Commit graph

20899 commits

Author SHA1 Message Date
Arnd Bergmann b2e0de6c5e ir-core: fix gcc-7 warning on bool arithmetic
commit bd7e31bbade02bc1e92aa00d5cf2cee2da66838a upstream.

gcc-7 suggests that an expression using a bitwise not and a bitmask
on a 'bool' variable is better written using boolean logic:

drivers/media/rc/imon.c: In function 'imon_incoming_scancode':
drivers/media/rc/imon.c:1725:22: error: '~' on a boolean expression [-Werror=bool-operation]
    ictx->pad_mouse = ~(ictx->pad_mouse) & 0x1;
                      ^
drivers/media/rc/imon.c:1725:22: note: did you mean to use logical not?

I agree.

Fixes: 21677cfc56 ("V4L/DVB: ir-core: add imon driver")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2019-07-27 21:44:38 +02:00
Mauro Carvalho Chehab 6345ca1a3c siano: make it work again with CONFIG_VMAP_STACK
commit f9c85ee67164b37f9296eab3b754e543e4e96a1c upstream.

Reported as a Kaffeine bug:
	https://bugs.kde.org/show_bug.cgi?id=375811

The USB control messages require DMA to work. We cannot pass
a stack-allocated buffer, as it is not warranted that the
stack would be into a DMA enabled area.

On Kernel 4.9, the default is to not accept DMA on stack anymore
on x86 architecture. On other architectures, this has been a
requirement since Kernel 2.2. So, after this patch, this driver
should likely work fine on all archs.

Tested with USB ID 2040:5510: Hauppauge Windham

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2019-07-27 21:43:54 +02:00
Takashi Iwai 29ae6dcd31 xc2028: Fix use-after-free bug properly
commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream.

The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly

Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2019-07-27 21:43:23 +02:00
Dan Carpenter e986a5a049 xc2028: unlock on error in xc2028_set_config()
commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d upstream.

We have to unlock before returning -ENOMEM.

Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2019-07-27 21:43:22 +02:00
Nicolas Iooss c4149e345d ite-cir: initialize use_demodulator before using it
commit 7ec03e60ef81c19b5d3a46dd070ee966774b860f upstream.

Function ite_set_carrier_params() uses variable use_demodulator after
having initialized it to false in some if branches, but this variable is
never set to true otherwise.

This bug has been found using clang -Wsometimes-uninitialized warning
flag.

Fixes: 620a32bba4 ("[media] rc: New rc-based ite-cir driver for
several ITE CIRs")

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2019-07-27 21:43:01 +02:00
Trishansh Bhardwaj dfd2d6c35b msm: camera: Return -NOTTY on invalid ioctl command.
Check validity of command before processing.

Change-Id: Icc5c57eac999b7c40fbb9505b2b88745167adc66
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
2018-05-26 00:39:36 +02:00
Senthil Kumar Rajagopal 76c635edc2 msm: camera: isp: Handle array out of bounds
The pointer qbuf_buf comes from userspace.
qbuf_buf->num_planes is used with no bound check,
which if set to a large value, it will overflow
buf_info->mapped_info and qbuf_buf->planes

CRs-Fixed: 2003798

Change-Id: I332e0424e57bb14b481a740604a09350e6f029a8
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
2018-05-26 00:39:36 +02:00
LuK1337 39a771baad Merge tag 'LA.BR.1.3.6-05410-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-05410-8976.0"
2018-02-06 13:11:45 +01:00
VijayaKumar T M a8b1f40acb msm: sensor: actuator: add null pointer check for i2c array
Issue:
i2c_reg_tbl may be null under error condition when set param.
then, other actuator function still may use the i2c_reg_tbl as null.
Fix:
1) the assignment total_steps follow on kmalloc buffer.
2) Add NULL pointer check for i2c tbl.

CRs-Fixed: 2152401
Change-Id: Ieec3d88e6dae0177787da0906f53d59ac4f5a624
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2018-01-28 23:17:43 -08:00
Linux Build Service Account d458e5389e Merge "msm: camera: Prevent buffer overread in write_logsync." 2018-01-22 19:30:05 -08:00
Trishansh Bhardwaj 419cc01311 msm: camera: Prevent buffer overread in write_logsync.
If userspace issues write with string of length 21 or more then
there is a chance that kernel will overread lbuf array.
This change makes sure that lbuf is NULL terminated.

