Commit Graph

18 Commits

Author SHA1 Message Date
Sean Young c268e7adea media: dvb-frontends: use ida for pll number
KASAN: global-out-of-bounds Read in dvb_pll_attach

Syzbot reported global-out-of-bounds Read in dvb_pll_attach, while
accessing id[dvb_pll_devcount], because dvb_pll_devcount was 65,
that is more than size of 'id' which is DVB_PLL_MAX(64).

Rather than increasing dvb_pll_devcount every time, use ida so that
numbers are allocated correctly. This does mean that no more than
64 devices can be attached at the same time, but this is more than
sufficient.

usb 1-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the
software demuxer
dvbdev: DVB: registering new adapter (774 Friio White ISDB-T USB2.0)
usb 1-1: media controller created
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
tc90522 0-0018: Toshiba TC90522 attached.
usb 1-1: DVB: registering adapter 0 frontend 0 (Toshiba TC90522 ISDB-T
module)...
dvbdev: dvb_create_media_entity: media entity 'Toshiba TC90522 ISDB-T
module' registered.
==================================================================
BUG: KASAN: global-out-of-bounds in dvb_pll_attach+0x6c5/0x830
drivers/media/dvb-frontends/dvb-pll.c:798
Read of size 4 at addr ffffffff89c9e5e0 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x67/0x231 mm/kasan/report.c:188
  __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
  kasan_report+0xe/0x20 mm/kasan/common.c:614
  dvb_pll_attach+0x6c5/0x830 drivers/media/dvb-frontends/dvb-pll.c:798
  dvb_pll_probe+0xfe/0x174 drivers/media/dvb-frontends/dvb-pll.c:877
  i2c_device_probe+0x790/0xaa0 drivers/i2c/i2c-core-base.c:389
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  i2c_new_client_device+0x5b3/0xc40 drivers/i2c/i2c-core-base.c:778
  i2c_new_device+0x19/0x50 drivers/i2c/i2c-core-base.c:821
  dvb_module_probe+0xf9/0x220 drivers/media/dvb-core/dvbdev.c:985
  friio_tuner_attach+0x125/0x1d0 drivers/media/usb/dvb-usb-v2/gl861.c:536
  dvb_usbv2_adapter_frontend_init
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:675 [inline]
  dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:804
[inline]
  dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:865 [inline]
  dvb_usbv2_probe.cold+0x24dc/0x255d
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:980
  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
  generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
  usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
  really_probe+0x281/0x660 drivers/base/dd.c:509
  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
  __device_attach+0x217/0x360 drivers/base/dd.c:843
  bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
  device_add+0xae6/0x16f0 drivers/base/core.c:2111
  usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
  hub_port_connect drivers/usb/core/hub.c:5089 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
  port_event drivers/usb/core/hub.c:5350 [inline]
  hub_event+0x1ada/0x3590 drivers/usb/core/hub.c:5432
  process_one_work+0x905/0x1570 kernel/workqueue.c:2269
  process_scheduled_works kernel/workqueue.c:2331 [inline]
  worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
  kthread+0x30b/0x410 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the variable:
  id+0x100/0x120

Memory state around the buggy address:
  ffffffff89c9e480: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 00 00
  ffffffff89c9e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff89c9e580: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
                                                        ^
  ffffffff89c9e600: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
  ffffffff89c9e680: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
==================================================================

Reported-by: syzbot+8a8f48672560c8ca59dd@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-08-21 18:39:54 -03:00
Thomas Gleixner c942fddf87 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157
Based on 3 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version [author] [kishon] [vijay] [abraham]
  [i] [kishon]@[ti] [com] this program is distributed in the hope that
  it will be useful but without any warranty without even the implied
  warranty of merchantability or fitness for a particular purpose see
  the gnu general public license for more details

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version [author] [graeme] [gregory]
  [gg]@[slimlogic] [co] [uk] [author] [kishon] [vijay] [abraham] [i]
  [kishon]@[ti] [com] [based] [on] [twl6030]_[usb] [c] [author] [hema]
  [hk] [hemahk]@[ti] [com] this program is distributed in the hope
  that it will be useful but without any warranty without even the
  implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 1105 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.202006027@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-30 11:26:37 -07:00
Mauro Carvalho Chehab 85709cbf15 media: replace strncpy() by strscpy()
The strncpy() function is being deprecated upstream. Replace
it by the safer strscpy().

