. As at it, add documentation for the multiplexers that are actually relevant for the data path. Signed-off-by:
-
Michael Tretter authored
The driver must configure the data path through the Pixel Pipeline. Currently, the driver is using a fixed setup, but once there are different pipeline configurations, it is helpful to have a dedicated function for determining the register value for the data path. Signed-off-by:
-
Michael Tretter authored
Different versions of the Pixel Pipeline have different blocks and their routing may be different. Read the PXP_HW_VERSION register to determine the version of the PXP and print it to the log for debugging purposes. Signed-off-by:
-
Michael Tretter authored
Convert the bindings of the Freescale Pixel Pipeline to YAML. The conversion drops the previously listed compatibles for several SoCs. It is unclear, if the PXP on these SoCs is compatible to any of the PXPs on the existing SoCs and would allow to reuse the already defined compatibles. The missing compatibles should be brought back when the support for the PXP on these SoCs is added. Reviewed-by:
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by:
-
Laurent Pinchart authored
The .set_fmt() handler is responsible for adjusting the requested format based on the device limitations. Implement .init_cfg() as a wrapper of .set_fmt(), to ensure that the initial configuration always matches the rules implemented in .set_fmt(), should they ever change. Signed-off-by:
Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by:
-
Laurent Pinchart authored
Use the V4L2 subdev active state API to store the active format. This simplifies the driver not only by dropping the mipi_csis_device csis_fmt and format_mbus fields, but it also allows dropping the device lock, replaced with the state lock. Signed-off-by:
-
Laurent Pinchart authored
To prepare for usage of the subdev active state that will replace the csis_fmt and format_mbus fields stored in the mipi_csis_device structure, pass the format explicitly to the functions called when starting streaming to avoid accessing those two fields. Not functional change intended. Signed-off-by:
-
Laurent Pinchart authored
The runtime PM handlers don't need manual locking as - they are serialized by the runtime PM core - they can't race with other functions taking the same lock, as they don't access any data protect by that lock Drop the locking. Signed-off-by:
-
Laurent Pinchart authored
It is customary to prefix error labels with 'err_' to make their purpose clearer. Do so in the probe function. Signed-off-by:
-
Laurent Pinchart authored
Use the V4L2 subdev active state API to store the active format. This simplifies the driver not only by dropping the state stored in the imx7_csi structure, but also by replacing the manual lock with the state lock. The is_streaming field is now protected by the active state lock, either explicitly in .s_stream(), where the active state is locked manually, or implicitly in .set_fmt(), which is called with the state locked. Signed-off-by:
Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by:
-
Laurent Pinchart authored
The v4l2_subdev_format structure passed to the .get_fmt() subdev operation in imx7_csi_video_validate_fmt() isn't zeroed, which can cause undefined behaviour. Fix it. Signed-off-by:
-
Laurent Pinchart authored
It's good practice for functions to perform error cleanup internally when they fail, in order to not leave the device in a half-initialized state. Move the async notifier cleanup from the probe error path to the imx7_csi_async_register(), and drop the v4l2_async_nf_unregister() call as there is no error path after the async notifier gets registered. Signed-off-by:
-
Laurent Pinchart authored
The subdev core guarantees that the .set_fmt() operation is always called with a valid pad. Drop the unneeded pad checks. Signed-off-by:
-
Laurent Pinchart authored
The .s_stream() and .link_validate() operations can't be called with a NULL src_sd, as subdev nodes are not registered before the async notifier completes. Remove the unneeded checks. Signed-off-by:
-
Laurent Pinchart authored
The .s_stream() operation is guaranteed not to be called to start/stop an already started/stopped subdev. Remove the unneeded check. Signed-off-by:
-
Laurent Pinchart authored
The imx7_csi_video_init_format() function instantiates a v4l2_subdev_format on the stack, to only use the .format field of that structure. Replace it with a v4l2_mbus_framefmt instance. Signed-off-by:
-
Laurent Pinchart authored
The imx7_csi.cc field is set but never used. Drop it. Signed-off-by:
-
Tasos Sahanidis authored
The radio device doesn't use vb2, thus calling vb2_video_unregister_device() which results in the following warning being printed on module unload. WARNING: CPU: 1 PID: 215963 at drivers/media/common/videobuf2/videobuf2-v4l2.c:1236 vb2_video_unregister_device+0xc6/0xe0 [videobuf2_v4l2] Fixes: 11788d9b ("media: media/pci: use vb2_video_unregister_device()") Signed-off-by:
