1. 25 Mar, 2019 16 commits
  2. 20 Mar, 2019 15 commits
  3. 19 Mar, 2019 9 commits
    • Colin Ian King's avatar
      media: em28xx-input: make const array addr_list static · 6fe59b7e
      Colin Ian King authored
      Don't populate the array addr_list on the stack but instead make it
      static. Makes the object code smaller by 20 bytes
      
      Before:
         text    data     bss     dec     hex filename^M
        16929    3626     384   20939    51cb ../usb/em28xx/em28xx-input.o
      
      After:
         text    data     bss     dec     hex filename^M
        16829    3706     384   20919    51b7 ../usb/em28xx/em28xx-input.o
      
      (gcc version 8.3.0, aarch64)
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      6fe59b7e
    • Jose Alberto Reguero's avatar
      media: dvb: Add support for the Avermedia TD310 · c51f3b7f
      Jose Alberto Reguero authored
      This patch add support for Avermedia TD310 usb stick.
      Signed-off-by: default avatarJose Alberto Reguero <jose.alberto.reguero@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      c51f3b7f
    • Andreas Kemnade's avatar
      media: dvb: init i2c already in it930x_frontend_attach · 1cb11bfa
      Andreas Kemnade authored
      i2c bus is already needed when the frontend is probed, so init it already
      in it930x_frontend_attach. That prevents errors like:
      
      si2168: probe of 6-0067 failed with error -5
      Signed-off-by: default avatarAndreas Kemnade <andreas@kemnade.info>
      Signed-off-by: default avatarJose Alberto Reguero <jose.alberto.reguero@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      1cb11bfa
    • Kangjie Lu's avatar
      media: si2165: fix a missing check of return value · 0ab34a08
      Kangjie Lu authored
      si2165_readreg8() may fail. Looking into si2165_readreg8(), we will find
      that "val_tmp" will be an uninitialized value when regmap_read() fails.
      "val_tmp" is then assigned to "val". So if si2165_readreg8() fails,
      "val" will be a random value. Further use will lead to undefined
      behaviors. The fix checks if si2165_readreg8() fails, and if so, returns
      its error code upstream.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Reviewed-by: default avatarMatthias Schwarzott <zzam@gentoo.org>
      Tested-by: default avatarMatthias Schwarzott <zzam@gentoo.org>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      0ab34a08
    • YueHaibing's avatar
      media: serial_ir: Fix use-after-free in serial_ir_init_module · 56cd26b6
      YueHaibing authored
      Syzkaller report this:
      
      BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
      Read of size 8 at addr ffff8881dc7ae030 by task syz-executor.0/6249
      
      CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xfa/0x1ce lib/dump_stack.c:113
       print_address_description+0x65/0x270 mm/kasan/report.c:187
       kasan_report+0x149/0x18d mm/kasan/report.c:317
       ? 0xffffffffc1728000
       sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
       sysfs_remove_file include/linux/sysfs.h:519 [inline]
       driver_remove_file+0x40/0x50 drivers/base/driver.c:122
       remove_bind_files drivers/base/bus.c:585 [inline]
       bus_remove_driver+0x186/0x220 drivers/base/bus.c:725
       driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
       serial_ir_init_module+0x169/0x1000 [serial_ir]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f9450132c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00007f9450132c70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94501336bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      
      Allocated by task 6249:
       set_track mm/kasan/common.c:85 [inline]
       __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
       kmalloc include/linux/slab.h:545 [inline]
       kzalloc include/linux/slab.h:740 [inline]
       bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
       driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
       serial_ir_init_module+0xe8/0x1000 [serial_ir]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 6249:
       set_track mm/kasan/common.c:85 [inline]
       __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
       slab_free_hook mm/slub.c:1430 [inline]
       slab_free_freelist_hook mm/slub.c:1457 [inline]
       slab_free mm/slub.c:3005 [inline]
       kfree+0xe1/0x270 mm/slub.c:3957
       kobject_cleanup lib/kobject.c:662 [inline]
       kobject_release lib/kobject.c:691 [inline]
       kref_put include/linux/kref.h:67 [inline]
       kobject_put+0x146/0x240 lib/kobject.c:708
       bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
       driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
       serial_ir_init_module+0x14c/0x1000 [serial_ir]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8881dc7ae000
       which belongs to the cache kmalloc-256 of size 256
      The buggy address is located 48 bytes inside of
       256-byte region [ffff8881dc7ae000, ffff8881dc7ae100)
      The buggy address belongs to the page:
      page:ffffea000771eb80 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
      flags: 0x2fffc0000000200(slab)
      raw: 02fffc0000000200 ffffea0007d14800 0000000400000002 ffff8881f6c02e00
      raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8881dc7adf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff8881dc7adf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff8881dc7ae000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
       ffff8881dc7ae080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8881dc7ae100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
      
      There are already cleanup handlings in serial_ir_init error path,
      no need to call serial_ir_exit do it again in serial_ir_init_module,
      otherwise will trigger a use-after-free issue.
      
