1. 14 Aug, 2019 13 commits
    • media: tm6000: double free if usb disconnect while streaming · 699bf941
      Sean Young authored
      The usb_bulk_urb will be kfree'd on disconnect, so ensure the pointer is set
      to NULL after each free.
      
      stop stream
      urb killing
      urb buffer free
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start stream request tm6000_start_stream
      tm6000: pipe reset
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: IR URB failure: status: -71, length 0
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      tm6000:  error tm6000_urb_received
      usb 1-2: USB disconnect, device number 5
      tm6000: disconnecting tm6000 #0
      ==================================================================
      BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
      Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
      
      CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
      Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack+0x9a/0xf0
       print_address_description.cold+0xae/0x34f
       __kasan_report.cold+0x75/0x93
       ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
       ? dvb_fini+0x75/0x140 [tm6000_dvb]
       kasan_report+0xe/0x12
       dvb_fini+0x75/0x140 [tm6000_dvb]
       tm6000_close_extension+0x51/0x80 [tm6000]
       tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
       usb_unbind_interface+0xe4/0x390
       device_release_driver_internal+0x121/0x250
       bus_remove_device+0x197/0x260
       device_del+0x268/0x550
       ? __device_links_no_driver+0xd0/0xd0
       ? usb_remove_ep_devs+0x30/0x3b
       usb_disable_device+0x122/0x400
       usb_disconnect+0x153/0x430
       hub_event+0x800/0x1e40
       ? trace_hardirqs_on_thunk+0x1a/0x20
       ? hub_port_debounce+0x1f0/0x1f0
       ? retint_kernel+0x10/0x10
       ? lock_is_held_type+0xf1/0x130
       ? hub_port_debounce+0x1f0/0x1f0
       ? process_one_work+0x4ae/0xa00
       process_one_work+0x4ba/0xa00
       ? pwq_dec_nr_in_flight+0x160/0x160
       ? do_raw_spin_lock+0x10a/0x1d0
       worker_thread+0x7a/0x5c0
       ? process_one_work+0xa00/0xa00
       kthread+0x1d5/0x200
       ? kthread_create_worker_on_cpu+0xd0/0xd0
       ret_from_fork+0x3a/0x50
      
      Allocated by task 2682:
       save_stack+0x1b/0x80
       __kasan_kmalloc.constprop.0+0xc2/0xd0
       usb_alloc_urb+0x28/0x60
       tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
       dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
       dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
       dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
       dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
       dvb_usercopy+0x97/0x1f0 [dvb_core]
       dvb_demux_ioctl+0x11/0x20 [dvb_core]
       do_vfs_ioctl+0x5d8/0x9d0
       ksys_ioctl+0x5e/0x90
       __x64_sys_ioctl+0x3d/0x50
       do_syscall_64+0x74/0xe0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 22:
       save_stack+0x1b/0x80
       __kasan_slab_free+0x12c/0x170
       kfree+0xfd/0x3a0
       xhci_giveback_urb_in_irq+0xfe/0x230
       xhci_td_cleanup+0x276/0x340
       xhci_irq+0x1129/0x3720
       __handle_irq_event_percpu+0x6e/0x420
       handle_irq_event_percpu+0x6f/0x100
       handle_irq_event+0x55/0x84
       handle_edge_irq+0x108/0x3b0
       handle_irq+0x2e/0x40
       do_IRQ+0x83/0x1a0
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: rc: imon-rsc keymap has incorrect mappings · 6fb71958
      Sean Young authored
      KEY_MAX is not a key but designates the highest value a linux keycode
      can ever have.
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: em28xx: modules workqueue not inited for 2nd device · 46e4a266
      Sean Young authored
      syzbot reports an error on flush_request_modules() for the second device.
      This workqueue was never initialised so simply remove the offending line.
      