While here, replace a few occurences of strlcpy() that were
recently added to also use strscpy().

Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-03-29 10:26:13 -04:00
Mauro Carvalho Chehab 3420f65cbb media: dvb-pll: don't re-validate tuner frequencies
The dvb_frontend core already checks for the frequencies. No
need for any additional check inside the driver.

It is part of the fixes for the following bug:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1116374

Fixes: a3f90c75b8 ("media: dvb: convert tuner_info frequencies to Hz")
Reported-by: Stakanov Schufter <stakanov@eclipso.eu>
Reported-by: Takashi Iwai <tiwai@suse.de>
Cc: stable@vger.kernel.org # For 4.19
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-11-27 13:51:32 -05:00
Mauro Carvalho Chehab 3d8e450f51 media: dvb-pll: fix tuner frequency ranges
Tuners should report frequencies in Hz. That works fine on most
drivers, but, in the case of dvb-pll, some settings are for
satellite tuners, while others are for terrestrial/cable ones.

The code was trying to solve it at probing time, but that doesn't
work, as, when _attach is called, the delivery system may be wrong.

Fix it by ensuring that all frequencies are in Hz at the per-tuner
max/min values.

While here, add a debug message, as this would help to debug any
issues there.

It partially fixes the following bug:
  https://bugzilla.opensuse.org/show_bug.cgi?id=1116374

Fixes: a3f90c75b8 ("media: dvb: convert tuner_info frequencies to Hz")
Reported-by: Stakanov Schufter <stakanov@eclipso.eu>
Reported-by: Takashi Iwai <tiwai@suse.de>
Cc: stable@vger.kernel.org # For 4.19
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-11-27 13:50:58 -05:00
Mauro Carvalho Chehab a3f90c75b8 media: dvb: convert tuner_info frequencies to Hz
Right now, satellite tuner drivers specify frequencies in kHz,
while terrestrial/cable ones specify in Hz. That's confusing
for developers.

However, the main problem is that universal tuners capable
of handling both satellite and non-satelite delivery systems
are appearing. We end by needing to hack the drivers in
order to support such hybrid tuners.

So, convert everything to specify tuner frequencies in Hz.

Plese notice that a similar patch is also needed for frontends.

Tested-by: Katsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
Acked-by: Michael Büsch <m@bues.ch>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-08-02 16:14:50 -04:00
Akihiro Tsukada f917fc0e9b media: dvb-frontends/dvb-pll: fix module ref-counting
dvb-pll module was 'put' twice on exit:
once by dvb_frontend_detach() and another by dvb_module_release().

Signed-off-by: Akihiro Tsukada <tskd08@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-07-30 08:51:06 -04:00
Akihiro Tsukada 648db06dd9 media: dvb-frontends/dvb-pll: add tda6651 ISDB-T pll_desc
This patch adds a PLL "description" of Philips TDA6651 for ISDB-T.
It was extracted from (the former) va1j5jf8007t.c of EarthSoft PT1,
thus the desc might include PT1 specific configs.

Signed-off-by: Akihiro Tsukada <tskd08@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-05 07:19:32 -04:00
Akihiro Tsukada 17459727ba media: dvb-frontends/dvb-pll: add tua6034 ISDB-T tuner used in Friio
This driver already contains tua6034-based device settings,
but they are not for ISDB-T and have different parameters.

Signed-off-by: Akihiro Tsukada <tskd08@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-05 06:42:23 -04:00
Akihiro Tsukada eaa51fee29 media: dvb-frontends/dvb-pll: add i2c driver support
registers the module as an i2c driver,
but keeps dvb_pll_attach() untouched for compatibility.

Signed-off-by: Akihiro Tsukada <tskd08@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2018-05-05 06:41:12 -04:00
Sean Young b475670715 media: dvb: i2c transfers over usb cannot be done from stack
Since commit 29d2fef8be ("usb: catch attempts to submit urbs
with a vmalloc'd transfer buffer"), the AverMedia AverTV DVB-T
USB 2.0 (a800) fails to probe.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-09-23 07:21:33 -04:00
Sakari Ailus bcb63314e2 [media] media: Drop FSF's postal address from the source code files
Drop the FSF's postal address from the source code files that typically
contain mostly the license text. Of the 628 removed instances, 578 are
outdated.

