1. 19 Dec, 2017 9 commits
    • Daniel Scheller's avatar
      media: ddbridge: fix resources cleanup for CI hardware · fac37bb1
      Daniel Scheller authored
      Do kfree() on port->en->data instead of port->en. port->en only holds a
      ptr to a struct dvb_ca_en50221, which is a member either of a memalloc'ed
      struct ddb_ci (DuoFlex CI, Octopus CI Duo) or a struct cxd (CXD2099AR
      based Single Flex, allocated by the cxd2099 driver). port->en.data
      though holds the ptr to the allocated memory, which must rather be
      kfree()'d. Change this accordingly.
      
      Cc: Ralph Metzler <rjkm@metzlerbros.de>
      Signed-off-by: default avatarDaniel Scheller <d.scheller@gmx.net>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      fac37bb1
    • Daniel Scheller's avatar
      media: ddbridge: unregister I2C tuner client before detaching fe's · a1c484b3
      Daniel Scheller authored
      Currently, rmmod ddbridge on a KASAN enabled kernel yields this report
      for hardware that utilises the tda18212 tuner driver:
      
        [   50.355229] ==================================================================
        [   50.355271] BUG: KASAN: use-after-free in tda18212_remove+0x5c/0xb0 [tda18212]
        [   50.355290] Write of size 288 at addr ffff8800c235cf18 by task rmmod/285
      
        [   50.355316] CPU: 1 PID: 285 Comm: rmmod Not tainted 4.15.0-rc1-13744-g352a86ad536f #11
        [   50.355318] Hardware name: Gigabyte Technology Co., Ltd. P35-DS3/P35-DS3, BIOS F3 06/11/2007
        [   50.355319] Call Trace:
        [   50.355326]  dump_stack+0x46/0x61
        [   50.355332]  print_address_description+0x79/0x270
        [   50.355336]  ? tda18212_remove+0x5c/0xb0 [tda18212]
        [   50.355339]  kasan_report+0x229/0x340
        [   50.355342]  memset+0x1f/0x40
        [   50.355345]  tda18212_remove+0x5c/0xb0 [tda18212]
        [   50.355350]  i2c_device_remove+0x97/0xe0
        [   50.355355]  device_release_driver_internal+0x267/0x510
        [   50.355358]  bus_remove_device+0x296/0x470
        [   50.355360]  device_del+0x35c/0x890
        [   50.355363]  ? __device_links_no_driver+0x1c0/0x1c0
        [   50.355367]  ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
        [   50.355371]  ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
        [   50.355374]  ? __module_text_address+0xe/0x140
        [   50.355377]  device_unregister+0x9/0x20
        [   50.355382]  dvb_input_detach.isra.24+0x286/0x480 [ddbridge]
        [   50.355388]  ddb_ports_detach+0x15f/0x4f0 [ddbridge]
        [   50.355393]  ddb_remove+0x3c/0xb0 [ddbridge]
        [   50.355397]  pci_device_remove+0x93/0x1d0
        [   50.355400]  device_release_driver_internal+0x267/0x510
        [   50.355403]  driver_detach+0xb9/0x1b0
        [   50.355406]  bus_remove_driver+0xd0/0x1f0
        [   50.355410]  pci_unregister_driver+0x25/0x210
        [   50.355415]  module_exit_ddbridge+0xc/0x45 [ddbridge]
        [   50.355418]  SyS_delete_module+0x314/0x440
        [   50.355420]  ? free_module+0x5b0/0x5b0
        [   50.355423]  ? exit_to_usermode_loop+0xa9/0xc0
        [   50.355425]  ? free_module+0x5b0/0x5b0
        [   50.355428]  do_syscall_64+0x179/0x4c0
        [   50.355432]  ? do_page_fault+0x1b/0x60
        [   50.355435]  entry_SYSCALL64_slow_path+0x25/0x25
        [   50.355438] RIP: 0033:0x7fe65d08ade7
        [   50.355439] RSP: 002b:00007fff5a6a09a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
        [   50.355443] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe65d08ade7
        [   50.355445] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000000000f4e268
        [   50.355447] RBP: 0000000000f4e200 R08: 0000000000000000 R09: 1999999999999999
        [   50.355449] R10: 0000000000000891 R11: 0000000000000202 R12: 00007fff5a6a14ef
        [   50.355451] R13: 0000000000000000 R14: 0000000000f4e200 R15: 0000000000f4d010
      