Change-Id: I9ad6d5a607b2ff1f293512be9746ee554b076b10
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
2018-01-21 21:33:17 -08:00
Depeng Shao 46607534af msm: camera: sensor: Validate sensor related name length
Variable "slave_info->sensor_name", "slave_info->eeprom_name",
"slave_info->actuator_name" and "slave_info->ois_name" are
from user input, which may be not NULL terminated.
OOB will be possible when accessing these variables.

Add a validation for these name length.

Change-Id: I9a570372707b7f8365a625d6b0662e87d1b4926e
Signed-off-by: Depeng Shao <dshao@codeaurora.org>
2018-01-21 21:12:46 -08:00
Daniel Mentz f514ea6147 v4l2: Refactor, fix security bug in compat ioctl32
The 32-bit compat v4l2 ioctl is implemented based on its 64-bit
equivalent. It converts 32-bit data structures into its 64-bit
equivalents and needs to provide the data to the 64-bit ioctl in user
space memory which is commonly allocated using
compat_alloc_user_space(). However, due to how that function is
implemented, it can only be called a single time for every syscall
invocation.  Supposedly to avoid this limitation, the existing code uses
a mix of memory from the kernel stack and memory allocated through
compat_alloc_user_space(). Under normal circumstances, this would not
work, because the 64-bit ioctl expects all pointers to point to user
space memory. As a workaround, set_fs(KERNEL_DS) is called to
temporarily disable this extra safety check and allow kernel pointers.
However, this might introduce a security vulnerability: The
result of the 32-bit to 64-bit conversion is writeable by user space
because the output buffer has been allocated via
compat_alloc_user_space(). A malicious user space process could then
manipulate pointers inside this output buffer, and due to the previous
set_fs(KERNEL_DS) call, functions like get_user() or put_user() no longer
prevent kernel memory access.

The new approach is to pre-calculate the total amount of user space
memory that is needed, allocate it using compat_alloc_user_space() and
then divide up the allocated memory to accommodate all data structures
that need to be converted.

An alternative approach would have been to retain the union type karg
that they allocated on the kernel stack in do_video_ioctl(), copy all
data from user space into karg and then back to user space. However,
we decided against this approach because it does not align with other
compat syscall implementations. Instead, we tried to replicate the
get_user/put_user pairs as found in other places in the kernel:

if (get_user(clipcount, &up->clipcount) ||
    put_user(clipcount, &kp->clipcount)) return -EFAULT;

BUG: 34624167
Change-Id: Ica92695d8ddf60c0a067ea2f833f22a71710932e
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Reported-by: C0RE Team
2017-12-22 20:26:04 +00:00
LuK1337 b2213f5c42 Merge tag 'LA.BR.1.3.6-05010-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into cm-14.1-merge
"LA.BR.1.3.6-05010-8976.0"
2017-11-22 00:26:48 +01:00
Linux Build Service Account ef3c084e15 Merge "msm: camera: Instead of read_lock use read_lock_irqsave." 2017-11-13 19:27:54 -08:00
VijayaKumar T M 8aa50668f9 msm: camera: Instead of read_lock use read_lock_irqsave.
Prevent deadlock between tasklet and delete_stream by stopping
irq during delete_stream

CRs-Fixed: 2076578
Change-Id: Ibcc9fd44403d24112b01150a7d1f3c6e705ea99a
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-11-13 02:03:12 -08:00
Haibin Liu f411d85a55 msm: sensor: actuator: avoid accessing out of bound memory
Issue:
When total_steps is updated, after that, copy_from_user
fails with an error, then, i2c_reg_tbl is not allocated.
In this case, when calling msm_actuator_parse_i2c_params,
it leads to out-of-bound memory write.

Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.

CRs-Fixed: 2111672
Change-Id: Ib9dcb182356e2df8078c131edfd0791fa95a35e0
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-11-13 02:02:57 -08:00
Linux Build Service Account 203b28e201 Merge "media: v4l2-compat-ioctl32: memset stack union in compat ioctl" 2017-11-08 23:35:37 -08:00
Surajit Podder 8da68b516b media: v4l2-compat-ioctl32: memset stack union in compat ioctl
memset karg in do_video_ioctl to ensure that stack memory is
not copied to user memory.

Change-Id: Ib892f8cabff1e0076c670496ee6353d00afdf85e
Signed-off-by: Surajit Podder <spodder@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
2017-11-08 05:32:19 -08:00
Alok Kediya 9997d8908f msm: camera: Bound check for num_of_stream.
- num of stream comes from userspace and used without
any bound check. It may result to overflow update_info.

