1. 13 Dec, 2017 3 commits
  2. 12 Dec, 2017 17 commits
  3. 11 Dec, 2017 20 commits
    • Andrey Konovalov's avatar
      media: pvrusb2: properly check endpoint types · 72c27a68
      Andrey Konovalov authored
      As syzkaller detected, pvrusb2 driver submits bulk urb withount checking
      the the endpoint type is actually blunk. Add a check.
      
      usb 1-1: BOGUS urb xfer, pipe 3 != type 1
      ------------[ cut here ]------------
      WARNING: CPU: 1 PID: 2713 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
      Modules linked in:
      CPU: 1 PID: 2713 Comm: pvrusb2-context Not tainted
      4.14.0-rc1-42251-gebb2c243 #210
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      task: ffff88006b7a18c0 task.stack: ffff880069978000
      RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
      RSP: 0018:ffff88006997f990 EFLAGS: 00010286
      RAX: 0000000000000029 RBX: ffff880063661900 RCX: 0000000000000000
      RDX: 0000000000000029 RSI: ffffffff86876d60 RDI: ffffed000d32ff24
      RBP: ffff88006997fa90 R08: 1ffff1000d32fdca R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000d32ff39
      R13: 0000000000000001 R14: 0000000000000003 R15: ffff880068bbed68
      FS:  0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000001032000 CR3: 000000006a0ff000 CR4: 00000000000006f0
      Call Trace:
       pvr2_send_request_ex+0xa57/0x1d80 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:3645
       pvr2_hdw_check_firmware drivers/media/usb/pvrusb2/pvrusb2-hdw.c:1812
       pvr2_hdw_setup_low drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2107
       pvr2_hdw_setup drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2250
       pvr2_hdw_initialize+0x548/0x3c10 drivers/media/usb/pvrusb2/pvrusb2-hdw.c:2327
       pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:118
       pvr2_context_thread_func+0x361/0x8c0 drivers/media/usb/pvrusb2/pvrusb2-context.c:167
       kthread+0x3a1/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
      e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
      ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
      ---[ end trace 6919030503719da6 ]---
      Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      72c27a68
    • Mauro Carvalho Chehab's avatar
      media: led-class-flash: better handle NULL flash struct · 09db1a46
      Mauro Carvalho Chehab authored
      The logic at V4L2 led core assumes that the flash struct
      can be null. However, it doesn't check for null while
      trying to set, causing some smatch  to warn:
      
      	drivers/media/v4l2-core/v4l2-flash-led-class.c:210 v4l2_flash_s_ctrl() error: we previously assumed 'fled_cdev' could be null (see line 200)
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      09db1a46
    • Mauro Carvalho Chehab's avatar
      media: dvb_frontend: be sure to init dvb_frontend_handle_ioctl() return code · a9cb97c3
      Mauro Carvalho Chehab authored
      As smatch warned:
      	drivers/media/dvb-core/dvb_frontend.c:2468 dvb_frontend_handle_ioctl() error: uninitialized symbol 'err'.
      
      The ioctl handler actually got a regression here: before changeset
      d73dcf0c ("media: dvb_frontend: cleanup ioctl handling logic"),
      the code used to return -EOPNOTSUPP if an ioctl handler was not
      implemented on a driver. After the change, it may return a random
      value.
      
      Fixes: d73dcf0c ("media: dvb_frontend: cleanup ioctl handling logic")
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Tested-by: default avatarDaniel Scheller <d.scheller@gmx.net>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      a9cb97c3
    • Mauro Carvalho Chehab's avatar
      media: xc5000: better handle I2C error messages · 7621b8c4
      Mauro Carvalho Chehab authored
      As warned by smatch, there are several places where the I2C
      transfer may fail, leading into inconsistent behavior:
      
      	drivers/media/tuners/xc5000.c:689 xc_debug_dump() error: uninitialized symbol 'regval'.
      	drivers/media/tuners/xc5000.c:841 xc5000_is_firmware_loaded() error: uninitialized symbol 'id'.
      	drivers/media/tuners/xc5000.c:939 xc5000_set_tv_freq() error: uninitialized symbol 'pll_lock_status'.
      	drivers/media/tuners/xc5000.c:1195 xc_load_fw_and_init_tuner() error: uninitialized symbol 'pll_lock_status'.
      
      Handle the return codes from the I2C transfer, in order to
      address those issues.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      7621b8c4
    • Mauro Carvalho Chehab's avatar
      media: mxl111sf: improve error handling logic · ad7b57d5
      Mauro Carvalho Chehab authored
      As reported by smatch:
      	drivers/media/usb/dvb-usb-v2/mxl111sf-demod.c:485 mxl111sf_demod_read_signal_strength() error: uninitialized symbol 'modulation'.
      
