The commit 8dfbcc4351 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.
However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
if (!firmware_name[0] && p->fname &&
priv->fname && strcmp(p->fname, priv->fname))
free_firmware(priv);
where priv->fname points to the previous file name, and this was
already freed by kfree().
For fixing the bug properly, this patch does the following:
- Keep the copy of firmware file name in only priv->fname,
priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly
Fixes: commit 8dfbcc4351 ('[media] xc2028: avoid use after free')
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Merge more updates from Andrew Morton:
- a few block updates that fell in my lap
- lib/ updates
- checkpatch
- autofs
- ipc
- a ton of misc other things
* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (100 commits)
mm: split gfp_mask and mapping flags into separate fields
fs: use mapping_set_error instead of opencoded set_bit
treewide: remove redundant #include <linux/kconfig.h>
hung_task: allow hung_task_panic when hung_task_warnings is 0
kthread: add kerneldoc for kthread_create()
kthread: better support freezable kthread workers
kthread: allow to modify delayed kthread work
kthread: allow to cancel kthread work
kthread: initial support for delayed kthread work
kthread: detect when a kthread work is used by more workers
kthread: add kthread_destroy_worker()
kthread: add kthread_create_worker*()
kthread: allow to call __kthread_create_on_node() with va_list args
kthread/smpboot: do not park in kthread_create_on_cpu()
kthread: kthread worker API cleanup
kthread: rename probe_kthread_data() to kthread_probe_data()
scripts/tags.sh: enable code completion in VIM
mm: kmemleak: avoid using __va() on addresses that don't have a lowmem mapping
kdump, vmcoreinfo: report memory sections virtual addresses
ipc/sem.c: add cond_resched in exit_sme
...
Kernel source files need not include <linux/kconfig.h> explicitly
because the top Makefile forces to include it with:
-include $(srctree)/include/linux/kconfig.h
This commit removes explicit includes except the following:
* arch/s390/include/asm/facilities_src.h
* tools/testing/radix-tree/linux/kernel.h
These two are used for host programs.
Link: http://lkml.kernel.org/r/1473656164-11929-1-git-send-email-yamada.masahiro@socionext.com
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
These structures are only used to copy into other structures, so declare
them as const.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r disable optional_qualifier@
identifier i;
position p;
@@
static struct dvb_tuner_ops i@p = { ... };
@ok1@
identifier r.i;
expression e;
position p;
@@
e = i@p
@ok2@
identifier r.i;
expression e1, e2;
position p;
@@
memcpy(e1, &i@p, e2)
@bad@
position p != {r.p,ok1.p,ok2.p};
identifier r.i;
struct dvb_tuner_ops e;
@@
e@i@p
@depends on !bad disable optional_qualifier@
identifier r.i;
@@
static
+const
struct dvb_tuner_ops i = { ... };
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
use pr_fmt() & friends for error messages to output like:
[ 9.651721] tea5767: Chip ID is not zero. It is not a TEA5767
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Some messages have a hardcoded prefix; others not. Use the
pr_fmt() to ensure that all messages will use the same prefix.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Disable runtime unbind as driver does not support it.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Disable runtime unbind as driver does not support it.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
As Gcc6.1 warned, those tables are currently unused:
drivers/media/tuners/r820t.c:349:18: warning: 'r820t_mixer_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_mixer_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~~~
drivers/media/tuners/r820t.c:345:18: warning: 'r820t_lna_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_lna_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~
They're actually used only by a routine that it is currently
commented out. So, move those tables to be together with such
code and comment them out.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
PX-BCUD has the following components:
USB interface: Empia EM28178
Demodulator: Toshiba TC90532 (works by code for TC90522)
Tuner: Next version of Sharp QM1D1C0042
em28xx_dvb_init(): add init code for PLEX PX-BCUD with calling
px_bcud_init() that does things like pin configuration.
qm1d1c0042_init(): support the next version of QM1D1C0042, change to
choose an appropriate array of initial registers by reading chip id.
[mchehab@osg.samsung.com: fold a fixup patch and fix checkpatch.pl
errors/warnings, where applicable]
Signed-off-by: Satoshi Nagahama <sattnag@aim.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Detect if firmware is running run-time and download / start it only
when needed. Detection is done by reading IF frequency value.
Garbage value is returned by firmware when it is not running,
otherwise correct value is returned.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
We have to unlock before returning -ENOMEM.
Fixes: 8dfbcc4351 ('[media] xc2028: avoid use after free')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
si2157_remove was calling kfree(dev) with possibly still active
schedule_delayed_work(dev->stat_work). This caused kernel panics in
call_timer_fn e.g. after rmmod cx23885.
Signed-off-by: Ernst Martin Witte <emw-linux-kernel@nocabal.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
The variable "rc" will be set to an appropriate value from a call of
the r820t_set_tv_standard() function.
