Use the irctl mutex for all device operations and only use lirc_dev_lock
to protect the irctls array. Also, make sure that the device is alive
early in each fops function before doing anything else.
Since this patch touches nearly every line where the irctl mutex is
taken/released, it also renames the mutex at the same time (the name
irctl_lock will be misleading once struct irctl goes away in later
patches).
[mchehab@s-opensource.com: fix a merge conflict]
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
The "attached" member of struct irctl is a boolean value, so let the code
reflect that.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Make setting chunk_size and buffer_size mandatory for drivers which
expect lirc_dev to allocate the lirc_buffer (i.e. ir-lirc-codec) and
don't set them in lirc-zilog (which creates its own buffer).
Also remove an unnecessary copy of chunk_size in struct irctl (the
same information is already available from struct lirc_buffer).
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
By making better use of file->private_data in lirc_dev we can avoid
digging around in the irctls[] array, thereby simplifying the code.
External drivers need to use lirc_get_pdata() instead of mucking around
in file->private_data.
The newly introduced lirc_init_pdata() function isn't very elegant, but
it's a stopgap measure which can be removed once lirc_zilog is converted
to rc-core.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Replace calls to cdev_add() and device_add() with the cdev_device_add()
helper function.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
All users of lirc_register_driver() uses dynamic minor allocation,
therefore we can remove the ability to explicitly request a given number.
This changes the function prototype of lirc_unregister_driver() to also
take a struct lirc_driver pointer as the sole argument.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
If an error is generated, it is more logical to error out ASAP.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
This reverts commit 5be2b76a9c.
Only when the lirc device is freed, should we drop our reference to
rc_dev, else we the rc_dev is freed to early. If userspace has
a file descriptor open during unplug, it goes bang.
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x7bb/0x1e10
Read of size 8 at addr ffff8801d7d61ed0 by task ir-rec/2609
-snip-
mutex_lock_nested+0x1b/0x20
? mutex_lock_nested+0x1b/0x20
rc_close.part.6+0x20/0x60 [rc_core]
rc_close+0x13/0x20 [rc_core]
lirc_dev_fop_close+0x62/0xd0 [lirc_dev]
__fput+0x236/0x410
? fput+0xb0/0xb0
? do_raw_spin_trylock+0x110/0x110
? set_rq_offline.part.70+0xa0/0xa0
____fput+0xe/0x10
task_work_run+0x116/0x180
? task_work_cancel+0x170/0x170
? _raw_spin_unlock+0x27/0x40
? switch_task_namespaces+0x5f/0x90
do_exit+0x68b/0xe80
Cc: stable@vger.kernel.org # For Kernel 4.13
Fixes: 5be2b76a9c ("[media] lirc_dev: remove superfluous get/put_device() calls")
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Remove superfluous includes and defines.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Most drivers return both values when the device is gone.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The "debug" parameter isn't actually used anywhere.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
device_add() and friends already manage the references to the parent
device so these calls aren't necessary.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
These two functions only make the logic in lirc_register_driver()
harder to follow.
(Note that almost no other driver calls kobject_set_name() on their cdev
so I simply removed that part).
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Merging the two means that lirc_allocate_buffer() is called before
device_add() and cdev_add() which makes more sense. This also
simplifies the locking slightly because lirc_allocate_buffer() will
always be called with lirc_dev_lock held.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Every caller of lirc_register_driver() passes their own fops and there
are no users of lirc_dev_fop_write() in the kernel tree. Thus we can
make fops mandatory and remove lirc_dev_fop_write().
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
out_sysfs is misleading, sysfs only comes into play after device_add().
Also, calling device_init() before the rest of struct dev is filled out
is clearer.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
There are no drivers which use this functionality.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Since there are no users of this functionality, it can be removed
altogether.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
ir_lirc_register() currently creates its own lirc_buffer before
passing the lirc_driver to lirc_register_driver().
When a module is later unloaded, ir_lirc_unregister() gets called
which performs a call to lirc_unregister_driver() and then free():s
the lirc_buffer.
The problem is that:
a) there can still be a userspace app holding an open lirc fd
when lirc_unregister_driver() returns; and
b) the lirc_buffer contains "wait_queue_head_t wait_poll" which
is potentially used as long as any userspace app is still around.
The result is an oops which can be triggered quite easily by a
userspace app monitoring its lirc fd using epoll() and not closing
the fd promptly on device removal.
The minimalistic fix is to let lirc_dev create the lirc_buffer since
lirc_dev will then also free the buffer once it believes it is safe to
do so.
Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJY4ZYkAAoJEHm+PkMAQRiGsq4H/R4PMXDoe2XhSSk7IoT97pXV
/A8np/scAPjzEgYUidbb54OSqWwsPRuPGWONTFeSrE2u0L4wln/REI91jg7QetLq
IisncExlYeJ/XQ+iO0ZZh9fLbqwIlEJFdSXmyIFr3m/TBxe8a61C8j93oNgM1tHT
yuwzlq7c3sLq2hsmUG2HyL2kJsEfRasv4Rk0yhFuti12zVsBoTW4qmZuMauq+gdf
f7cSYgiHhPTdb2o+azg5O7uYNHaQQBxdUMlIuhhYtVOUq+pFDO23SLHSFIW2NwOm
Zn5R6CFSrLsCw0Bx0v8Xlc151QUbaRK4h9lhUhkBr6d3uNShU1NQ9JojpSvYwBo=
=vP6E
-----END PGP SIGNATURE-----
Merge tag 'v4.11-rc5' into patchwork
Linux 4.11-rc5
* tag 'v4.11-rc5': (1168 commits)
Linux 4.11-rc5
tty: pl011: fix earlycon work-around for QDF2400 erratum 44
kasan: do not sanitize kexec purgatory
drivers/rapidio/devices/tsi721.c: make module parameter variable name unique
mm/hugetlb.c: don't call region_abort if region_chg fails
kasan: report only the first error by default
hugetlbfs: initialize shared policy as part of inode allocation
mm: fix section name for .data..ro_after_init
mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()
mm: workingset: fix premature shadow node shrinking with cgroups
mm: rmap: fix huge file mmap accounting in the memcg stats
mm: move mm_percpu_wq initialization earlier
mm: migrate: fix remove_migration_pte() for ksm pages
nfs: flexfiles: fix kernel OOPS if MDS returns unsupported DS type
NFSv4.1 fix infinite loop on IO BAD_STATEID error
serial: 8250_EXAR: fix duplicate Kconfig text and add missing help text
tty/serial: atmel: fix TX path in atmel_console_write()
tty/serial: atmel: fix race condition (TX+DMA)
serial: mxs-auart: Fix baudrate calculation
irqchip/mips-gic: Fix Local compare interrupt
...
If a lirc device is unplugged, the struct rc_dev is freed even though
userspace can still have a file descriptor open on the lirc chardev. The
rc_dev structure can be used in a subsequent, or even currently executing
ioctl, read or write.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
We shouldn't be using ENOSYS when a feature is not available. I've tested
lirc; nothing is broken as far as I can make out.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJYwLA0AAoJEAhfPr2O5OEVbd0P/0dycXafb2UkwpQiyzN7j62T
95CB3YySddBUecT3WUNA5DIwD0rcImdzd6JSOiB12kREbxzSwTDP+Qpi1+7+ra55
T6F+nYoc4ptTTQtHPhXrgXXJUdqvQEg/zIb6fzRM+VBkEz7qM3WJCuokdbtzyebN
Z2YvwOxsprnZLdUm+loFlnNOHIstE7XcMCtoZFUQwr5lBvVc/SrhypfkJTaKG4Og
qggnaZW+yEu++mILGOPUmbHbKGxr5qKm5Aijj3L73T/XYloNRwHFvxv48/VrJkG6
hfYLV1FAo1Y5kfmUde1vUOhtMH5eNvz4Sg42KkYCOvJgngi78WYP+/YyenT0yMp4
BGSpLjaUML7zgz2TdkwDdfIzLAPPvvOtSoDyyzP9ELM6vUaUZpf8xPBrjHc6ZZy3
Tndu8IOzlOEFc4njcV+jzRBWqzTLRlxGsP8POKzDeZKTHj/DmAs+LzVnWtLHNEWE
rvem/A3zoo919YVolkkN/vdTWExBIplg2xwmdmfDLA/ZDYw8AbHUsGnT4SQM5UAl
7cHhhh+XZ9ORihrghYvHw4yZq6Nky8P/WgREMbD7XHOEW7sydnhI5xvFPVpWS/Uz
7+SfZFerMxoX8N9+E8UZ7aROO/dbzt8RBXdfHrThhEu/7SCHVEk5PzdRArshjtoK
4DnHrEN6evtmY0XrMPiy
=Liea
-----END PGP SIGNATURE-----
Merge tag 'media/v4.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
"Media regression fixes:
- serial_ir: fix a Kernel crash during boot on Kernel 4.11-rc1, due
to an IRQ code called too early
- other IR regression fixes at lirc and at the raw IR decoding
- a deadlock fix at the RC nuvoton driver
- fix another issue with DMA on stack at dw2102 driver
There's an extra patch there that change a driver interface for the
SoC VSP1 driver, with is shared between the DRM and V4L2 driver. The
patch itself is trivial, and was acked by David Arlie"
* tag 'media/v4.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
[media] v4l: vsp1: Adapt vsp1_du_setup_lif() interface to use a structure
[media] dw2102: don't do DMA on stack
[media] rc: protocol is not set on register for raw IR devices
[media] rc: raw decoder for keymap protocol is not loaded on register
[media] rc: nuvoton: fix deadlock in nvt_write_wakeup_codes
[media] lirc: fix dead lock between open and wakeup_filter
[media] serial_ir: ensure we're ready to receive interrupts
Fix up affected files that include this signal functionality via sched.h.
