linux/drivers/media/usb/dvb-usb/dvb-usb-dvb.c
Max Kellermann f17c403af9 media: dvbdev: add a mutex protecting the "mdev" pointer
During destruction, a race condition in
dvb_media_controller_disable_source() can cause a kernel crash,
because the "mdev" pointer has been read successfully while another
task executes dvb_usb_media_device_unregister(), which destroys the
object.  Example for such a crash:

    general protection fault: 0000 [#1] SMP
    CPU: 1 PID: 301 Comm: vdr Not tainted 4.8.1-nuc+ #102
    [142B blob data]
    task: ffff8802301f2040 task.stack: ffff880233728000
    RIP: 0010:[<ffffffff816c296b>]  [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120
    RSP: 0018:ffff88023372bdd8  EFLAGS: 00010202
    RAX: 001fd55c000000da RBX: ffff880236bad810 RCX: 0000000000000000
    RDX: ffff880235bd81f0 RSI: 0000000000000246 RDI: ffff880235bd81e8
    RBP: ffff88023372be00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: ffff88022f009910 R12: 0000000000000000
    R13: ffff880235a21a80 R14: ffff880235bd8000 R15: ffff880235bb8a78
    FS:  0000000000000000(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f96edd69818 CR3: 0000000002406000 CR4: 00000000001006e0
    Stack:
     ffff88022f009900 0000000000000008 ffff880235bb8a78 ffff8802344fbb20
     ffff880236437b40 ffff88023372be48 ffffffff8117a81e ffff880235bb8a78
     ffff88022f009910 ffff8802335a7400 ffff8802301f2040 ffff88022f009900
    Call Trace:
     [<ffffffff8117a81e>] __fput+0xde/0x1d0
     [<ffffffff8117a949>] ____fput+0x9/0x10
     [<ffffffff810a9fce>] task_work_run+0x7e/0xa0
     [<ffffffff81094bab>] do_exit+0x27b/0xa50
     [<ffffffff810407e3>] ? __do_page_fault+0x1c3/0x430
     [<ffffffff81095402>] do_group_exit+0x42/0xb0
     [<ffffffff8109547f>] SyS_exit_group+0xf/0x10
     [<ffffffff8108bedb>] entry_SYSCALL_64_fastpath+0x13/0x8f
    Code: 31 c9 49 8d be e8 01 00 00 ba 01 00 00 00 be 03 00 00 00 e8 68 2d a0 ff 48 8b 83 10 03 00 00 48 8b 80 88 00 00 00 48 85 c0 74 12 <48> 8b 80 88 02 00 00 48 85 c0 74 06 49 8b 7d
    RIP  [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120

[mchehab+samsung@kernel.org: fix a Coding Style issue]
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-11 12:09:59 -04:00

352 lines
9.3 KiB
C

// SPDX-License-Identifier: GPL-2.0
/* dvb-usb-dvb.c is part of the DVB USB library.
*
* Copyright (C) 2004-6 Patrick Boettcher (patrick.boettcher@posteo.de)
* see dvb-usb-init.c for copyright information.
*
* This file contains functions for initializing and handling the
* linux-dvb API.
*/
#include "dvb-usb-common.h"
#include <media/media-device.h>
/* does the complete input transfer handling */
static int dvb_usb_ctrl_feed(struct dvb_demux_feed *dvbdmxfeed, int onoff)
{
struct dvb_usb_adapter *adap = dvbdmxfeed->demux->priv;
int newfeedcount, ret;
if (adap == NULL)
return -ENODEV;
if ((adap->active_fe < 0) ||
(adap->active_fe >= adap->num_frontends_initialized)) {
return -EINVAL;
}
newfeedcount = adap->feedcount + (onoff ? 1 : -1);
/* stop feed before setting a new pid if there will be no pid anymore */
if (newfeedcount == 0) {
deb_ts("stop feeding\n");
usb_urb_kill(&adap->fe_adap[adap->active_fe].stream);
if (adap->props.fe[adap->active_fe].streaming_ctrl != NULL) {
ret = adap->props.fe[adap->active_fe].streaming_ctrl(adap, 0);
if (ret < 0) {
err("error while stopping stream.");
return ret;
}
}
}
adap->feedcount = newfeedcount;
/* activate the pid on the device specific pid_filter */
deb_ts("setting pid (%s): %5d %04x at index %d '%s'\n",
adap->fe_adap[adap->active_fe].pid_filtering ?
"yes" : "no", dvbdmxfeed->pid, dvbdmxfeed->pid,
dvbdmxfeed->index, onoff ? "on" : "off");
if (adap->props.fe[adap->active_fe].caps & DVB_USB_ADAP_HAS_PID_FILTER &&
adap->fe_adap[adap->active_fe].pid_filtering &&
adap->props.fe[adap->active_fe].pid_filter != NULL)
adap->props.fe[adap->active_fe].pid_filter(adap, dvbdmxfeed->index, dvbdmxfeed->pid, onoff);
/* start the feed if this was the first feed and there is still a feed
* for reception.
