GitHub-Mirror/Star64_linux
2
0
Fork 0
mirror of https://github.com/Fishwaldo/Star64_linux.git synced 2025-05-03 13:53:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

media: lirc: improve locking

Browse source 
Once rc_unregister_device() has been called, no driver function
should be called.

This prevents some nasty race conditions with an ioctl calls
driver functions when the driver specific data has been freed.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This commit is contained in:
Sean Young 2017-11-04 08:30:45 -04:00 committed by Mauro Carvalho Chehab
parent 7e45d660e4
commit 4957133fe3
1 changed files with 136 additions and 101 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

209
drivers/media/rc/lirc_dev.c
View file

@ -233,15 +233,21 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
struct rc_dev *dev = fh->rc; struct rc_dev *dev = fh->rc;
unsigned int *txbuf = NULL; unsigned int *txbuf = NULL;
struct ir_raw_event *raw = NULL; struct ir_raw_event *raw = NULL;
ssize_t ret = -EINVAL; ssize_t ret;
size_t count; size_t count;
ktime_t start; ktime_t start;
s64 towait; s64 towait;
unsigned int duration = 0; /* signal duration in us */ unsigned int duration = 0; /* signal duration in us */
int i; int i;
if (!dev->registered) ret = mutex_lock_interruptible(&dev->lock);
return -ENODEV; if (ret)
return ret;
if (!dev->registered) {
ret = -ENODEV;
goto out;
}
start = ktime_get(); start = ktime_get();
@ -253,14 +259,20 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
if (fh->send_mode == LIRC_MODE_SCANCODE) { if (fh->send_mode == LIRC_MODE_SCANCODE) {
struct lirc_scancode scan; struct lirc_scancode scan;
if (n != sizeof(scan)) if (n != sizeof(scan)) {
return -EINVAL; ret = -EINVAL;
goto out;
}
if (copy_from_user(&scan, buf, sizeof(scan))) if (copy_from_user(&scan, buf, sizeof(scan))) {
return -EFAULT; ret = -EFAULT;
goto out;
}
if (scan.flags || scan.keycode || scan.timestamp) if (scan.flags || scan.keycode || scan.timestamp) {
return -EINVAL; ret = -EINVAL;
goto out;
}
/* /*
* The scancode field in lirc_scancode is 64-bit simply * The scancode field in lirc_scancode is 64-bit simply
@ -269,12 +281,16 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
* are supported. * are supported.
*/ */
if (scan.scancode > U32_MAX || if (scan.scancode > U32_MAX ||
!rc_validate_scancode(scan.rc_proto, scan.scancode)) !rc_validate_scancode(scan.rc_proto, scan.scancode)) {
return -EINVAL; ret = -EINVAL;
goto out;
}
raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL); raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);
if (!raw) if (!raw) {
return -ENOMEM; ret = -ENOMEM;
goto out;
}
ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode, ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
raw, LIRCBUF_SIZE); raw, LIRCBUF_SIZE);
@ -300,16 +316,22 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
dev->s_tx_carrier(dev, carrier); dev->s_tx_carrier(dev, carrier);
} }
} else { } else {
if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {
return -EINVAL; ret = -EINVAL;
goto out;
}
count = n / sizeof(unsigned int); count = n / sizeof(unsigned int);
if (count > LIRCBUF_SIZE || count % 2 == 0) if (count > LIRCBUF_SIZE || count % 2 == 0) {
return -EINVAL; ret = -EINVAL;
goto out;
}