Thus let us omit the explicit initialisation at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
This issue was detected by using the Coccinelle software.
1. Let us return directly if a call of the regmap_write() function failed.
2. Delete the jump label "err" then.
3. Return zero as a constant at the end.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Extend the frequency range to cover Hong Kong's digital TV broadcasting;
RTHK TV uses 802MHz and is not covered now. Tested on my TV tuner card
"MyGica X8558 Pro".
Signed-off-by: Walter Cheuk <wwycheuk@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
A previous patch added a check if the firmware is too big, but it didn't
set the return error code with the right value.
[mchehab@osg.samsung.com: I ended by applying a v1 of Laura's patch, without
the proper return code. This patch contains the difference between v2 and v1 of
the Laura's "si2157: Bounds check firmware" patch]
Cc: stable@kernel.org
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Reviewed-by: Olli Salonen <olli.salonen@iki.fi>
Tested-by: Olli Salonen <olli.salonen@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
The get_state()/set_state and the corresponding data types
(struct tuner_state and enum tuner_param) are old DVB interfaces
that came from the DVBv3 time.
Nowadays, set_params() provide a better way to set the tuner
and demod parameters. So, no need to keep those legacy stuff,
as all drivers that were using it got converted.
With this patch, all kABI elements at dvb_frontend.h are now
documented.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
An spi_driver does not need to set an owner, it will be populated by the
driver core.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Acked-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
When reading the firmware and sending commands, the length
must be bounds checked to avoid overrunning the size of the command
buffer and smashing the stack if the firmware is not in the
expected format. Add the proper check.
Cc: stable@kernel.org
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
i2c_driver does not need to set an owner because i2c_register_driver()
will set it.
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Make the TV tuners menu visible when compile-testing, to allow
selecting additional drivers on top of the drivers that are already
automatically selected if MEDIA_SUBDRV_AUTOSELECT is enabled.
Without this, many drivers stay disabled during e.g. allmodconfig.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
On alpha, gcc warns a log about signed/unsigned ballance, with
produces 3185 warnings. Ok, this is bogus, but it indicates that
the declaration at V4L2 side is not consistent with the one at
I2C.
With this trivial patch, the number of errors reduce to 2959
warnings. Still too much, but it is 7.1% less. So let's do it.
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
We must return -ENODEV error on case probe() fails to detect chip.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
drivers/media/tuners/e4000.c:287:3: warning: this decimal constant is unsigned only in ISO C90
.rangehigh = 2208000000L,
^
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
As reported by smatch:
drivers/media/tuners/e4000.c:287:32: warning: constant 2208000000 is so big it is long long
drivers/media/tuners/e4000.c:287:32: warning: decimal constant 2208000000 is between LONG_MAX and ULONG_MAX. For C99 that means long long, C90 compilers are very likely to produce unsigned long (and a warning) here
drivers/media/tuners/e4000.c:287:3: warning: this decimal constant is unsigned only in ISO C90
.rangehigh = 2208000000,
^
Cc: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Implement V4L2 subdevice tuner and core ops. After that this driver
is hybrid driver implementing both V4L2 and DVB ops.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* Rename device state from 's' to 'dev'.
* Move single include to driver private header.
* Change error handling type of each function to one I tend use
nowadays.
* Remove dummy register write from init. Even Windows driver does this
multiple times remove it as I have never seen any I2C errors.
* Define I2C client pointer for each function and use it.
* Do not clean tuner ops during driver remove - not needed.
* Disable sysfs device bind / unbind. We are not allowed manually
bind / unbind device from the driver currently.
* Rename some other variables.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Update synthesizer calculation to model I prefer nowadays. It is
mostly just renaming some variables to ones I think are most standard.
Also add 'schematic' of synthesizer following my current understanding.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Implement V4L2 subdevice for bandwidth and frequency controls of
SDR usage. That driver now implements both DVB frontend and V4L2
subdevice. Driver itself is I2C driver. Lets see how it works.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Calculate low-pass filter control word dynamically from given radio
channel bandwidth.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Use div_u64() to simplify and remove home made divides.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
We are using I2C client binding now, so remove old media attach.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Replace home made register access routines with regmap.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Rename driver state from priv to dev.
Remove legacy i2c-gate control.
Use I2C client for proper dev_() logging.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Calculate PLL dividers slightly differently, most likely it is now
correct. Move some register values to innitab. Use jiffies to poll
filter lock. Fix logging.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
All users are using driver via I2C client binding so lets remove
unneeded media binding.
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
The same code is executed if ret is true or false, so this test can
be removed.
Fix Coverity CID 1268782.
Signed-off-by: Laurent Navet <laurent.navet@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Rename state from s to dev. Rename some other things. Fix indentations.
Disable driver unbind via sysfs.
indentation prevent unload
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>