*/
if (adap->feedcount == onoff && adap->feedcount > 0) {
deb_ts("submitting all URBs\n");
usb_urb_submit(&adap->fe_adap[adap->active_fe].stream);
deb_ts("controlling pid parser\n");
if (adap->props.fe[adap->active_fe].caps & DVB_USB_ADAP_HAS_PID_FILTER &&
adap->props.fe[adap->active_fe].caps &
DVB_USB_ADAP_PID_FILTER_CAN_BE_TURNED_OFF &&
adap->props.fe[adap->active_fe].pid_filter_ctrl != NULL) {
ret = adap->props.fe[adap->active_fe].pid_filter_ctrl(adap,
adap->fe_adap[adap->active_fe].pid_filtering);
if (ret < 0) {
err("could not handle pid_parser");
return ret;
}
}
deb_ts("start feeding\n");
if (adap->props.fe[adap->active_fe].streaming_ctrl != NULL) {
ret = adap->props.fe[adap->active_fe].streaming_ctrl(adap, 1);
if (ret < 0) {
err("error while enabling fifo.");
return ret;
}
}
}
return 0;
}
static int dvb_usb_start_feed(struct dvb_demux_feed *dvbdmxfeed)
{
deb_ts("start pid: 0x%04x, feedtype: %d\n", dvbdmxfeed->pid,
dvbdmxfeed->type);
return dvb_usb_ctrl_feed(dvbdmxfeed, 1);
}
static int dvb_usb_stop_feed(struct dvb_demux_feed *dvbdmxfeed)
{
deb_ts("stop pid: 0x%04x, feedtype: %d\n", dvbdmxfeed->pid, dvbdmxfeed->type);
return dvb_usb_ctrl_feed(dvbdmxfeed, 0);
}
static int dvb_usb_media_device_init(struct dvb_usb_adapter *adap)
{
#ifdef CONFIG_MEDIA_CONTROLLER_DVB
struct media_device *mdev;
struct dvb_usb_device *d = adap->dev;
struct usb_device *udev = d->udev;
mdev = kzalloc(sizeof(*mdev), GFP_KERNEL);
if (!mdev)
return -ENOMEM;
media_device_usb_init(mdev, udev, d->desc->name);
dvb_register_media_controller(&adap->dvb_adap, mdev);
dev_info(&d->udev->dev, "media controller created\n");
#endif
return 0;
}
static int dvb_usb_media_device_register(struct dvb_usb_adapter *adap)
{
#ifdef CONFIG_MEDIA_CONTROLLER_DVB
return media_device_register(adap->dvb_adap.mdev);
#else
return 0;
#endif
}
static void dvb_usb_media_device_unregister(struct dvb_usb_adapter *adap)
{
#ifdef CONFIG_MEDIA_CONTROLLER_DVB
if (!adap->dvb_adap.mdev)
return;
mutex_lock(&adap->dvb_adap.mdev_lock);
media_device_unregister(adap->dvb_adap.mdev);
media_device_cleanup(adap->dvb_adap.mdev);
kfree(adap->dvb_adap.mdev);
adap->dvb_adap.mdev = NULL;
mutex_unlock(&adap->dvb_adap.mdev_lock);
#endif
}
int dvb_usb_adapter_dvb_init(struct dvb_usb_adapter *adap, short *adapter_nums)
{
int i;
int ret = dvb_register_adapter(&adap->dvb_adap, adap->dev->desc->name,
adap->dev->owner, &adap->dev->udev->dev,
adapter_nums);
if (ret < 0) {
deb_info("dvb_register_adapter failed: error %d", ret);
goto err;
}
adap->dvb_adap.priv = adap;
ret = dvb_usb_media_device_init(adap);
if (ret < 0) {
deb_info("dvb_usb_media_device_init failed: error %d", ret);
goto err_mc;
}
if (adap->dev->props.read_mac_address) {
if (adap->dev->props.read_mac_address(adap->dev, adap->dvb_adap.proposed_mac) == 0)
info("MAC address: %pM", adap->dvb_adap.proposed_mac);
else
err("MAC address reading failed.");
}
adap->demux.dmx.capabilities = DMX_TS_FILTERING | DMX_SECTION_FILTERING;
adap->demux.priv = adap;
adap->demux.filternum = 0;
for (i = 0; i < adap->props.num_frontends; i++) {
if (adap->demux.filternum < adap->fe_adap[i].max_feed_count)
adap->demux.filternum = adap->fe_adap[i].max_feed_count;
}
adap->demux.feednum = adap->demux.filternum;
adap->demux.start_feed = dvb_usb_start_feed;
adap->demux.stop_feed = dvb_usb_stop_feed;
adap->demux.write_to_decoder = NULL;
if ((ret = dvb_dmx_init(&adap->demux)) < 0) {
err("dvb_dmx_init failed: error %d", ret);
goto err_dmx;
}
adap->dmxdev.filternum = adap->demux.filternum;
adap->dmxdev.demux = &adap->demux.dmx;
adap->dmxdev.capabilities = 0;