      usb 1-1: USB disconnect, device number 2
      em28xx 1-1:1.153: Disconnecting em28xx #1
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 12 at kernel/workqueue.c:3031
      __flush_work.cold+0x2c/0x36 kernel/workqueue.c:3031
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc2+ #25
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        panic+0x2a3/0x6da kernel/panic.c:219
        __warn.cold+0x20/0x4a kernel/panic.c:576
        report_bug+0x262/0x2a0 lib/bug.c:186
        fixup_bug arch/x86/kernel/traps.c:179 [inline]
        fixup_bug arch/x86/kernel/traps.c:174 [inline]
        do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
        do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
        invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
      RIP: 0010:__flush_work.cold+0x2c/0x36 kernel/workqueue.c:3031
        flush_request_modules drivers/media/usb/em28xx/em28xx-cards.c:3325 [inline]
        em28xx_usb_disconnect.cold+0x280/0x2a6
      drivers/media/usb/em28xx/em28xx-cards.c:4023
        usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
        __device_release_driver drivers/base/dd.c:1120 [inline]
        device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
        bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
        device_del+0x420/0xb10 drivers/base/core.c:2288
        usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
        usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
        hub_port_connect drivers/usb/core/hub.c:4949 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        process_scheduled_works kernel/workqueue.c:2331 [inline]
        worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      Fixes: be7fd3c3 ("media: em28xx: Hauppauge DualHD second tuner functionality")
      Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
      Reviewed-by: Brad Love <brad@nextdimension.cc>
      Reported-by: syzbot+b7f57261c521087d89bb@syzkaller.appspotmail.com
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: selftests: ir: fix ir_loopback test failure · f1409116
      Sean Young authored
      The decoder is called rc-mm, not rcmm. This was renamed late in the cycle
      so this bug crept in.
      Acked-by: Shuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: imon_raw: prevent "nonsensical timing event of duration 0" · 494fce16
      Sean Young authored
      Sometimes the device sends IR data which is all space, no pulses
      whatsoever. At the end of this the driver will put the rc device into
      idle mode when it already is in idle mode. The following will be logged:
      
      rc rc0: nonsensical timing event of duration 0
      rc rc0: two consecutive events of type space
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: imon_raw: simplify and explain bit operations · e70d13f7
      Sean Young authored
      This code needs some explanation.
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: ir-kbd-i2c: convert to i2c_new_dummy_device() · 1b09a2af
      Wolfram Sang authored
      Convert this driver to use the new i2c_new_dummy_device() call and bail
      out if the dummy device cannot be registered to make failure more
      visible to the user.
      Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: rc: add include guard to rc-map.h · 92ffdb61
      Masahiro Yamada authored
      Add a header include guard just in case.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: stv0900_core: remove redundant assignment to variables mclk, div and ad_div · 247d46b3
      Colin Ian King authored
      The variables mclk, div and ad_div are being assigned values
      that are never read and are being updated later with new values.
      The assignments are redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: dvb_frontend.h: Fix shifting signed 32-bit value problem · 5532c628
      Luke Nowakowski-Krijger authored
      Fix DVBFE_ALGO_RECOVERY and DVBFE_ALGO_SEARCH_ERROR to use the BIT macro,
      which fixes an undefined behavior error by certain compilers.

      Also changed all other bit shifted definitions to use the macro for better
      readability.
      Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: media/dvb: Use kmemdup rather than duplicating its implementation · f6af820e
      Fuqian Huang authored
      kmemdup is introduced to duplicate a region of memory in a neat way.
      Rather than kmalloc/kzalloc + memcpy, for which the programmer needs to
      write the size twice (sometimes leading to mistakes), kmemdup improves
      readability, leads to smaller code and also reduces the chances of mistakes.
      Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy.
      Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: media/tuners: Use kmemdup rather than duplicating its implementation · 48059784
      Fuqian Huang authored
      kmemdup is introduced to duplicate a region of memory in a neat way.
      Rather than kmalloc/kzalloc + memcpy, for which the programmer needs to
      write the size twice (sometimes leading to mistakes), kmemdup improves
      readability, leads to smaller code and also reduces the chances of mistakes.
      Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy.
      Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: media/usb: Use kmemdup rather than duplicating its implementation · 771560e5
      Fuqian Huang authored
      kmemdup is introduced to duplicate a region of memory in a neat way.
      Rather than kmalloc/kzalloc + memcpy, for which the programmer needs to
      write the size twice (sometimes leading to mistakes), kmemdup improves
      readability, leads to smaller code and also reduces the chances of mistakes.
      Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy.
      Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
  2. 13 Aug, 2019 27 commits