txbuf = memdup_user(buf, n); txbuf = memdup_user(buf, n);
if (IS_ERR(txbuf)) if (IS_ERR(txbuf)) {
return PTR_ERR(txbuf); ret = PTR_ERR(txbuf);
goto out;
}
} }
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
@ -347,6 +369,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
} }
out: out:
mutex_unlock(&dev->lock);
kfree(txbuf); kfree(txbuf);
kfree(raw); kfree(raw);
return ret; return ret;
@ -358,8 +381,8 @@ static long ir_lirc_ioctl(struct file *file, unsigned int cmd,
struct lirc_fh *fh = file->private_data; struct lirc_fh *fh = file->private_data;
struct rc_dev *dev = fh->rc; struct rc_dev *dev = fh->rc;
u32 __user *argp = (u32 __user *)(arg); u32 __user *argp = (u32 __user *)(arg);
int ret = 0; u32 val = 0;
__u32 val = 0, tmp; int ret;
if (_IOC_DIR(cmd) & _IOC_WRITE) { if (_IOC_DIR(cmd) & _IOC_WRITE) {
ret = get_user(val, argp); ret = get_user(val, argp);
@ -367,8 +390,14 @@ static long ir_lirc_ioctl(struct file *file, unsigned int cmd,
return ret; return ret;
} }
if (!dev->registered) ret = mutex_lock_interruptible(&dev->lock);
return -ENODEV; if (ret)
return ret;
if (!dev->registered) {
ret = -ENODEV;
goto out;
}
switch (cmd) { switch (cmd) {
case LIRC_GET_FEATURES: case LIRC_GET_FEATURES:
@ -409,155 +438,161 @@ static long ir_lirc_ioctl(struct file *file, unsigned int cmd,
/* mode support */ /* mode support */
case LIRC_GET_REC_MODE: case LIRC_GET_REC_MODE:
if (dev->driver_type == RC_DRIVER_IR_RAW_TX) if (dev->driver_type == RC_DRIVER_IR_RAW_TX)
return -ENOTTY; ret = -ENOTTY;
else
val = fh->rec_mode; val = fh->rec_mode;
break; break;
case LIRC_SET_REC_MODE: case LIRC_SET_REC_MODE:
switch (dev->driver_type) { switch (dev->driver_type) {
case RC_DRIVER_IR_RAW_TX: case RC_DRIVER_IR_RAW_TX:
return -ENOTTY; ret = -ENOTTY;
break;
case RC_DRIVER_SCANCODE: case RC_DRIVER_SCANCODE:
if (val != LIRC_MODE_SCANCODE) if (val != LIRC_MODE_SCANCODE)
return -EINVAL; ret = -EINVAL;
break; break;
case RC_DRIVER_IR_RAW: case RC_DRIVER_IR_RAW:
if (!(val == LIRC_MODE_MODE2 || if (!(val == LIRC_MODE_MODE2 ||
val == LIRC_MODE_SCANCODE)) val == LIRC_MODE_SCANCODE))
return -EINVAL; ret = -EINVAL;
break; break;
} }
if (!ret)
fh->rec_mode = val; fh->rec_mode = val;
return 0; break;
case LIRC_GET_SEND_MODE: case LIRC_GET_SEND_MODE:
if (!dev->tx_ir) if (!dev->tx_ir)
return -ENOTTY; ret = -ENOTTY;
else
val = fh->send_mode; val = fh->send_mode;
break; break;
case LIRC_SET_SEND_MODE: case LIRC_SET_SEND_MODE:
if (!dev->tx_ir) if (!dev->tx_ir)
return -ENOTTY; ret = -ENOTTY;
else if (!(val == LIRC_MODE_PULSE || val == LIRC_MODE_SCANCODE))
if (!(val == LIRC_MODE_PULSE || val == LIRC_MODE_SCANCODE)) ret = -EINVAL;
return -EINVAL; else
fh->send_mode = val; fh->send_mode = val;
return 0; break;
/* TX settings */ /* TX settings */
case LIRC_SET_TRANSMITTER_MASK: case LIRC_SET_TRANSMITTER_MASK:
if (!dev->s_tx_mask) if (!dev->s_tx_mask)
return -ENOTTY; ret = -ENOTTY;
else
return dev->s_tx_mask(dev, val); ret = dev->s_tx_mask(dev, val);
break;
case LIRC_SET_SEND_CARRIER: case LIRC_SET_SEND_CARRIER:
if (!dev->s_tx_carrier) if (!dev->s_tx_carrier)
return -ENOTTY; ret = -ENOTTY;
else
return dev->s_tx_carrier(dev, val); ret = dev->s_tx_carrier(dev, val);
break;
case LIRC_SET_SEND_DUTY_CYCLE: case LIRC_SET_SEND_DUTY_CYCLE:
if (!dev->s_tx_duty_cycle) if (!dev->s_tx_duty_cycle)
return -ENOTTY; ret = -ENOTTY;
else if (val <= 0 || val >= 100)
if (val <= 0 || val >= 100) ret = -EINVAL;
return -EINVAL; else
ret = dev->s_tx_duty_cycle(dev, val);
return dev->s_tx_duty_cycle(dev, val); break;
/* RX settings */ /* RX settings */
case LIRC_SET_REC_CARRIER: case LIRC_SET_REC_CARRIER:
if (!dev->s_rx_carrier_range) if (!dev->s_rx_carrier_range)
return -ENOTTY; ret = -ENOTTY;
else if (val <= 0)
if (val <= 0) ret = -EINVAL;
return -EINVAL; else
ret = dev->s_rx_carrier_range(dev, fh->carrier_low,
return dev->s_rx_carrier_range(dev,
fh->carrier_low,
val); val);
break;
case LIRC_SET_REC_CARRIER_RANGE: case LIRC_SET_REC_CARRIER_RANGE:
if (!dev->s_rx_carrier_range) if (!dev->s_rx_carrier_range)
return -ENOTTY; ret = -ENOTTY;
else if (val <= 0)
if (val <= 0) ret = -EINVAL;
return -EINVAL; else
fh->carrier_low = val; fh->carrier_low = val;
return 0; break;
case LIRC_GET_REC_RESOLUTION: case LIRC_GET_REC_RESOLUTION:
if (!dev->rx_resolution) if (!dev->rx_resolution)
return -ENOTTY; ret = -ENOTTY;
else
val = dev->rx_resolution / 1000; val = dev->rx_resolution / 1000;
break; break;
case LIRC_SET_WIDEBAND_RECEIVER: case LIRC_SET_WIDEBAND_RECEIVER:
if (!dev->s_learning_mode) if (!dev->s_learning_mode)
return -ENOTTY; ret = -ENOTTY;
else
return dev->s_learning_mode(dev, !!val); ret = dev->s_learning_mode(dev, !!val);
break;
case LIRC_SET_MEASURE_CARRIER_MODE: case LIRC_SET_MEASURE_CARRIER_MODE:
if (!dev->s_carrier_report) if (!dev->s_carrier_report)
return -ENOTTY; ret = -ENOTTY;
else
return dev->s_carrier_report(dev, !!val); ret = dev->s_carrier_report(dev, !!val);
break;
/* Generic timeout support */ /* Generic timeout support */
case LIRC_GET_MIN_TIMEOUT: case LIRC_GET_MIN_TIMEOUT:
if (!dev->max_timeout) if (!dev->max_timeout)
return -ENOTTY; ret = -ENOTTY;
else
val = DIV_ROUND_UP(dev->min_timeout, 1000); val = DIV_ROUND_UP(dev->min_timeout, 1000);
break; break;
case LIRC_GET_MAX_TIMEOUT: case LIRC_GET_MAX_TIMEOUT:
if (!dev->max_timeout) if (!dev->max_timeout)
return -ENOTTY; ret = -ENOTTY;
else
val = dev->max_timeout / 1000; val = dev->max_timeout / 1000;
break; break;
case LIRC_SET_REC_TIMEOUT: case LIRC_SET_REC_TIMEOUT:
if (!dev->max_timeout) if (!dev->max_timeout) {
return -ENOTTY; ret = -ENOTTY;
} else if (val > U32_MAX / 1000) {
/* Check for multiply overflow */ /* Check for multiply overflow */
if (val > U32_MAX / 1000) ret = -EINVAL;
return -EINVAL; } else {
u32 tmp = val * 1000;
tmp = val * 1000;
if (tmp < dev->min_timeout || tmp > dev->max_timeout) if (tmp < dev->min_timeout || tmp > dev->max_timeout)
return -EINVAL; ret = -EINVAL;
else if (dev->s_timeout)
if (dev->s_timeout)
ret = dev->s_timeout(dev, tmp); ret = dev->s_timeout(dev, tmp);
if (!ret) else if (!ret)
dev->timeout = tmp; dev->timeout = tmp;
}
break; break;
case LIRC_SET_REC_TIMEOUT_REPORTS: case LIRC_SET_REC_TIMEOUT_REPORTS:
if (!dev->timeout) if (!dev->timeout)
return -ENOTTY; ret = -ENOTTY;
else
fh->send_timeout_reports = !!val; fh->send_timeout_reports = !!val;
break; break;
default: default:
return -ENOTTY; ret = -ENOTTY;
} }
if (_IOC_DIR(cmd) & _IOC_READ) if (!ret && _IOC_DIR(cmd) & _IOC_READ)
ret = put_user(val, argp); ret = put_user(val, argp);
out:
mutex_unlock(&dev->lock);
return ret; return ret;
} }