1. 19 Feb, 2016 37 commits
  2. 16 Feb, 2016 3 commits
    • Mauro Carvalho Chehab's avatar
      [media] siano: use generic function to create MC device · 3d0ccad0
      Mauro Carvalho Chehab authored
      Currently, it is initializing the driver name using the wrong
      name ("usb"). Use the generic function, as its logic works
      best, and avoids repeating the very same code everywhere.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      3d0ccad0
    • Mauro Carvalho Chehab's avatar
      [media] smsusb: don't sleep while atomic · dd47fbd4
      Mauro Carvalho Chehab authored
      smscore_getbuffer() calls internally wait_event(), with can sleep.
      As smsusb_onresponse() is called on interrupt context, this causes
      the following warning:
      
      	BUG: sleeping function called from invalid context at drivers/media/common/siano/smscoreapi.c:1653
      	in_atomic(): 1, irqs_disabled(): 1, pid: 11084, name: systemd-udevd
      	INFO: lockdep is turned off.
      	irq event stamp: 0
      	hardirqs last  enabled at (0): [<          (null)>]           (null)
      	hardirqs last disabled at (0): [<ffffffff811480f7>] copy_process.part.7+0x10e7/0x56d0
      	softirqs last  enabled at (0): [<ffffffff81148193>] copy_process.part.7+0x1183/0x56d0
      	softirqs last disabled at (0): [<          (null)>]           (null)
      	CPU: 2 PID: 11084 Comm: systemd-udevd Tainted: G    B   W       4.5.0-rc3+ #47
      	Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
      	 0000000000000000 ffff8803c6907a80 ffffffff81933901 ffff8802bd916000
      	 ffff8802bd9165c8 ffff8803c6907aa8 ffffffff811c6af5 ffff8802bd916000
      	 ffffffffa0ce9b60 0000000000000675 ffff8803c6907ae8 ffffffff811c6ce5
      	Call Trace:
      	 <IRQ>  [<ffffffff81933901>] dump_stack+0x85/0xc4
      	 [<ffffffff811c6af5>] ___might_sleep+0x245/0x3a0
      	 [<ffffffff811c6ce5>] __might_sleep+0x95/0x1a0
      	 [<ffffffffa0ce020a>] ? list_add_locked+0xca/0x140 [smsmdtv]
      	 [<ffffffffa0ce3b8d>] smscore_getbuffer+0x7d/0x120 [smsmdtv]
      	 [<ffffffff8123819d>] ? trace_hardirqs_off+0xd/0x10
      	 [<ffffffffa0ce3b10>] ? smscore_sendrequest_and_wait.isra.5+0x120/0x120 [smsmdtv]
      	 [<ffffffffa0ce020a>] ? list_add_locked+0xca/0x140 [smsmdtv]
      	 [<ffffffffa0ce13ca>] ? smscore_putbuffer+0x3a/0x40 [smsmdtv]
      	 [<ffffffffa0d107bc>] smsusb_submit_urb+0x2ec/0x4f0 [smsusb]
      	 [<ffffffffa0d10e36>] smsusb_onresponse+0x476/0x720 [smsusb]
      
      Let's add a work queue to handle the bottom half, preventing this
      problem.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      dd47fbd4
    • Mauro Carvalho Chehab's avatar
      [media] siano: firmware buffer is too small · 21cf734c
      Mauro Carvalho Chehab authored
      As pointed by KASAN:
      
      	BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880000038d8c
      	Read of size 128 by task systemd-udevd/2536
      	page:ffffea0000000800 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
      	flags: 0xffff8000004000(head)
      	page dumped because: kasan: bad access detected
      	CPU: 1 PID: 2536 Comm: systemd-udevd Not tainted 4.5.0-rc3+ #47
      	Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
      	  ffff880000038d8c ffff8803b0f1f1e8 ffffffff81933901 0000000000000080
      	  ffff8803b0f1f280 ffff8803b0f1f270 ffffffff815602c5 ffffffff8284cf93
      	  ffffffff822ddc00 0000000000000282 0000000000000001 ffff88009c7c6000
      	Call Trace:
      	  [<ffffffff81933901>] dump_stack+0x85/0xc4
      	  [<ffffffff815602c5>] kasan_report_error+0x525/0x550
      	  [<ffffffff815606e9>] kasan_report+0x39/0x40
      	  [<ffffffff8155f84d>] memcpy+0x1d/0x40
      	  [<ffffffffa120cb90>] smscore_set_device_mode+0xee0/0x2560 [smsmdtv]
      
      Such error happens at the memcpy code below:
      
      0x4bc0 is in smscore_set_device_mode (drivers/media/common/siano/smscoreapi.c:975).
      970					      sizeof(u32) + payload_size));
      971
      972			data_msg->mem_addr = mem_address;
      973			memcpy(data_msg->payload, payload, payload_size);
      974
      975			rc = smscore_sendrequest_and_wait(coredev, data_msg,
      976					data_msg->x_msg_header.msg_length,
      977					&coredev->data_download_done);
      978
      979			payload += payload_size;
      
      The problem is that the Siano driver uses a header to store the firmware,
      with requires a few more bytes than allocated.
      
      Tested with:
      	PCTV 77e (2013:0257)
      	Hauppauge WinTV MiniStick (2040:5510)
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      21cf734c