        [   50.355462] Allocated by task 164:
        [   50.355477]  cxd2841er_attach+0xc3/0x7f0 [cxd2841er]
        [   50.355482]  demod_attach_cxd28xx+0x14c/0x3f0 [ddbridge]
        [   50.355486]  dvb_input_attach+0x671/0x1e20 [ddbridge]
        [   50.355490]  ddb_ports_attach+0x3d7/0xbf0 [ddbridge]
        [   50.355495]  ddb_init+0x4b3/0xa30 [ddbridge]
        [   50.355499]  ddb_probe+0xa51/0xfe0 [ddbridge]
        [   50.355501]  pci_device_probe+0x279/0x480
        [   50.355504]  driver_probe_device+0x46f/0x7a0
        [   50.355506]  __driver_attach+0x133/0x170
        [   50.355509]  bus_for_each_dev+0x10a/0x190
        [   50.355511]  bus_add_driver+0x2a3/0x5a0
        [   50.355513]  driver_register+0x182/0x3a0
        [   50.355516]  arc4_set_key+0x8f/0x2a0 [arc4]
        [   50.355518]  do_one_initcall+0x77/0x1d0
        [   50.355521]  do_init_module+0x1c2/0x548
        [   50.355523]  load_module+0x5e61/0x8df0
        [   50.355525]  SyS_finit_module+0x142/0x150
        [   50.355527]  do_syscall_64+0x179/0x4c0
        [   50.355529]  return_from_SYSCALL_64+0x0/0x65
      
        [   50.355539] Freed by task 285:
        [   50.355551]  kfree+0x6c/0xa0
        [   50.355558]  __dvb_frontend_free+0x81/0xb0 [dvb_core]
        [   50.355562]  dvb_input_detach.isra.24+0x17c/0x480 [ddbridge]
        [   50.355566]  ddb_ports_detach+0x15f/0x4f0 [ddbridge]
        [   50.355570]  ddb_remove+0x3c/0xb0 [ddbridge]
        [   50.355573]  pci_device_remove+0x93/0x1d0
        [   50.355576]  device_release_driver_internal+0x267/0x510
        [   50.355578]  driver_detach+0xb9/0x1b0
        [   50.355580]  bus_remove_driver+0xd0/0x1f0
        [   50.355583]  pci_unregister_driver+0x25/0x210
        [   50.355587]  module_exit_ddbridge+0xc/0x45 [ddbridge]
        [   50.355590]  SyS_delete_module+0x314/0x440
        [   50.355592]  do_syscall_64+0x179/0x4c0
        [   50.355594]  return_from_SYSCALL_64+0x0/0x65
      
        [   50.355604] The buggy address belongs to the object at ffff8800c235cd80
                        which belongs to the cache kmalloc-2048 of size 2048
        [   50.355630] The buggy address is located 408 bytes inside of
                        2048-byte region [ffff8800c235cd80, ffff8800c235d580)
        [   50.355652] The buggy address belongs to the page:
        [   50.355666] page:ffffea0002a7bc20 count:1 mapcount:0 mapping:ffff8800c235c500 index:0x0 compound_mapcount: 0
        [   50.355688] flags: 0x4000000000008100(slab|head)
        [   50.355703] raw: 4000000000008100 ffff8800c235c500 0000000000000000 0000000100000003
        [   50.355720] raw: ffffea000382b4b0 ffffea0002b91550 ffff88010b000800
        [   50.355734] page dumped because: kasan: bad access detected
      
        [   50.355754] Memory state around the buggy address:
        [   50.355767]  ffff8800c235ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        [   50.355783]  ffff8800c235ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        [   50.355800] >ffff8800c235cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        [   50.355815]                             ^
        [   50.355827]  ffff8800c235cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        [   50.355843]  ffff8800c235d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        [   50.355858] ==================================================================
      
      This is due to dvb_frontend_detach() being called before
      i2c_unregister_device() on the TDA18212 tuner client instance, as
      dvb_frontend_detach() causes the demod drivers to release all their
      resources, and the tuner driver's _remove method does further cleanup on
      the now invalid (freed) resources. Fix this by putting the I2C client
      deregistration in dvb_input_detach() to state/case 0x30, right before the
      call to dvb_frontend_detach(). This also makes sure that any further
      (tuner) hardware driven by I2C client drivers unload cleanly.
      
      Fixes: 1502efd2 ("media: ddbridge: fix teardown/deregistration order in ddb_input_detach()")
      Signed-off-by: default avatarDaniel Scheller <d.scheller@gmx.net>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      a1c484b3
    • Athanasios Oikonomou's avatar
      media: stv090x: add physical layer scrambling support · 93314453
      Athanasios Oikonomou authored
      This commit uses the new property scrambling_sequence_index
      to control PLS.
      By default we are using the gold sequence 0 and only gold sequences
      expected on the new property.
      
