22 Commits

Author SHA1 Message Date
Julia Lawall
1bc177174b [media] usb: constify vb2_ops structures
Check for vb2_ops structures that are only stored in the ops field of a
vb2_queue structure.  That field is declared const, so vb2_ops structures
that have this property can be declared as const also.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r disable optional_qualifier@
identifier i;
position p;
@@
static struct vb2_ops i@p = { ... };

@ok@
identifier r.i;
struct vb2_queue e;
position p;
@@
e.ops = &i@p;

@bad@
position p != {r.p,ok.p};
identifier r.i;
struct vb2_ops e;
@@
e@i@p

@depends on !bad disable optional_qualifier@
identifier r.i;
@@
static
+const
 struct vb2_ops i = { ... };
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-09-19 16:20:35 -03:00
Wolfram Sang
80ae31974d [media] media: usb: airspy: airspy: don't print error when allocating urb fails
kmalloc will print enough information in case of failure.

Signed-off-by: Wolfram Sang <wsa-dev@sang-engineering.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-08-24 08:47:59 -03:00
Linus Torvalds
9c1958fc32 media updates for v4.8-rc1
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXlfJvAAoJEAhfPr2O5OEVtLUP/RpCQ+W3YVryIdmLkdmYXoY7
 m2rXtUh7GmzBjaBkFzbRCGZtgROF7zl0e1R3nm4tLbCV4Becw8HO7YiMjqFJm9xr
 b6IngIyshsHf60Eii3RpLqUFvYrc/DDIMeYf8miwj/PvFAfI2BV9apraexJlpUuI
 wdyi28cfBHq4WYhubaXKoAyBQ8YRA/t8KNRAkDlifaOaMbSAxWHlmqoSmJWeQx73
 KHkSvbRPu4Hjo3R6q/ab8VhqmXeSnbqnQB9lgnxz7AmAZGhOlMYeAhV/K2ZwbBH8
 swv36RmJVO59Ov+vNR4p7GGGDL3+qk8JLj4LNVVfOcW0A+t7WrPQEmrL6VsyaZAy
 /+r4NEOcQN6Z5nFwbr3E0tYJ2Y5jFHOvsBfKd3EEGwty+hCl634akgb0vqtg06cg
 E2KG+XW983RBadVwEBnEudxJb0fWPWHGhXEqRrwOD+718FNmTqYM6dEvTEyxRup8
 EtCLj+eQQ4LmAyZxWyE8A+keKoMFQlHqk9LN9vQ7t7Wxq9mQ+V2l12T/lN4VhdTq
 4QZ4mrCMCGEvNcNzgSg6R/9lVb6RHDtMXZ3htbB/w+5xET/IKIANYyg1Hr7ahtdh
 rTW/4q6n3jtsu6tp5poteFvPzZKAblbrj2EptVzZYkonQ5BeAUisFTtneUL10Jmj
 EUf/sH0fqoOA0VvV6Tu+
 =mrOW
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media updates from Mauro Carvalho Chehab:

 - new framework support for HDMI CEC and remote control support

 - new encoding codec driver for Mediatek SoC

 - new frontend driver: helene tuner

 - added support for NetUp almost universal devices, with supports
   DVB-C/S/S2/T/T2 and ISDB-T

 - the mn88472 frontend driver got promoted from staging

 - a new driver for RCar video input

 - some soc_camera legacy drivers got removed: timb, omap1, mx2, mx3

 - lots of driver cleanups, improvements and fixups

* tag 'media/v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (377 commits)
  [media] cec: always check all_device_types and features
  [media] cec: poll should check if there is room in the tx queue
  [media] vivid: support monitor all mode
  [media] cec: fix test for unconfigured adapter in main message loop
  [media] cec: limit the size of the transmit queue
  [media] cec: zero unused msg part after msg->len
  [media] cec: don't set fh to NULL in CEC_TRANSMIT
  [media] cec: clear all status fields before transmit and always fill in sequence
  [media] cec: CEC_RECEIVE overwrote the timeout field
  [media] cxd2841er: Reading SNR for DVB-C added
  [media] cxd2841er: Reading BER and UCB for DVB-C added
  [media] cxd2841er: fix switch-case for DVB-C
  [media] cxd2841er: fix signal strength scale for ISDB-T
  [media] cxd2841er: adjust the dB scale for DVB-C
  [media] cxd2841er: provide signal strength for DVB-C
  [media] cxd2841er: fix BER report via DVBv5 stats API
  [media] mb86a20s: apply mask to val after checking for read failure
  [media] airspy: fix error logic during device register
  [media] s5p-cec/TODO: add TODO item
  [media] cec/TODO: drop comment about sphinx documentation
  ...
2016-07-26 18:59:59 -07:00
James Patrick-Evans
aa93d1fee8 media: fix airspy usb probe error path
Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # 3.17+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-07-16 06:15:40 +09:00
James Patrick-Evans
785ef73dba [media] airspy: fix error logic during device register
This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
a memory leak in the airspy usb device driver.

The vulnerability is triggered when more than 64 usb devices register
with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
emulate 64 of these devices then through continual emulated
connect/disconnect of the 65th device, cause the kernel to run out of
RAM and crash the kernel.