CRs-Fixed: 2006829

Change-Id: I8226e8f7081b28108dbed738ea4579e2051a85f2
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
2017-11-08 05:21:29 -08:00
LuK1337 4cce184099 Merge tag 'LA.BR.1.3.6-04910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04910-8976.0"
2017-10-14 19:29:50 +02:00
annamraj ab92975b2e msm: camera: Make use of mutex lock to avoid race condition
Make use of mutex lock to access IOCTL so that two threads
can avoid race condition.

Change-Id: I00db78a42c86eef8a157b5b3547e4ca0006b0853
Signed-off-by: annamraj <annamraj@codeaurora.org>
2017-10-04 22:48:29 -07:00
Linux Build Service Account 59eb244f5a Merge "drivers: media: broadcast: Fix security vulnerability issue" 2017-10-04 07:40:46 -07:00
Linux Build Service Account 0ce39b9939 Merge "msm: sensor: flash: add conditional check for ioctl" 2017-10-04 07:40:45 -07:00
Udaya Bhaskara Reddy Mallavarapu f606a20aaa drivers: media: broadcast: Fix security vulnerability issue
Information leak issue is reported in mpq_sdmx_log_level_write
function. Added check to validate count is not zero and initialize
the string.

Change-Id: Ieb2ed88c2d7d778c56be2ec3b9875270a9c74dce
Signed-off-by: Udaya Bhaskara Reddy Mallavarapu <udaym@codeaurora.org>
2017-10-03 22:54:29 -07:00
Tanvi Aggarwal f33047f466 msm: sensor: flash: add conditional check for ioctl
Add conditional check when sending VIDIOC_MSM_FLASH_CFG
in 32-bit process.

Change-Id: I73bcce85a212495ce94e6265947c11a6bc0e4040
CRs-Fixed: 2092793
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
2017-10-03 22:53:50 -07:00
VijayaKumar T M 31bddbf13b msm: camera: isp: Check null pointer for VFE0 base
Add NULL pointer check for vfe_base of VFE0.
CRs-Fixed: 1032715
Change-Id: I540d9ff831fc9447ecf145f75ea84da3668c4f6f
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-10-03 22:39:49 -07:00
LuK1337 97104ad488 Merge tag 'LA.BR.1.3.6-04710-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04710-8976.0"
2017-09-15 11:27:24 +02:00
Fei Zhang f21717864c msm:camera: correct stats query out of boundary
fix one potential out of boundary query of stats info.

Bug: 36264696
Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>
2017-09-08 18:51:15 +00:00
Linux Build Service Account 28135c12f2 Merge "msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG" 2017-09-06 10:21:30 -07:00
Haibin Liu a7d1b9c335 msm: sensor: Fix crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG
Issue:
the invalid slave_info is used by msm_sensor_driver_probe.
This causes a crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.

Fix:
1) avoid the same msm_sd_subdev added into the ordered_sd_list.
2) enlarge the buffer size for i2c addr and data.

Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
2017-09-06 13:31:55 +05:30
Manish Poddar 0844892deb msm: camera: fix Information leak
In msm_buf_mngr_sd_shutdown bufs is a pointer defined
in kernel, and it is printed to userspace using %lx.
changed it to %pK.

Change-Id: Ic2cb1a2ff109364ac2da1bbb3253a2253a0c6be9
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
2017-09-06 00:14:20 -07:00
Linux Build Service Account d4898a2aba Merge "msm: sensor: Add mutex lock during ois power down operations" 2017-09-04 10:58:31 -07:00
Linux Build Service Account 8d01035ba4 Merge "msm: camera: Fix Use after free bug in msm_vb2.c." 2017-08-30 12:57:20 -07:00
Linux Build Service Account e174684786 Merge "msm: sensor: ois: add conditional check for ioctl" 2017-08-30 12:57:19 -07:00
Tanvi Aggarwal 13b3e7463f msm: sensor: ois: add conditional check for ioctl
Add conditional check when sending VIDIOC_MSM_OIS_CFG.

Change-Id: I128591359d7996fe73e9ac3d8a17c47004a2e04e
CRs-Fixed: 2078155
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
2017-08-30 00:22:27 -07:00
annamraj faf23960fb msm: camera: Avoid deadlock for vb2 operations using separate lock
Use mutex lock for all VB2 operations, and use separate lock other
than used for stop streaming operation to avoid dead lock.