      The mxl111sf_demod_read_signal_strength() just ignores if something
      gets wrong while reading snr or modulation.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      ad7b57d5
    • Mauro Carvalho Chehab's avatar
      media: drxd_hard: better handle I2C errors · f161544d
      Mauro Carvalho Chehab authored
      As warned by smatch:
      	drivers/media/dvb-frontends/drxd_hard.c:989 HI_Command() error: uninitialized symbol 'waitCmd'.
      	drivers/media/dvb-frontends/drxd_hard.c:1306 SC_WaitForReady() error: uninitialized symbol 'curCmd'.
      	drivers/media/dvb-frontends/drxd_hard.c:1322 SC_SendCommand() error: uninitialized symbol 'errCode'.
      	drivers/media/dvb-frontends/drxd_hard.c:1339 SC_ProcStartCommand() error: uninitialized symbol 'scExec'.
      
      The error handling on several places are somewhat flawed, as
      they don't check if Read16() returns an error.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      f161544d
    • Mauro Carvalho Chehab's avatar
      media: cxd2841er: ensure that status will always be available · 07ade2d0
      Mauro Carvalho Chehab authored
      The loop with read status use a dynamic timeout value, calculated
      from symbol rate. It should run the loop at least one time for
      the status to be handled after the loop.
      
      While this should, in practice, happen every time, it doesn't
      hurt to change the logic to make it explicit.
      
      This solves a smatch warning:
      	drivers/media/dvb-frontends/cxd2841er.c:3350 cxd2841er_set_frontend_s() error: uninitialized symbol 'status'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      07ade2d0
    • Mauro Carvalho Chehab's avatar
      media: cx25821-alsa: fix usage of a pointer printk · 04f849c0
      Mauro Carvalho Chehab authored
      As warned by smatch:
      	drivers/media/pci/cx25821/cx25821-alsa.c:155 cx25821_alsa_dma_init() warn: argument 3 to %08lx specifier is cast from pointer
      
      Use the standard %p to print a pointer.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      04f849c0
    • Mauro Carvalho Chehab's avatar
      media: dvbsky: shut up a bogus warning · 021c01d3
      Mauro Carvalho Chehab authored
      Smatch gives two bogus warnings on this driver:
      	drivers/media/usb/dvb-usb-v2/dvbsky.c:336 dvbsky_s960_attach() error: uninitialized symbol 'i2c_adapter'.
      	drivers/media/usb/dvb-usb-v2/dvbsky.c:459 dvbsky_s960c_attach() error: uninitialized symbol 'i2c_adapter'.
      
      Shut them up.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      021c01d3
    • Mauro Carvalho Chehab's avatar
      media: m88rs2000: handle the case where tuner doesn't have get_frequency · 74a6799c
      Mauro Carvalho Chehab authored
      If the tuner doesn't have get_frequency() callback, the current
      code will place a random value as the frequency offset. That
      doesn't seem right! The better is to just assume that, on such
      case, the tuner was able to set the exact frequency that was
      requested.
      
      Fixes a smatch warning:
      	drivers/media/dvb-frontends/m88rs2000.c:639 m88rs2000_set_frontend() error: uninitialized symbol 'tuner_freq'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      74a6799c
    • Mauro Carvalho Chehab's avatar
      media: pt1: fix logic when pt1_nr_tables is zero or negative · e639c869
      Mauro Carvalho Chehab authored
      pt1_nr_tables is a modprobe parameter. The way the logic
      handles it, it can't be negative. However, user can
      set it to zero.
      
      If set to zero, however, it will cause troubles at
      pt1_init_tables(), as reported by smatch:
      	drivers/media/pci/pt1/pt1.c:468 pt1_init_tables() error: uninitialized symbol 'first_pfn'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      e639c869
    • Mauro Carvalho Chehab's avatar
      media: ov9650: fix bogus warnings · 29236349
      Mauro Carvalho Chehab authored
      The smatch logic gets confused with the syntax used to check if the
      ov9650x_read() reads succedded:
      	drivers/media/i2c/ov9650.c:895 __g_volatile_ctrl() error: uninitialized symbol 'reg2'.
      	drivers/media/i2c/ov9650.c:895 __g_volatile_ctrl() error: uninitialized symbol 'reg1'.
      
      There's nothing wrong with the original logic, except that
      it is a little more harder to review.
      
      So, let's stick with the syntax that won't cause read
      issues.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Reviewed-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      29236349
    • Mauro Carvalho Chehab's avatar
      media: mb86a16: avoid division by zero · f303810c
      Mauro Carvalho Chehab authored
      As warned by smatch:
      	drivers/media/dvb-frontends/mb86a16.c:1690 mb86a16_read_ber() error: uninitialized symbol 'timer'.
      	drivers/media/dvb-frontends/mb86a16.c:1706 mb86a16_read_ber() error: uninitialized symbol 'timer'.
      
      There is a potential risk of doing a division by zero if
      timer is not handled well. Enforce it by setting a bit mask
      for the values used to select the timer.
      