if ((ret = dvb_dmxdev_init(&adap->dmxdev, &adap->dvb_adap)) < 0) {
err("dvb_dmxdev_init failed: error %d", ret);
goto err_dmx_dev;
}
if ((ret = dvb_net_init(&adap->dvb_adap, &adap->dvb_net,
&adap->demux.dmx)) < 0) {
err("dvb_net_init failed: error %d", ret);
goto err_net_init;
}
adap->state |= DVB_USB_ADAP_STATE_DVB;
return 0;
err_net_init:
dvb_dmxdev_release(&adap->dmxdev);
err_dmx_dev:
dvb_dmx_release(&adap->demux);
err_dmx:
dvb_usb_media_device_unregister(adap);
err_mc:
dvb_unregister_adapter(&adap->dvb_adap);
err:
return ret;
}
int dvb_usb_adapter_dvb_exit(struct dvb_usb_adapter *adap)
{
if (adap->state & DVB_USB_ADAP_STATE_DVB) {
deb_info("unregistering DVB part\n");
dvb_net_release(&adap->dvb_net);
adap->demux.dmx.close(&adap->demux.dmx);
dvb_dmxdev_release(&adap->dmxdev);
dvb_dmx_release(&adap->demux);
dvb_usb_media_device_unregister(adap);
dvb_unregister_adapter(&adap->dvb_adap);
adap->state &= ~DVB_USB_ADAP_STATE_DVB;
}
return 0;
}
static int dvb_usb_set_active_fe(struct dvb_frontend *fe, int onoff)
{
struct dvb_usb_adapter *adap = fe->dvb->priv;
int ret = (adap->props.frontend_ctrl) ?
adap->props.frontend_ctrl(fe, onoff) : 0;
if (ret < 0) {
err("frontend_ctrl request failed");
return ret;
}
if (onoff)
adap->active_fe = fe->id;
return 0;
}
static int dvb_usb_fe_wakeup(struct dvb_frontend *fe)
{
struct dvb_usb_adapter *adap = fe->dvb->priv;
dvb_usb_device_power_ctrl(adap->dev, 1);
dvb_usb_set_active_fe(fe, 1);
if (adap->fe_adap[fe->id].fe_init)
adap->fe_adap[fe->id].fe_init(fe);
return 0;
}
static int dvb_usb_fe_sleep(struct dvb_frontend *fe)
{
struct dvb_usb_adapter *adap = fe->dvb->priv;
if (adap->fe_adap[fe->id].fe_sleep)
adap->fe_adap[fe->id].fe_sleep(fe);
dvb_usb_set_active_fe(fe, 0);
return dvb_usb_device_power_ctrl(adap->dev, 0);
}
int dvb_usb_adapter_frontend_init(struct dvb_usb_adapter *adap)
{
int ret, i;
/* register all given adapter frontends */
for (i = 0; i < adap->props.num_frontends; i++) {
if (adap->props.fe[i].frontend_attach == NULL) {
err("strange: '%s' #%d,%d doesn't want to attach a frontend.",
adap->dev->desc->name, adap->id, i);
return 0;
}
ret = adap->props.fe[i].frontend_attach(adap);
if (ret || adap->fe_adap[i].fe == NULL) {
/* only print error when there is no FE at all */
if (i == 0)
err("no frontend was attached by '%s'",
adap->dev->desc->name);
return 0;
}
adap->fe_adap[i].fe->id = i;
/* re-assign sleep and wakeup functions */
adap->fe_adap[i].fe_init = adap->fe_adap[i].fe->ops.init;
adap->fe_adap[i].fe->ops.init = dvb_usb_fe_wakeup;
adap->fe_adap[i].fe_sleep = adap->fe_adap[i].fe->ops.sleep;
adap->fe_adap[i].fe->ops.sleep = dvb_usb_fe_sleep;
if (dvb_register_frontend(&adap->dvb_adap, adap->fe_adap[i].fe)) {
err("Frontend %d registration failed.", i);
dvb_frontend_detach(adap->fe_adap[i].fe);
adap->fe_adap[i].fe = NULL;
/* In error case, do not try register more FEs,
* still leaving already registered FEs alive. */
if (i == 0)
return -ENODEV;
else
return 0;
}
/* only attach the tuner if the demod is there */
if (adap->props.fe[i].tuner_attach != NULL)
adap->props.fe[i].tuner_attach(adap);
adap->num_frontends_initialized++;
}
ret = dvb_create_media_graph(&adap->dvb_adap, true);
if (ret)
return ret;
ret = dvb_usb_media_device_register(adap);
return ret;
}
int dvb_usb_adapter_frontend_exit(struct dvb_usb_adapter *adap)
{
int i = adap->num_frontends_initialized - 1;
/* unregister all given adapter frontends */
for (; i >= 0; i--) {
if (adap->fe_adap[i].fe != NULL) {
dvb_unregister_frontend(adap->fe_adap[i].fe);
dvb_frontend_detach(adap->fe_adap[i].fe);
}
}
adap->num_frontends_initialized = 0;
return 0;
}