1. 21 Aug, 2019 14 commits
    • Wenwen Wang's avatar
      media: dvb-core: fix a memory leak bug · fcd5ce4b
      Wenwen Wang authored
      In dvb_create_media_entity(), 'dvbdev->entity' is allocated through
      kzalloc(). Then, 'dvbdev->pads' is allocated through kcalloc(). However, if
      kcalloc() fails, the allocated 'dvbdev->entity' is not deallocated, leading
      to a memory leak bug. To fix this issue, free 'dvbdev->entity' before
      returning -ENOMEM.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      fcd5ce4b
    • Sean Young's avatar
      media: ttpci: unknown protocol is rc-mm-32 · b1da86fc
      Sean Young authored
      This protocol responds to a real philips rc-mm remote; it does not respond
      to IR encoded with the encoder in ir-rcmm-decoder.c.
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      b1da86fc
    • Wenwen Wang's avatar
      media: dvb-frontends: fix a memory leak bug · 2f6451ed
      Wenwen Wang authored
      In cx24117_load_firmware(), 'buf' is allocated through kmalloc() to hold
      the firmware. However, if i2c_transfer() fails, it is not deallocated,
      leading to a memory leak bug.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      2f6451ed
    • Wenwen Wang's avatar
      media: dvb-frontends: fix memory leaks · 8c3d3cdb
      Wenwen Wang authored
      In dib7000pc_detection(), 'tx' and 'rx' are allocated through kzalloc()
      respectively. However, if DiB7000PC is detected, they are not deallocated,
      leading to memory leaks. To fix this issue, create a label to free 'tx' and
      'rx' before returning from the function.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      8c3d3cdb
    • A Sun's avatar
      media: mceusb: fix (eliminate) TX IR signal length limit · 9fc3ce31
      A Sun authored
      Fix and eliminate mceusb's IR length limit for IR signals transmitted to
      the MCE IR blaster ports.
      
      An IR signal TX exceeding 306 pulse/space samples presently causes -EINVAL
      return error. There's no such limitation nor error with the MCE device
      hardware. And valid IR signals exist with more than 400 pulse/space for the
      control of certain appliances (eg Panasonic ACXA75C00600 air conditioner).
      
      The scope of this patch is limited to the mceusb driver. There are still
      IR signal TX length and time constraints that related modules of rc core
      (eg LIRC) impose, further up the driver stack.
      
      Changes for mceusb_tx_ir():
      
      Converts and sends LIRC IR pulse/space sequence to MCE device IR
      pulse/space format.
      
      Break long length LIRC sequence into multiple (unlimited number of) parts
      for sending to the MCE device.
      Reduce kernel stack IR buffer size: 128 (was 384)
      Increase MCE IR data packet size: 31 (was 5)
      Zero time LIRC pulse/space no longer copied to MCE IR data.
      Eliminate overwriting the source/input LIRC IR data in txbuf[].
      Eliminate -EINVAL return; return number of IR samples sent (>0) or
      MCE write error code (<0).
      
      New mce_write() and mce_write_callback():
      
      Implements synchronous blocking I/O, with timeout, for writing/sending
      data to the MCE device.
      
      An unlimited multipart IR signal sent to the MCE device faster than real
      time requires flow control absent with the original mce_request_packet()
      and mce_async_callback() asynchronous I/O implementation. Also absent is
      TX error feedback.
      
      mce_write() combines and replaces mce_request_packet() and
      mce_async_callback() with conversion to synchronous I/O.
      mce_write() returns bytes sent (>0) or MCE device write error (<0).
      Debug hex dump TX data before processing.
      
      Rename mce_async_out() -> mce_command_out():
      
      The original name is misleading with underlying synchronous I/O
      implementation. Function renamed to mce_command_out().
      
      Changes in mceusb_handle_command():
      
      Add support for MCE device error case MCE_RSP_TX_TIMEOUT
      "IR TX timeout (TX buffer underrun)"
      
      Changes in mceusb_dev_printdata():
      
      Changes support test and debug of multipart TX IR.
      
      Add buffer boundary information (offset and buffer size) to TX hex dump.
      Correct TX trace bug "Raw IR data, 0 pulse/space samples"
      Add trace for MCE_RSP_TX_TIMEOUT "IR TX timeout (TX buffer underrun)"
      
      Other changes:
      
      The driver's write to USB device architecture change (async to sync I/O)
      is significant so we bump DRIVER_VERSION to "1.95" (from "1.94").
      
