1. 19 Aug, 2019 22 commits
  2. 15 Aug, 2019 13 commits
  3. 14 Aug, 2019 5 commits
    • media: vsp1: fix memory leak of dl on error return path · 70c55c1a
      Colin Ian King authored
      Currently when the call vsp1_dl_body_get fails and returns null the
      error return path leaks the allocation of dl. Fix this by kfree'ing
      dl before returning.
      
      Addresses-Coverity: ("Resource leak")
      
      Fixes: 5d7936b8 ("media: vsp1: Convert display lists to use new body pool")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
      Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: rc: imon: Allow iMON RC protocol for ffdc 7e device · b20a6e29
      Darius Rad authored
      Allow selecting the IR protocol, MCE or iMON, for a device that
      identifies as follows (with config id 0x7e):
      
      15c2:ffdc SoundGraph Inc. iMON PAD Remote Controller
      
      As the driver is structured to default to iMON when both RC
      protocols are supported, existing users of this device (using MCE
      protocol) will need to manually switch to MCE (RC-6) protocol from
      userspace (with ir-keytable, sysfs).
      Signed-off-by: Darius Rad <alpha@area49.net>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: tm6000: double free if usb disconnect while streaming · 699bf941
      Sean Young authored
      The usb_bulk_urb will be kfree'd on disconnect, so ensure the pointer is set
      to NULL after each free.
      
      stop stream
      urb killing
      urb buffer free
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start stream request tm6000_start_stream
      tm6000: pipe reset
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: IR URB failure: status: -71, length 0
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      tm6000:  error tm6000_urb_received
      usb 1-2: USB disconnect, device number 5
      tm6000: disconnecting tm6000 #0
      ==================================================================
      BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
      Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
      
      CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
      Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack+0x9a/0xf0
       print_address_description.cold+0xae/0x34f
       __kasan_report.cold+0x75/0x93
       ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
       ? dvb_fini+0x75/0x140 [tm6000_dvb]
       kasan_report+0xe/0x12
       dvb_fini+0x75/0x140 [tm6000_dvb]
       tm6000_close_extension+0x51/0x80 [tm6000]
       tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
       usb_unbind_interface+0xe4/0x390
       device_release_driver_internal+0x121/0x250
       bus_remove_device+0x197/0x260
       device_del+0x268/0x550
       ? __device_links_no_driver+0xd0/0xd0
       ? usb_remove_ep_devs+0x30/0x3b
       usb_disable_device+0x122/0x400
       usb_disconnect+0x153/0x430
       hub_event+0x800/0x1e40
       ? trace_hardirqs_on_thunk+0x1a/0x20
       ? hub_port_debounce+0x1f0/0x1f0
       ? retint_kernel+0x10/0x10
       ? lock_is_held_type+0xf1/0x130
       ? hub_port_debounce+0x1f0/0x1f0
       ? process_one_work+0x4ae/0xa00
       process_one_work+0x4ba/0xa00
       ? pwq_dec_nr_in_flight+0x160/0x160
       ? do_raw_spin_lock+0x10a/0x1d0
       worker_thread+0x7a/0x5c0
       ? process_one_work+0xa00/0xa00
       kthread+0x1d5/0x200
       ? kthread_create_worker_on_cpu+0xd0/0xd0
       ret_from_fork+0x3a/0x50
      