Tasos Sahanidis <tasos@tasossah.com> Signed-off-by:
-
Brent Pappas authored
Replace the macro icap_enabled() with a static function to comply with Linux coding style standards. Signed-off-by:
Brent Pappas <bpappas@pappasbrent.com> Reviewed-by:
Marco Felsch <m.felsch@pengutronix.de> Signed-off-by:
-
Benjamin Roszak authored
Checking if sess->fmt_out->pixfmt is V4L2_PIX_FMT_VP9 was already done as a condition to enter the if statement where this additional check is made. Signed-off-by:
Benjamin Roszak <benjamin545@gmail.com> Signed-off-by:
Christian Hewitt <christianshewitt@gmail.com> Acked-by:
Neil Armstrong <neil.armstrong@linaro.org> Signed-off-by:
-
Duoming Zhou authored
There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237a-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+0x34c/0x5b0 [ 36.517396] worker_thread+0x4b7/0x890 [ 36.518591] kthread+0x166/0x190 [ 36.519599] ret_from_fork+0x22/0x30 [ 36.520851] [ 36.521405] Last potentially related work creation: [ 36.523143] kasan_save_stack+0x3f/0x60 [ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.525831] insert_work+0x25/0x130 [ 36.527039] __queue_work+0x4d4/0x620 [ 36.528236] queue_work_on+0x72/0xb0 [ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.530819] dummy_timer+0x350/0x1a40 [ 36.532149] call_timer_fn+0x2c/0x190 [ 36.533567] expire_timers+0x69/0x1f0 [ 36.534736] __run_timers+0x289/0x2d0 [ 36.535841] run_timer_softirq+0x2d/0x60 [ 36.537110] __do_softirq+0x116/0x380 [ 36.538377] [ 36.538950] Second to last potentially related work creation: [ 36.540855] kasan_save_stack+0x3f/0x60 [ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.543592] insert_work+0x25/0x130 [ 36.544891] __queue_work+0x4d4/0x620 [ 36.546168] queue_work_on+0x72/0xb0 [ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.548805] dummy_timer+0x350/0x1a40 [ 36.550116] call_timer_fn+0x2c/0x190 [ 36.551570] expire_timers+0x69/0x1f0 [ 36.552762] __run_timers+0x289/0x2d0 [ 36.553916] run_timer_softirq+0x2d/0x60 [ 36.555118] __do_softirq+0x116/0x380 [ 36.556239] [ 36.556807] The buggy address belongs to the object at ffff888005960000 [ 36.556807] which belongs to the cache kmalloc-4k of size 4096 [ 36.560652] The buggy address is located 232 bytes inside of [ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) [ 36.564791] [ 36.565355] The buggy address belongs to the physical page: [ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 [ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 [ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) [ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 [ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 36.580175] page dumped because: kasan: bad access detected [ 36.581994] [ 36.582548] Memory state around the buggy address: [ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.591071] ^ [ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.598026] ================================================================== [ 36.600224] Disabling lock debugging due to kernel taint [ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I [ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 [ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.615026] Workqueue: events do_submit_urb [ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.643411] Call Trace: [ 36.644215] <TASK> [ 36.644902] smscore_getbuffer+0x3e/0x1e0 [ 36.646147] do_submit_urb+0x4f/0x190 [ 36.647449] process_one_work+0x34c/0x5b0 [ 36.648777] worker_thread+0x4b7/0x890 [ 36.649984] ? worker_clr_flags+0x90/0x90 [ 36.651166] kthread+0x166/0x190 [ 36.652151] ? kthread_blkcg+0x50/0x50 [ 36.653547] ret_from_fork+0x22/0x30 [ 36.655051] </TASK> [ 36.655733] Modules linked in: [ 36.656787] ---[ end trace 0000000000000000 ]--- [ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.685733] Kernel panic - not syncing: Fatal exception [ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) [ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- When the siano device is plugged in, it may call the following functions to initialize the device. smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). When smscore_start_device() gets failed, the function smsusb_term_device() will be called and smsusb_device_t will be deallocated. Although we use usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests and wait for them to finish, the worker threads that are scheduled by smsusb_onresponse() may be still running. As a result, the UAF bugs could happen. We add cancel_work_sync() in smsusb_stop_streaming() in order that the worker threads could finish before the smsusb_device_t is deallocated. Fixes: dd47fbd4 ("[media] smsusb: don't sleep while atomic") Signed-off-by:
Duoming Zhou <duoming@zju.edu.cn> Signed-off-by:
-
Hans Verkuil authored
If the message length was wrong, the dprintk() after the 'err' label was bypassed. Fix that, and fix a smatch warning at the same time: mb86a16.c:1514 mb86a16_send_diseqc_msg() warn: missing unwind goto? Signed-off-by:
-