      Tests:
      
      $ cat -n irdata1 | head -3
           1  carrier 36000
           2  pulse 6350
           3  space 6350
      $ cat -n irdata1 | tail -3
          76  pulse 6350
          77  space 6350
          78  pulse 6350
      $ ir-ctl -s irdata1
      
      [1549021.073612] mceusb 1-1.3:1.0: requesting 36000 HZ carrier
      [1549021.073635] mceusb 1-1.3:1.0: tx data[0]: 9f 06 01 45 (len=4 sz=4)
      [1549021.073649] mceusb 1-1.3:1.0: Request carrier of 35714 Hz (period 28us)
      [1549021.073848] mceusb 1-1.3:1.0: tx done status = 4 (wait = 100, expire = 100 (1000ms), urb->actual_length = 4, urb->status = 0)
      [1549021.074689] mceusb 1-1.3:1.0: rx data[0]: 9f 06 01 45 (len=4 sz=4)
      [1549021.074701] mceusb 1-1.3:1.0: Got carrier of 35714 Hz (period 28us)
      [1549021.102023] mceusb 1-1.3:1.0: tx data[0]: 9f 08 03 (len=3 sz=3)
      [1549021.102036] mceusb 1-1.3:1.0: Request transmit blaster mask of 0x03
      [1549021.102219] mceusb 1-1.3:1.0: tx done status = 3 (wait = 100, expire = 100 (1000ms), urb->actual_length = 3, urb->status = 0)
      [1549021.131979] mceusb 1-1.3:1.0: tx data[0]: 9e ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f 9e ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f ff 7f 91 ff (len=81 sz=81)
      [1549021.131992] mceusb 1-1.3:1.0: Raw IR data, 30 pulse/space samples
      [1549021.133592] mceusb 1-1.3:1.0: tx done status = 81 (wait = 100, expire = 100 (1000ms), urb->actual_length = 81, urb->status = 0)
      
      Hex dumps limited to 64 bytes.
      0xff is MCE maximum time pulse, 0x7f is MCE maximum time space.
      
      $ cat -n irdata2 | head -3
           1  carrier 36000
           2  pulse 50
           3  space 50
      $ cat -n irdata2 | tail -3
         254  pulse 50
         255  space 50
         256  pulse 50
      $ ir-ctl -s irdata2
      
      [1549306.586998] mceusb 1-1.3:1.0: tx data[0]: 9f 08 03 (len=3 sz=3)
      [1549306.587015] mceusb 1-1.3:1.0: Request transmit blaster mask of 0x03
      [1549306.587252] mceusb 1-1.3:1.0: tx done status = 3 (wait = 100, expire = 100 (1000ms), urb->actual_length = 3, urb->status = 0)
      [1549306.613275] mceusb 1-1.3:1.0: tx data[0]: 9e 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 9e 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 9e 81 (len=128 sz=128)
      [1549306.613291] mceusb 1-1.3:1.0: Raw IR data, 30 pulse/space samples
      [1549306.614837] mceusb 1-1.3:1.0: tx done status = 128 (wait = 100, expire = 100 (1000ms), urb->actual_length = 128, urb->status = 0)
      [1549306.614861] mceusb 1-1.3:1.0: tx data[0]: 9e 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 9e 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 01 81 9e 01 (len=128 sz=128)
      [1549306.614869] mceusb 1-1.3:1.0: Raw IR data, 30 pulse/space samples
      [1549306.620199] mceusb 1-1.3:1.0: tx done status = 128 (wait = 100, expire = 100 (1000ms), urb->actual_length = 128, urb->status = 0)
      [1549306.620212] mceusb 1-1.3:1.0: tx data[0]: 89 81 01 81 01 81 01 81 01 81 80 (len=11 sz=11)
      [1549306.620221] mceusb 1-1.3:1.0: Raw IR data, 9 pulse/space samples
      [1549306.633294] mceusb 1-1.3:1.0: tx done status = 11 (wait = 98, expire = 100 (1000ms), urb->actual_length = 11, urb->status = 0)
      
      Hex dumps limited to 64 bytes.
      0x81 is MCE minimum time pulse, 0x01 is MCE minimum time space.
      TX IR part 3 sz=11 shows 20msec I/O blocking delay
      (100expire - 98wait = 2jiffies)
      Signed-off-by: default avatarA Sun <as1033x@comcast.net>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      9fc3ce31
    • Christian Hewitt's avatar
      media: rc: add keymap for HardKernel ODROID remote · 8f5f33f7
      Christian Hewitt authored
      This is a simple NEC remote control device shipped with the HardKernel
      ODROID range of SBC devices.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      8f5f33f7
    • Christian Hewitt's avatar
      media: rc: add keymap for WeTeK Play 2 remote · fa992b33
      Christian Hewitt authored
      The WeTek Play 2 Android STB ships with an unusual remote where the
      main up/down/left/right/enter controls are surrounded with an outer
      ring of additional keys which are listed in clockwise order.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      fa992b33
    • Christian Hewitt's avatar
      media: rc: add keymap for WeTek Hub remote · 37307897
      Christian Hewitt authored
      The WeTek Hub Android STB ships with a simple NEC remote.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      37307897
    • Christian Hewitt's avatar
      media: rc: add keymap for Tanix TX5 max remote · 7bb53f36
      Christian Hewitt authored
      The Tanix TX5 max Android STB ships with a simple NEC remote.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      7bb53f36
    • Christian Hewitt's avatar
      media: rc: add keymap for Tanix TX3 mini remote · e30399e1
      Christian Hewitt authored
      The Tanix TX3 mini Android STB ships with a simple NEC remote.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      e30399e1
    • Christian Hewitt's avatar
      media: rc: add keymap for Khadas VIM/EDGE remote · a53dee7b
      Christian Hewitt authored
      Khadas VIM and Edge SBC devices use the same NEC remote device. The
      remote includes a mouse button for Android use. This has been mapped
      to KEY_MUTE.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      a53dee7b
    • Christian Hewitt's avatar
      media: rc: add keymap for Amediatech X96-MAX remote · 9b9e9e5b
      Christian Hewitt authored
      The X96-Max Android STB ships with a simple NEC remote. It includes
      a TV section with preset buttons for controlling a TV. These are not
      configurable, but are noted to aid visual recognition of the device.
      Signed-off-by: default avatarChristian Hewitt <christianshewitt@gmail.com>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      9b9e9e5b
    • Marc Gonzalez's avatar
      media: si2168: Refactor command setup code · 619f6fc3
      Marc Gonzalez authored
      Use cmd_init() to fill a struct si2168_cmd command.
      Signed-off-by: default avatarMarc Gonzalez <marc.w.gonzalez@free.fr>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      619f6fc3
    • Sean Young's avatar
      media: dvb-frontends: use ida for pll number · c268e7ad
      Sean Young authored
      KASAN: global-out-of-bounds Read in dvb_pll_attach
      