      Allocated by task 2682:
       save_stack+0x1b/0x80
       __kasan_kmalloc.constprop.0+0xc2/0xd0
       usb_alloc_urb+0x28/0x60
       tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
       dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
       dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
       dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
       dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
       dvb_usercopy+0x97/0x1f0 [dvb_core]
       dvb_demux_ioctl+0x11/0x20 [dvb_core]
       do_vfs_ioctl+0x5d8/0x9d0
       ksys_ioctl+0x5e/0x90
       __x64_sys_ioctl+0x3d/0x50
       do_syscall_64+0x74/0xe0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 22:
       save_stack+0x1b/0x80
       __kasan_slab_free+0x12c/0x170
       kfree+0xfd/0x3a0
       xhci_giveback_urb_in_irq+0xfe/0x230
       xhci_td_cleanup+0x276/0x340
       xhci_irq+0x1129/0x3720
       __handle_irq_event_percpu+0x6e/0x420
       handle_irq_event_percpu+0x6f/0x100
       handle_irq_event+0x55/0x84
       handle_edge_irq+0x108/0x3b0
       handle_irq+0x2e/0x40
       do_IRQ+0x83/0x1a0
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: rc: imon-rsc keymap has incorrect mappings · 6fb71958
      Sean Young authored
      KEY_MAX is not a key but designates the highest value a Linux keycode
      can ever have.
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    • media: em28xx: modules workqueue not inited for 2nd device · 46e4a266
      Sean Young authored
      syzbot reports an error on flush_request_modules() for the second device.
      This workqueue was never initialised so simply remove the offending line.
      
      usb 1-1: USB disconnect, device number 2
      em28xx 1-1:1.153: Disconnecting em28xx #1
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 12 at kernel/workqueue.c:3031
      __flush_work.cold+0x2c/0x36 kernel/workqueue.c:3031
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc2+ #25
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        panic+0x2a3/0x6da kernel/panic.c:219
        __warn.cold+0x20/0x4a kernel/panic.c:576
        report_bug+0x262/0x2a0 lib/bug.c:186
        fixup_bug arch/x86/kernel/traps.c:179 [inline]
        fixup_bug arch/x86/kernel/traps.c:174 [inline]
        do_error_trap+0x12b/0x1e0 arch/x86/kernel/traps.c:272
        do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:291
        invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
      RIP: 0010:__flush_work.cold+0x2c/0x36 kernel/workqueue.c:3031
      Code: 9a 22 00 48 c7 c7 20 e4 c5 85 e8 d9 3a 0d 00 0f 0b 45 31 e4 e9 98 86
      ff ff e8 51 9a 22 00 48 c7 c7 20 e4 c5 85 e8 be 3a 0d 00 <0f> 0b 45 31 e4
      e9 7d 86 ff ff e8 36 9a 22 00 48 c7 c7 20 e4 c5 85
      RSP: 0018:ffff8881da20f720 EFLAGS: 00010286
      RAX: 0000000000000024 RBX: dffffc0000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffffffff8128a0fd RDI: ffffed103b441ed6
      RBP: ffff8881da20f888 R08: 0000000000000024 R09: fffffbfff11acd9a
      R10: fffffbfff11acd99 R11: ffffffff88d66ccf R12: 0000000000000000
      R13: 0000000000000001 R14: ffff8881c6685df8 R15: ffff8881d2a85b78
        flush_request_modules drivers/media/usb/em28xx/em28xx-cards.c:3325 [inline]
        em28xx_usb_disconnect.cold+0x280/0x2a6
      drivers/media/usb/em28xx/em28xx-cards.c:4023
        usb_unbind_interface+0x1bd/0x8a0 drivers/usb/core/driver.c:423
        __device_release_driver drivers/base/dd.c:1120 [inline]
        device_release_driver_internal+0x404/0x4c0 drivers/base/dd.c:1151
        bus_remove_device+0x2dc/0x4a0 drivers/base/bus.c:556
        device_del+0x420/0xb10 drivers/base/core.c:2288
        usb_disable_device+0x211/0x690 drivers/usb/core/message.c:1237
        usb_disconnect+0x284/0x8d0 drivers/usb/core/hub.c:2199
        hub_port_connect drivers/usb/core/hub.c:4949 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1454/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        process_scheduled_works kernel/workqueue.c:2331 [inline]
        worker_thread+0x7ab/0xe20 kernel/workqueue.c:2417
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      Kernel Offset: disabled
      Rebooting in 86400 seconds..
      
      Fixes: be7fd3c3 ("media: em28xx: Hauppauge DualHD second tuner functionality")
      Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
      Reviewed-by: Brad Love <brad@nextdimension.cc>
      Reported-by: syzbot+b7f57261c521087d89bb@syzkaller.appspotmail.com
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>