      Fixes: fa5dc29c ("[media] lirc_serial: move out of staging and rename to serial_ir")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      56cd26b6
    • YueHaibing's avatar
      media: rc: remove unused including <linux/version.h> · 3c73b8a4
      YueHaibing authored
      Remove including <linux/version.h> that don't need it.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      3c73b8a4
    • Nicholas Mc Guire's avatar
      media: cx23885: check allocation return · a3d7f22e
      Nicholas Mc Guire authored
      Checking of kmalloc() seems to have been committed - as
      cx23885_dvb_register() is checking for != 0 return, returning
      -ENOMEM should be fine here.  While at it address the coccicheck
      suggestion to move to kmemdup rather than using kmalloc+memcpy.
      
      Fixes: 46b21bba ("[media] Add support for DViCO FusionHDTV DVB-T Dual Express2")
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      a3d7f22e
    • James Hutchinson's avatar
      media: m88ds3103: serialize reset messages in m88ds3103_set_frontend · 981fbe3d
      James Hutchinson authored
      Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
      
      Users are experiencing problems with the DVBSky S960/S960C USB devices
      since the following commit:
      
      9d659ae1: ("locking/mutex: Add lock handoff to avoid starvation")
      
      The device malfunctions after running for an indeterminable period of
      time, and the problem can only be cleared by rebooting the machine.
      
      It is possible to encourage the problem to surface by blocking the
      signal to the LNB.
      
      Further debugging revealed the cause of the problem.
      
      In the following capture:
      - thread #1325 is running m88ds3103_set_frontend
      - thread #42 is running ts2020_stat_work
      
      a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
      b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
         [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
         [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
         [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
         [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
      
      Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
      
        a. 0x07, 0x80
        b. 0x07, 0x00
      
      However, as shown in the capture, the regmap mutex is being handed over
      to another thread (ts2020_stat_work) in between these two messages.
      
      >From here, the device responds to every i2c message with an 07 message,
      and will only return to normal operation following a power cycle.
      
      Use regmap_multi_reg_write to group the two reset messages, ensuring
      both are processed before the regmap mutex is unlocked.
      Signed-off-by: default avatarJames Hutchinson <jahutchinson99@googlemail.com>
      Reviewed-by: default avatarAntti Palosaari <crope@iki.fi>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      981fbe3d
    • Stefan Brüns's avatar
      media: dvbsky: Avoid leaking dvb frontend · fdfa59cd
      Stefan Brüns authored
      Commit 14f4eaed ("media: dvbsky: fix driver unregister logic") fixed
      a use-after-free by removing the reference to the frontend after deleting
      the backing i2c device.
      
      This has the unfortunate side effect the frontend device is never freed
      in the dvb core leaving a dangling device, leading to errors when the
      dvb core tries to register the frontend after e.g. a replug as reported
      here: https://www.spinics.net/lists/linux-media/msg138181.html
      
      media: dvbsky: issues with DVBSky T680CI
      
      ===
      [  561.119145] sp2 8-0040: CIMaX SP2 successfully attached
      [  561.119161] usb 2-3: DVB: registering adapter 0 frontend 0 (Silicon Labs
      Si2168)...
      [  561.119174] sysfs: cannot create duplicate filename '/class/dvb/
      dvb0.frontend0'
      ===
      
      The use after free happened as dvb_usbv2_disconnect calls in this order:
      - dvb_usb_device::props->exit(...)
      - dvb_usbv2_adapter_frontend_exit(...)
        + if (fe) dvb_unregister_frontend(fe)
        + dvb_usb_device::props->frontend_detach(...)
      
      Moving the release of the i2c device from exit() to frontend_detach()
      avoids the dangling pointer access and allows the core to unregister
      the frontend.
      
      This was originally reported for a DVBSky T680CI, but it also affects
      the MyGica T230C. As all supported devices structure the registration/
      unregistration identically, apply the change for all device types.
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      fdfa59cd