      It should be noticed that I don't have mb86a16 datasheet. So,
      the bitmask was guessed based on the existing checks for
      the field. At worse case scenario, it will just show a
      badly calculated bit error rate, but it won't crash.
      
      While here, optimize the logic to prevent uneeded tests.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      f303810c
    • Mauro Carvalho Chehab's avatar
      media: mb86a16: be more resilient if I2C fails on sync · 15e3145a
      Mauro Carvalho Chehab authored
      If the I2C read fails while check for sync, there's no point
      on doing adjusting the tuner due to a random value that might
      be at VIRM var. So, set VIRM to zero, as that makes the caller
      for check_sync() to return an error.
      
      Fix those smatch warnings:
      	drivers/media/dvb-frontends/mb86a16.c:1460 mb86a16_set_fe() error: uninitialized symbol 'VIRM'.
      	drivers/media/dvb-frontends/mb86a16.c:1461 mb86a16_set_fe() error: uninitialized symbol 'VIRM'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      15e3145a
    • Mauro Carvalho Chehab's avatar
      media: drxj: better handle errors · 452c6446
      Mauro Carvalho Chehab authored
      as reported by smatch:
      	drivers/media/dvb-frontends/drx39xyj/drxj.c:2157 drxj_dap_atomic_read_write_block() error: uninitialized symbol 'word'.
      
      The driver doesn't check if a read error occurred. Add such
      check.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      452c6446
    • Mauro Carvalho Chehab's avatar
      media: imx274: don't randomly return if range_count is zero · 00b4bac7
      Mauro Carvalho Chehab authored
      As smatch reported:
      	drivers/media/i2c/imx274.c:659 imx274_regmap_util_write_table_8() error: uninitialized symbol 'err'.
      
      There is a bug at imx274_regmap_util_write_table_8() with causes
      it to randomly return a random error if range_count is zero.
      
      Worse than that, the logic there starts with range_count
      equal to zero, and periodically resets it to zero again.
      
      As it is a way more likely that err assumes a non-zero value,
      I suspect that the chance of this code to run is very small,
      so, it would be worth to review the entire function.
      
      Anyway, clearly it shouldn't be returning error if range_count
      is zero. So, let's fix it.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      00b4bac7
    • Mauro Carvalho Chehab's avatar
      media: stv090x: Only print tuner lock if get_status is available · ab0625f0
      Mauro Carvalho Chehab authored
      The current code doesn't report tuner lock properly if the
      tuner get_status callback is not available, as reported by
      smatch:
      	drivers/media/dvb-frontends/stv090x.c:2220 stv090x_get_coldlock() error: uninitialized symbol 'reg'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      ab0625f0
    • Mauro Carvalho Chehab's avatar
      media: xc4000: don't ignore error if hwmodel fails · 8a08ef08
      Mauro Carvalho Chehab authored
      If, for some reason, reading the hwmodel register on
      xc4000 fails, it will cause the following logig to
      use a random value, as reported by smatch:
      
      	drivers/media/tuners/xc4000.c:1047 check_firmware() error: uninitialized symbol 'hwmodel'.
      	drivers/media/tuners/xc4000.c:1060 check_firmware() error: uninitialized symbol 'hwmodel'.
      	drivers/media/tuners/xc4000.c:1064 check_firmware() error: uninitialized symbol 'hwmodel'.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      8a08ef08
    • Mauro Carvalho Chehab's avatar
      media: radio-si476x: fix behavior when seek->range* are defined · 02d73243
      Mauro Carvalho Chehab authored
      The logic at si476x_radio_s_hw_freq_seek() checks if the
      frequency range that will be used to handle hardware seek
      has the minimal frequency under rangelow. That works fine
      if userspace zeros both fields. However, if userspace
      fills either seek->rangelow or seek-rangehigh, it won't
      read the corresponding range from the device, causing the
      values to be unitialized, as warned by smatch:
      
      	drivers/media/radio/radio-si476x.c:789 si476x_radio_s_hw_freq_seek() error: uninitialized symbol 'rangelow'.
      	drivers/media/radio/radio-si476x.c:789 si476x_radio_s_hw_freq_seek() error: uninitialized symbol 'rangehigh'.
      
      Fix it by initializing those vars from the values present at
      the struct v4l2_hw_freq_seek.
      
      While here, simplify the logic which reads such values from
      the hardware limits.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      02d73243
    • Mauro Carvalho Chehab's avatar
      media: qt1010: fix bogus warnings · bc3cad2b
      Mauro Carvalho Chehab authored
      The logic at qt1010_init_meas1() and qt1010_init_meas2()
      are too complex for static analizers to identify that
      some vars are always be initialized.
      
      That causes smatch to produce the following warnings:
      	drivers/media/tuners/qt1010.c:248 qt1010_init_meas1() error: uninitialized symbol 'val2'.
      	drivers/media/tuners/qt1010.c:282 qt1010_init_meas2() error: uninitialized symbol 'val'.
      
      So, add annotations to prevent those bogus warnings.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      bc3cad2b