      Please note that all services use PLS, just most with the default
      sequence 0 and many demods only support gold 0.
      Signed-off-by: default avatarAthanasios Oikonomou <athoik@gmail.com>
      Acked-by: default avatarRalph Metzler <rjkm@metzlerbros.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      93314453
    • Athanasios Oikonomou's avatar
      media: dvb_frontend: add physical layer scrambling support · f9d79126
      Athanasios Oikonomou authored
      This commit adds a new property DTV_SCRAMBLING_SEQUENCE_INDEX.
      
      This 18 bit field, when present, carries the index of the DVB-S2 physical
      layer scrambling sequence as defined in clause 5.5.4 of EN 302 307.
      There is no explicit signalling method to convey scrambling sequence index
      to the receiver. If S2 satellite delivery system descriptor is available
      it can be used to read the scrambling sequence index (EN 300 468 table 41).
      
      By default, gold scrambling sequence index 0 is used. The valid scrambling
      sequence index range is from 0 to 262142.
      
      Increase the DVB API version in order userspace to be aware of the changes.
      Signed-off-by: default avatarAthanasios Oikonomou <athoik@gmail.com>
      Acked-by: default avatarRalph Metzler <rjkm@metzlerbros.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      f9d79126
    • Bjorn Helgaas's avatar
      media: netup_unidvb: use PCI_EXP_DEVCTL2_COMP_TIMEOUT macro · 24538879
      Bjorn Helgaas authored
      Use the existing PCI_EXP_DEVCTL2_COMP_TIMEOUT macro instead of hard-coding
      the PCIe Completion Timeout Value mask.  No functional change intended.
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      24538879
    • Mauro Carvalho Chehab's avatar
      media: davinci: fix a debug printk · 4f6c1104
      Mauro Carvalho Chehab authored
      Two orthogonal changesets caused a breakage at a printk
      inside davinci. Commit a2d17962
      ("[media] davinci: Switch from V4L2 OF to V4L2 fwnode")
      made davinci to use struct fwnode_handle instead of
      struct device_node. Commit 68d9c47b
      ("media: Convert to using %pOF instead of full_name")
      changed the printk to not use ->full_name, but, instead,
      to rely on %pOF.
      
      With both patches applied, the Kernel will do the wrong
      thing, as warned by smatch:
      	drivers/media/platform/davinci/vpif_capture.c:1399 vpif_async_bound() error: '%pOF' expects argument of type 'struct device_node*', argument 5 has type 'void*'
      
      So, change the logic to actually print the device name
      that was obtained before the print logic.
      
      Fixes: 68d9c47b ("media: Convert to using %pOF instead of full_name")
      Fixes: a2d17962 ("[media] davinci: Switch from V4L2 OF to V4L2 fwnode")
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Acked-by: default avatarLad, Prabhakar <prabhakar.csengg@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      4f6c1104
    • Mauro Carvalho Chehab's avatar
      media: dvb_net: let dynamic debug enable some DVB net handling · 444faf34
      Mauro Carvalho Chehab authored
      pr_debug() and netdev_dbg() can be enabled/disabled dynamically
      via sysfs. So, stop hidding them under ULE_DEBUG config macro.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      444faf34
    • Mauro Carvalho Chehab's avatar
      media: dvb-core: allow users to enable DVB net ULE debug · ba711e1c
      Mauro Carvalho Chehab authored
      This debug option is there for a long time, but it is only
      enabled by editing the source code. Due to that, a breakage
      inside its code was only noticed years after a change at
      the ULE handling logic.
      
      Make it a Kconfig parameter, as it makes easier for
      advanced users to enable, and allow test if the compilation
      won't be broken in the future.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      ba711e1c
    • Mauro Carvalho Chehab's avatar
      media: dvb_net: ensure that dvb_net_ule_handle is fully initialized · b93a25e1
      Mauro Carvalho Chehab authored
      commit efb9ab67 ("[media] dvb_net: prepare to split a very
      complex function") changed the ULE handling logic, simplifying it.
      However, it forgot to keep the initialization for .priv and to
      zero .ule_hist fields.
      
      The lack of .priv cause crashes if dvb_net_ule() is called, as
      the function assuems that .priv field to be initialized.
      
      With regards to .ule_hist, the current logic is broken and don't
      even compile if ULE_DEBUG. Fix it by making the debug vars static
      again, and be sure to pass iov parameter to dvb_net_ule_check_crc().
      
      Fixes: efb9ab67 ("[media] dvb_net: prepare to split a very complex function")
      Suggested-by: default avatarRon Economos <w6rz@comcast.net>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      b93a25e1
  2. 18 Dec, 2017 31 commits