* patchwork: (496 commits)
[media] v4l: tvp5150: Add missing break in set control handler
[media] v4l: tvp5150: Don't inline the tvp5150_selmux() function
[media] v4l: tvp5150: Compile tvp5150_link_setup out if !CONFIG_MEDIA_CONTROLLER
[media] em28xx: don't store usb_device at struct em28xx
[media] em28xx: use usb_interface for dev_foo() calls
[media] em28xx: don't change the device's name
[media] mn88472: fix chip id check on probe
[media] mn88473: fix chip id check on probe
[media] lirc: fix error paths in lirc_cdev_add()
[media] s5p-mfc: Add support for MFC v8 available in Exynos 5433 SoCs
[media] s5p-mfc: Rework clock handling
[media] s5p-mfc: Don't keep clock prepared all the time
[media] s5p-mfc: Kill all IS_ERR_OR_NULL in clocks management code
[media] s5p-mfc: Remove dead conditional code
[media] s5p-mfc: Ensure that clock is disabled before turning power off
[media] s5p-mfc: Remove special clock rate management
[media] s5p-mfc: Use printk_ratelimited for reporting ioctl errors
[media] s5p-mfc: Set DMA_ATTR_ALLOC_SINGLE_PAGES
[media] vivid: Set color_enc on HSV formats
[media] v4l2-tpg: Init hv_enc field with a valid value
...
|
|
The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.
However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);
where priv->fname points to the previous file name, and this was
already freed by kfree().
For fixing the bug properly, this patch does the following:
- Keep the copy of firmware file name in only priv->fname,
priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly
Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
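A user-space model of the ownership change this commit message describes, added here as an illustration and not the driver's code: `old_set_config()` follows the pre-fix pattern and reports, without performing the read, when `priv->fname` is left dangling, while the other functions follow the three rules listed above. The reduced structs, `dup_name()`, the replay helpers, the file names and the assumption that the old load path made `priv->fname` alias `priv->ctrl.fname` are not from the page.

```c
#include <stdlib.h>
#include <string.h>

struct ctrl { const char *fname; };              /* reduced config struct (assumption) */
struct priv { struct ctrl ctrl; char *fname; };

static char *dup_name(const char *s) {           /* stands in for a kernel string copy */
	char *d = malloc(strlen(s) + 1);
	return d ? strcpy(d, s) : NULL;
}

/* Pre-fix: returns 1 when priv->fname is left dangling for the later strcmp(). */
static int old_set_config(struct priv *priv, const struct ctrl *p) {
	int aliased = priv->fname && priv->fname == priv->ctrl.fname;
	free((char *)priv->ctrl.fname);
	priv->ctrl.fname = NULL;                 /* overwritten by the copy below */
	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
	if (p->fname) priv->ctrl.fname = dup_name(p->fname);
	return aliased && p->fname;
}

static void free_firmware(struct priv *priv) {   /* fixed: the only release point */
	free(priv->fname);
	priv->fname = NULL;
}

static int load_firmware(struct priv *priv) {    /* fixed: the only allocation point */
	if (!priv->fname && priv->ctrl.fname)
		priv->fname = dup_name(priv->ctrl.fname);
	return priv->fname ? 0 : -1;
}

static void set_config(struct priv *priv, const struct ctrl *p) {
	priv->ctrl = *p;                         /* fixed: ctrl.fname borrowed, never freed */
	if (p->fname && priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);             /* name changed: force a reload */
}

static int replay_old(void) {                    /* constructed file names throughout */
	struct priv priv = { { dup_name("fw-a.bin") }, NULL };
	priv.fname = (char *)priv.ctrl.fname;    /* assumed: old load path aliased the copy */
	int hit = old_set_config(&priv, &(struct ctrl){ "fw-b.bin" });
	free((char *)priv.ctrl.fname);           /* stale priv.fname is discarded unread */
	return hit;
}

static int replay_fixed(void) {
	struct priv priv = { { NULL }, NULL };
	struct ctrl a = { "fw-a.bin" }, b = { "fw-b.bin" };
	set_config(&priv, &a);
	int ok = load_firmware(&priv) == 0;
	set_config(&priv, &a);                   /* same name: copy kept */
	ok = ok && priv.fname && !strcmp(priv.fname, "fw-a.bin");
	set_config(&priv, &b);                   /* new name: copy released once */
	ok = ok && !priv.fname && load_firmware(&priv) == 0;
	free_firmware(&priv);
	return ok;
}

int main(void) { return !(replay_old() == 1 && replay_fixed() == 1); }
```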
|
|
It is not clear what this return value means. All implementations
return 0, and the one caller ignores the value. Let's remove this
useless return value completely.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Due to the 80-cols checkpatch warnings, several strings
were broken into multiple lines. This is not considered
a good practice anymore, as it makes it harder to grep for
strings at the source code. So, join those continuation
lines.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This driver has a lot of printk continuation lines for
debugging purposes. Since commit 563873318d32
("Merge branch 'printk-cleanups"), this won't work as expected
anymore. So, let's add KERN_CONT to those lines.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
We have to unlock before returning -ENOMEM.
Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:
[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------
[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] ___slab_alloc+0x581/0x5b0
[11009.908014] __slab_alloc+0x51/0x90
[11009.908017] __kmalloc+0x27b/0x350
[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] usb_submit_urb+0xb0e/0x1200
[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] usb_serial_generic_write+0x92/0xc0
[11009.908039] usb_console_write+0x38a/0x560
[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] console_unlock+0x40d/0x900
[11009.908056] vprintk_emit+0x4b4/0x830
[11009.908061] vprintk_default+0x1f/0x30
[11009.908064] printk+0x99/0xb5
[11009.908067] kasan_report_error+0x10a/0x550
[11009.908070] __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] __slab_free+0x2ec/0x460
[11009.908080] kfree+0x266/0x280
[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] do_one_initcall+0x141/0x300
[11009.908111] do_init_module+0x1d0/0x5ad
[11009.908114] load_module+0x6666/0x9ba0
[11009.908117] SyS_finit_module+0x108/0x130
[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162] [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165] [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168] [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171] [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182] [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185] [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189] [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192] [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196] [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200] [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203] [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206] [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211] [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215] [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219] [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222] [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226] [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230] [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233] [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238] [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242] [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245] [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249] [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253] [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260] [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264] [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268] [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275] [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278] [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292] [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299] [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302] [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306] [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309] [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314] [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317] [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320] [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324] [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327] [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346] [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350] [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353] [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356] [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361] [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366] [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369] [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374] [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377] [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379] [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394] [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405] ^
[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================
In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Bellow is yelling. Ok, sometimes the code yells a lot,
but this is not the case there ;)
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
As reported by coccinelle:
drivers/media/tuners/tuner-xc2028.c:182:2-18: code aligned with following code on line 183
drivers/media/tuners/tuner-xc2028.c:184:2-19: code aligned with following code on line 185
drivers/media/tuners/tuner-xc2028.c:186:2-19: code aligned with following code on line 187
drivers/media/tuners/tuner-xc2028.c:188:2-17: code aligned with following code on line 189
drivers/media/tuners/tuner-xc2028.c:190:2-19: code aligned with following code on line 191
drivers/media/tuners/tuner-xc2028.c:192:2-19: code aligned with following code on line 193
drivers/media/tuners/tuner-xc2028.c:194:2-18: code aligned with following code on line 195
drivers/media/tuners/tuner-xc2028.c:196:2-17: code aligned with following code on line 197
drivers/media/tuners/tuner-xc2028.c:198:2-18: code aligned with following code on line 199
drivers/media/tuners/tuner-xc2028.c:200:2-19: code aligned with following code on line 201
drivers/media/tuners/tuner-xc2028.c:202:2-18: code aligned with following code on line 203
drivers/media/tuners/tuner-xc2028.c:204:2-16: code aligned with following code on line 205
drivers/media/tuners/tuner-xc2028.c:206:2-20: code aligned with following code on line 207
drivers/media/tuners/tuner-xc2028.c:208:2-17: code aligned with following code on line 209
drivers/media/tuners/tuner-xc2028.c:210:2-18: code aligned with following code on line 211
drivers/media/tuners/tuner-xc2028.c:212:2-18: code aligned with following code on line 213
drivers/media/tuners/tuner-xc2028.c:214:2-18: code aligned with following code on line 215
drivers/media/tuners/tuner-xc2028.c:216:2-16: code aligned with following code on line 217
drivers/media/tuners/tuner-xc2028.c:218:2-18: code aligned with following code on line 219
drivers/media/tuners/tuner-xc2028.c:220:2-20: code aligned with following code on line 221
drivers/media/tuners/tuner-xc2028.c:222:2-21: code aligned with following code on line 223
drivers/media/tuners/tuner-xc2028.c:224:2-20: code aligned with following code on line 225
drivers/media/tuners/tuner-xc2028.c:226:2-23: code aligned with following code on line 227
drivers/media/tuners/tuner-xc2028.c:228:2-23: code aligned with following code on line 229
drivers/media/tuners/tuner-xc2028.c:230:2-22: code aligned with following code on line 231
drivers/media/tuners/tuner-xc2028.c:232:2-24: code aligned with following code on line 233
drivers/media/tuners/tuner-xc2028.c:234:2-19: code aligned with following code on line 235
drivers/media/tuners/tuner-xc2028.c:236:2-19: code aligned with following code on line 237
drivers/media/tuners/tuner-xc2028.c:238:2-20: code aligned with following code on line 239
drivers/media/tuners/tuner-xc2028.c:240:2-19: code aligned with following code on line 241
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
Coverity CID 1196501: Missing break in switch (MISSING_BREAK)
I introduced that bug recently by commit
96a5b3a869e3dc7d55bf04a48a8dca8a4025787e.
As a result, it will unintentionally flood error messages to the log.
Reported-by: <scan-admin@coverity.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
There are now new tuner types which are not handled in that switch-case.
Print an error if an unknown tuner type is met.
drivers/media/tuners/tuner-xc2028.c: In function ‘generic_set_freq’:
drivers/media/tuners/tuner-xc2028.c:1037:2: warning: enumeration value ‘V4L2_TUNER_ADC’ not handled in switch [-Wswitch]
switch (new_type) {
^
drivers/media/tuners/tuner-xc2028.c:1037:2: warning: enumeration value ‘V4L2_TUNER_RF’ not handled in switch [-Wswitch]
Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
That removes those timeout errors:
[ 3675.930940] xc2028 19-0061: Device is Xceive 3028 version 1.0, firmware version 2.7
[ 3676.060487] xc2028 19-0061: divisor= 00 00 8d d0 (freq=567.250)
[ 3676.349449] xc2028 19-0061: Putting xc2028/3028 into poweroff mode.
[ 3698.247645] xc2028 19-0061: xc2028_get_reg 0002 called
[ 3698.253276] em2860 #0: I2C transfer timeout on writing to addr 0xc2
[ 3698.253301] xc2028 19-0061: i2c input error: rc = -121 (should be 2)
[ 3698.253327] xc2028 19-0061: xc2028_signal called
[ 3698.253339] xc2028 19-0061: xc2028_get_reg 0002 called
[ 3698.259283] em2860 #0: I2C transfer timeout on writing to addr 0xc2
[ 3698.259312] xc2028 19-0061: i2c input error: rc = -121 (should be 2)
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
Only send a power down command for the device if it is not already
in power down state. That prevents a timeout when trying to talk
with the device.
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
This macro is not used. Remove it.
Reviewed-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
Dynamic static allocation is evil, as Kernel stack is too low, and
compilation complains about it on some archs:
drivers/media/tuners/tuner-xc2028.c:651:1: warning: 'load_firmware' uses dynamic stack allocation [enabled by default]
Instead, let's enforce a limit for the buffer.
In the specific case of this driver, the maximum limit is 80, used only
on tm6000 driver. This limit is due to the size of the USB control URBs.
Ok, it would be theoretically possible to use a bigger size on PCI
devices, but the firmware load time is already good enough. Anyway,
if some usage requires more, it is just a matter of also increasing
the buffer size at load_firmware().
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
drivers/media/tuners/tuner-xc2028.c:575:24: warning: cast to restricted __le16
drivers/media/tuners/tuner-xc2028.c:686:21: warning: cast to restricted __le16
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
|
|
kfree on NULL pointer is a no-op.
Signed-off-by: Syam Sidhardhan <s.syam@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
|
This kind of memcpy() is error-prone. Its replacement with a struct
assignment is preferred because it's type-safe and much easier to read.
Found by coccinelle. Hand patched and reviewed.
Tested by compilation only.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
identifier struct_name;
struct struct_name to;
struct struct_name from;
expression E;
@@
-memcpy(&(to), &(from), E);
+to = from;
// </smpl>
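Review bot: `expression E` in the metavariable block is unconstrained, so the rule rewrites a memcpy() of any length into `to = from`, which always copies the whole struct. The two are equivalent only when E is the size of that struct, so the rule should pin E to the sizeof forms, or every match has to be checked by hand for a partial or oversized copy before the rewrite is accepted.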
Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
Signed-off-by: Ezequiel Garcia <elezegarcia@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
|
Move the tuners one level up, as the "common" directory will be used
by drivers that are shared between more than one driver.
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|