Change-Id: Idba956e5e3bce48ee57eaa5984786ded218e32d5
Signed-off-by: annamraj <annamraj@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-08-30 00:11:42 -07:00
VijayaKumar T M 6cd3a5d1e8 msm: camera: Fix Use after free bug in msm_vb2.c.
There is no synchronization between msm_vb2_get_buf
and msm_delete_stream which can lead to use after
free.
Fixed it by using read/write lock.

CRs-Fixed: 2013052
Change-Id: I8e80d70ec866253aab8836457a28ae14175f5d61
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-08-29 12:02:33 +05:30
Linux Build Service Account a667e7ca2b Merge "msm: camera: fix off-by-one overflow in msm_isp_get_bufq" 2017-08-21 11:52:15 -07:00
VijayaKumar T M 28747fad32 msm: camera: fix off-by-one overflow in msm_isp_get_bufq
In msm_isp_get_bufq, if bufq_index equals buf_mgr->num_buf_q,
it will pass the check, leading to off-by-one overflow
(exceed the length of array by one element).

CRs-Fixed: 2031677
Change-Id: I7ea465897e2c37de6ca0155c3e225f1444b3cf13
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-08-21 03:03:29 -07:00
Fei Zhang 62fc4a69bc msm:camera: correct stats query out of boundary
fix one potential out of boundary query of stats info.

Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>
2017-08-21 02:48:07 -07:00
VijayaKumar T M 3a900f06d6 msm: sensor: Add mutex lock during ois power down operations
Protecting operations performed during ois powerdown
from race condition by adding mutex lock.

CRs-Fixed: 2081806
Change-Id: I27a735fd69d3e98fdd2ed48456336c560b6f3adc
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-08-07 18:46:01 +05:30
LuK1337 f77b254b9f Merge tag 'LA.BR.1.3.6-04510-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04510-8976.0"
2017-08-06 13:38:06 +02:00
Linux Build Service Account 9d4be107c7 Merge "msm: camera: sensor:validating the flash initialization parameters" 2017-07-25 23:10:00 -07:00
Haibin Liu 11972e5390 msm: sensor: actuator: add conditional check for ioctl
Add conditional check when operating VIDIOC_MSM_ACTUATOR_CFG32.

CRs-Fixed: 2060371
Change-Id: I9cfaff05b1fff6969a2543c3816d41ed1fabf897
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
2017-07-25 04:19:38 -07:00
kaiwang 814e714926 msm: camera: sensor:validating the flash initialization parameters
Copying the flash initialization parameters from userspace memory to
kernel memory and in turn checking for the validity of the flash
initialization parameters pointer sent from userspace

CRs-Fixed: 2059812
Change-Id: I957c10959108eb08b263d439a9a449b90338b6db
Signed-off-by: kaiwang <kaiwang@codeaurora.org>
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
2017-07-25 03:57:22 -07:00
Dennis Cagle 7f5259209b msm: camera: Add regulator enable and disable independent of CSID
Regulator enable and disable of CSIPHY depends on the CSID module.
Make the enable and disable of clk regulator independent of CSIPHY.

Bug: 33299365
CRs-Fixed: 1107702
Change-Id: Iabb5eb28d63b34a4c3201c53be17054a1907f4fe
Signed-off-by: Ravi Kishore Tanuku <rktanuku@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit b1bb44c9cca61e48ec6158abad6e7969a8e58abf)
2017-07-10 23:03:58 +00:00
LuK1337 ea03599937 Merge tag 'LA.BR.1.3.6-04110-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04110-8976.0"

Change-Id: Ie9bc105eee4263ab1ec2f91556feca988522808f
2017-07-08 18:34:23 +02:00
VijayaKumar T M 928b1dc832 msm: sensor: Validating function pointers before using them
Since IOCTLS can come in any order, validating the actuator
function table and methods before accessing them.

CRs-Fixed: 1084177
Change-Id: Ic6fce52fdf4d1420c2b707ec9bc9cba045066a13
Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
2017-07-01 12:51:55 +02:00
Rajesh Bondugula a4dc554709 msm: camera: sensor: Add boundary check for cci master
Add boundary check for cci master in i2c_read.
This value is passed from userspace. If user sends an
invalid number for master there is a possibility of
accessing unintended buffer.

This change addresses the issue.

Crs-Fixed: 1086764
Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
Change-Id: Ice3bde902aea96382ceb4dfddfd28a5ea89c183d
2017-07-01 12:51:55 +02:00