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Bail out early, otherwise we follow a null pointer.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
tx-only RC devices do not have a receive buffer.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Since "273b902 [media] lirc_dev: use LIRC_CAN_REC() define" these
ioctls no longer work.
Signed-off-by: Sean Young <sean@mess.org>
Cc: <stable@vger.kernel.org> # v4.8+
Reviewed-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Drop the FSF's postal address from the source code files that typically
contain mostly the license text. Of the 628 removed instances, 578 are
outdated.
The patch has been created with the following command without manual edits:
git grep -l "675 Mass Ave\|59 Temple Place\|51 Franklin St" -- \
drivers/media/ include/media|while read i; do i=$i perl -e '
open(F,"< $ENV{i}");
$a=join("", <F>);
$a =~ s/[ \t]*\*\n.*You should.*\n.*along with.*\n.*(\n.*USA.*$)?\n//m
&& $a =~ s/(^.*)Or, (point your browser to) /$1To obtain the license, $2\n$1/m;
close(F);
open(F, "> $ENV{i}");
print F $a;
close(F);'; done
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
"c77d17c0 [media] lirc: use-after free" introduces two problems:
cdev_del() can be called with a NULL argument, and the kobject_put()
path will cause a double free.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Many lirc drivers have their own receive buffers which are freed on
unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll
will be freed directly after unplug so do not remove yourself from the
wait queue.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
If you unplug an lirc device while reading from it, you will get an
use after free as the cdev is freed while still in use.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[ 101.457944] ------------[ cut here ]------------
[ 101.457954] WARNING: CPU: 3 PID: 1819 at kernel/sched/core.c:7708 __might_sleep+0x7e/0x80
[ 101.457960] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffffc0364bc2>] lirc_dev_fop_read+0x292/0x4e0 [lirc_dev]
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
There is no need to check for CONFIG_COMPAT and consequently
assign the compat_ioctl.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The LIRC_CAN_REC() returns a boolean "flag & LIRC_CAN_REC_MASK"
to check whether the device can receive data.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
When opening or closing a lirc character device, the framework
provides to the user the possibility to keep track of opening or
closing of the device by calling two functions:
- set_use_inc() when opening the device
- set_use_dec() when closing the device
if those are not set by the lirc user, the system segfaults.
Check the pointer value before calling the above functions.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
If ioctl is called, it cannot be a case of invalid system call
number (ENOSYS), that is a ENOTTY case which means that the
device doesn't support that specific ioctl command.
So, replace ENOSYS with ENOTTY.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
When comparing a variable with a constant, the comparison should
start from the variable and not from the constant. It's also
written in the human DNA.
Swap the terms of comparisons whenever the constant comes first
and fix the following checkpatch warning:
WARNING: Comparisons should place the constant on the right side of the test
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The three if statements check the same thing, merge them in only
one statement.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
There are two if ... else which check the same thing in different
part of the code, they can be merged in a single check.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The whole function is inside an 'if' statement
("if (ir->d.add_to_buf)").
Check the opposite of that statement at the beginning and exit,
this way we can have one level less of indentation.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
The code can be rearranged so that some goto paths can be removed
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This patch mutes also all the checkpatch warnings related to
printk.
Reword all the printouts so that the string doesn't need to be
split, which fixes the following checkpatch warning:
WARNING: quoted string split across lines
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Transmitters don't necessarily need to have a FIFO managed buffer
for their transfers.
When registering the driver, before allocating the buffer, check
whether the device is a transmitter or receiver. Allocate the
buffer only for receivers.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
During the driver registration, move the buffer allocation on a
separate function.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
We can only unlock if mutex_lock() succeeds.
Fixes the following warning:
drivers/media/rc/lirc_dev.c:535 lirc_dev_fop_close() error: double unlock 'mutex:&lirc_dev_lock'
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
We have to check pointer for NULL and then dereference it.
Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
David Härdeman