      Syzbot reported global-out-of-bounds Read in dvb_pll_attach, while
      accessing id[dvb_pll_devcount], because dvb_pll_devcount was 65,
      that is more than size of 'id' which is DVB_PLL_MAX(64).
      
      Rather than increasing dvb_pll_devcount every time, use ida so that
      numbers are allocated correctly. This does mean that no more than
      64 devices can be attached at the same time, but this is more than
      sufficient.
      
      usb 1-1: dvb_usb_v2: will pass the complete MPEG2 transport stream to the
      software demuxer
      dvbdev: DVB: registering new adapter (774 Friio White ISDB-T USB2.0)
      usb 1-1: media controller created
      dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
      tc90522 0-0018: Toshiba TC90522 attached.
      usb 1-1: DVB: registering adapter 0 frontend 0 (Toshiba TC90522 ISDB-T
      module)...
      dvbdev: dvb_create_media_entity: media entity 'Toshiba TC90522 ISDB-T
      module' registered.
      ==================================================================
      BUG: KASAN: global-out-of-bounds in dvb_pll_attach+0x6c5/0x830
      drivers/media/dvb-frontends/dvb-pll.c:798
      Read of size 4 at addr ffffffff89c9e5e0 by task kworker/0:1/12
      
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #13
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x67/0x231 mm/kasan/report.c:188
        __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
        kasan_report+0xe/0x20 mm/kasan/common.c:614
        dvb_pll_attach+0x6c5/0x830 drivers/media/dvb-frontends/dvb-pll.c:798
        dvb_pll_probe+0xfe/0x174 drivers/media/dvb-frontends/dvb-pll.c:877
        i2c_device_probe+0x790/0xaa0 drivers/i2c/i2c-core-base.c:389
        really_probe+0x281/0x660 drivers/base/dd.c:509
        driver_probe_device+0x104/0x210 drivers/base/dd.c:670
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:843
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2111
        i2c_new_client_device+0x5b3/0xc40 drivers/i2c/i2c-core-base.c:778
        i2c_new_device+0x19/0x50 drivers/i2c/i2c-core-base.c:821
        dvb_module_probe+0xf9/0x220 drivers/media/dvb-core/dvbdev.c:985
        friio_tuner_attach+0x125/0x1d0 drivers/media/usb/dvb-usb-v2/gl861.c:536
        dvb_usbv2_adapter_frontend_init
      drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:675 [inline]
        dvb_usbv2_adapter_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:804
      [inline]
        dvb_usbv2_init drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:865 [inline]
        dvb_usbv2_probe.cold+0x24dc/0x255d
      drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:980
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x660 drivers/base/dd.c:509
        driver_probe_device+0x104/0x210 drivers/base/dd.c:670
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:843
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2111
        usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
        generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
        usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
        really_probe+0x281/0x660 drivers/base/dd.c:509
        driver_probe_device+0x104/0x210 drivers/base/dd.c:670
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:843
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2111
        usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2534
        hub_port_connect drivers/usb/core/hub.c:5089 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
        port_event drivers/usb/core/hub.c:5350 [inline]
        hub_event+0x1ada/0x3590 drivers/usb/core/hub.c:5432
        process_one_work+0x905/0x1570 kernel/workqueue.c:2269
        process_scheduled_works kernel/workqueue.c:2331 [inline]
        worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
        kthread+0x30b/0x410 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the variable:
        id+0x100/0x120
      
      Memory state around the buggy address:
        ffffffff89c9e480: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 00 00
        ffffffff89c9e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      > ffffffff89c9e580: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
                                                              ^
        ffffffff89c9e600: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
        ffffffff89c9e680: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
      ==================================================================
      
      Reported-by: syzbot+8a8f48672560c8ca59dd@syzkaller.appspotmail.com
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      c268e7ad
  2. 19 Aug, 2019 26 commits