The patch has been created with the following command without manual edits:

git grep -l "675 Mass Ave\|59 Temple Place\|51 Franklin St" -- \
	drivers/media/ include/media|while read i; do i=$i perl -e '
open(F,"< $ENV{i}");
$a=join("", <F>);
$a =~ s/[ \t]*\*\n.*You should.*\n.*along with.*\n.*(\n.*USA.*$)?\n//m
	&& $a =~ s/(^.*)Or, (point your browser to) /$1To obtain the license, $2\n$1/m;
close(F);
open(F, "> $ENV{i}");
print F $a;
close(F);'; done

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
2017-01-27 11:38:09 -02:00
Mauro Carvalho Chehab f2709c206d Revert "[media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations"
While this patch sounded a good idea, unfortunately, it causes
bad dependencies, as drivers that would otherwise work without
the DVB core will now break:

ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/tea5767.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/tea5761.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/tda827x.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/tda18218.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/qt1010.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/mt2266.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/mt20xx.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/mt2060.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/mc44s803.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/fc0013.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/fc0012.ko] undefined!
ERROR: "dvb_tuner_simple_release" [drivers/media/tuners/fc0011.ko] undefined!

So, we have to revert it.

Note: as the argument for the release ops changed from "int"
to "void", we needed to change it at the revert patch, to
avoid compilation issues like:
	drivers/media/tuners/tea5767.c:437:23: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
	  .release           = tea5767_release,
	                       ^~~~~~~~~~~~~~~

This reverts commit 22a613e898.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-18 20:44:33 -02:00
Max Kellermann 22a613e898 [media] dvb_frontend: merge duplicate dvb_tuner_ops.release implementations
Most release callback functions are identical: free the "tuner_priv"
and clear it.  Let's eliminate some bloat by providing this simple
implementation in the dvb_frontend library.

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-18 15:05:44 -02:00
Mauro Carvalho Chehab 5479a582de [media] dvb-pll: use pr_foo() macros instead of printk()
Replace printk() macros by their pr_foo() counterparts.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-10-21 08:51:31 -02:00
Julia Lawall 14c4bf3c6f [media] dvb-frontends: constify dvb_tuner_ops structures
These structures are only used to copy into other structures, so declare
them as const.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r disable optional_qualifier@
identifier i;
position p;
@@
static struct dvb_tuner_ops i@p = { ... };

@ok1@
identifier r.i;
expression e;
position p;
@@
e = i@p

@ok2@
identifier r.i;
expression e1, e2;
position p;
@@
memcpy(e1, &i@p, e2)

@bad@
position p != {r.p,ok1.p,ok2.p};
identifier r.i;
struct dvb_tuner_ops e;
@@
e@i@p

@depends on !bad disable optional_qualifier@
identifier r.i;
@@
static
+const
 struct dvb_tuner_ops i = { ... };
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-09-19 16:22:55 -03:00
Joe Perches 548146fbbc [media] dvb-pll: Convert struct dvb_pll_desc uses to const
Convert the struct dvb_pll_desc uses to const and
change the "entries" fixed array size from 12 to []

It saves a couple KB overall and remove ~5KB of data.

$ size drivers/media/dvb-frontends/dvb-pll.o*
   text        data     bss     dec     hex filename
   8520        1552    2120   12192    2fa0 drivers/media/dvb-frontends/dvb-pll.o.new
   5624        6363    2120   14107    371b drivers/media/dvb-frontends/dvb-pll.o.old

[PG] Patch taken from https://lkml.org/lkml/2015/6/24/721 with
commit message updated.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Reviewed-by: Michael Ira Krufky <m.krufky@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-08-11 15:56:27 -03:00
Mauro Carvalho Chehab 9a0bf528b4 [media] move the dvb/frontends to drivers/media/dvb-frontends
Raise the DVB frontends one level up, as the intention is to remove
the drivers/media/dvb directory.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2012-08-13 23:13:41 -03:00