The vulnerability exists in kernel versions from 3.17 to current 4.7.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Cc: stable@vger.kernel.org # Up to Kernel 3.17
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-07-15 13:32:21 -03:00
Hans Verkuil
36c0f8b32c [media] vb2: replace void *alloc_ctxs by struct device *alloc_devs
Make this a proper typed array. Drop the old allocate context code since
that is no longer used.

Note that the memops functions now get a struct device pointer instead of
the struct device ** that was there initially (actually a void pointer to
a struct containing only a struct device pointer).

This code is now a lot cleaner.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Sakari Ailus <sakari.ailus@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-07-08 14:45:07 -03:00
Mauro Carvalho Chehab
f6f7b58ef0 [media] airspy: fix bit set/clean mess on s->flags
As warned by smatch:
	drivers/media/usb/airspy/airspy.c:541 airspy_start_streaming() warn: test_bit() takes a bit number
	drivers/media/usb/airspy/airspy.c:569 airspy_start_streaming() warn: test_bit() takes a bit number
	drivers/media/usb/airspy/airspy.c:605 airspy_stop_streaming() warn: test_bit() takes a bit number

set_bit/clear_bit argument is the bit number, and not 1 << bit.

Thankfully, one of the bits was not used (URB_BUF), with would
otherwise cause a driver misfunctioning.

Clean this mess by always using set_bit/clear_bit/test_bit and
removing the unused bit.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2016-03-01 10:48:17 -03:00
Mauro Carvalho Chehab
c3152592e7 Merge branch 'patchwork' into v4l_for_linus
* patchwork: (204 commits)
  [media] rc: sunxi-cir: Initialize the spinlock properly
  [media] rtl2832: do not filter out slave TS null packets
  [media] rtl2832: print reg number on error case
  [media] rtl28xxu: return demod reg page from driver cache
  [media] coda: enable MPEG-2 ES decoding
  [media] coda: don't start streaming without queued buffers
  [media] coda: hook up vidioc_prepare_buf
  [media] coda: relax coda_jpeg_check_buffer for trailing bytes
  [media] coda: make to_coda_video_device static
  [media] s5p-mfc: remove volatile attribute from MFC register addresses
  [media] s5p-mfc: merge together s5p_mfc_hw_call and s5p_mfc_hw_call_void
  [media] s5p-mfc: use spinlock to protect MFC context
  [media] s5p-mfc: remove unnecessary callbacks
  [media] s5p-mfc: make queue cleanup code common
  [media] s5p-mfc: use one implementation of s5p_mfc_get_new_ctx
  [media] s5p-mfc: constify s5p_mfc_codec_ops structures
  [media] au8522: Avoid memory leak for device config data
  [media] ir-lirc-codec.c: don't leak lirc->drv-rbuf
  [media] uvcvideo: small cleanup in uvc_video_clock_update()
  [media] uvcvideo: Fix reading the current exposure value of UVC
  ...
2016-01-11 11:13:27 -02:00
Antti Palosaari
aa0850e1d5 [media] airspy: increase USB control message buffer size
Driver requested device firmware version string during probe using
only 24 byte long buffer. That buffer is too small for newer firmware
versions, which causes device firmware hang - device stops responding
to any commands after that. Increase buffer size to 128 which should
be enough for any current and future version strings.

Link: https://github.com/airspy/host/issues/27

Cc: <stable@vger.kernel.org> # 3.17+
Reported-by: Benjamin Vernoux <bvernoux@gmail.com>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-12-18 15:25:29 -02:00
Junghak Sung
d6dd645eae [media] media: videobuf2: Move timestamp to vb2_buffer
Move timestamp from struct vb2_v4l2_buffer to struct vb2_buffer
for common use, and change its type to u64 in order to handling
y2038 problem. This patch also includes all device drivers' changes related to
this restructuring.

Signed-off-by: Junghak Sung <jh1009.sung@samsung.com>
Signed-off-by: Geunyoung Kim <nenggun.kim@samsung.com>
Acked-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Acked-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-12-18 13:53:31 -02:00
Hans Verkuil
df9ecb0cad [media] vb2: drop v4l2_format argument from queue_setup
The queue_setup callback has a void pointer that is just for V4L2
and is the pointer to the v4l2_format struct that was passed to
VIDIOC_CREATE_BUFS. The idea was that drivers would use the information
from that struct to buffers suitable for the requested format.

After the vb2 split series this pointer is now a void pointer,
which is ugly, and the reality is that all existing drivers will
effectively just look at the sizeimage field of v4l2_format.

To make this more generic the queue_setup callback is changed:
the void pointer is dropped, instead if the *num_planes argument
is 0, then use the current format size, if it is non-zero, then
it contains the number of requested planes and the sizes array
contains the requested sizes. If either is unsupported, then return
-EINVAL, otherwise use the requested size(s).

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-12-18 13:48:19 -02:00
Junghak Sung
33119e80c3 [media] media: videobuf2: Change queue_setup argument
Replace struct v4l2_format * with void * to make queue_setup()
for common use.
And then, modify all device drivers related with this change.

Signed-off-by: Junghak Sung <jh1009.sung@samsung.com>
Signed-off-by: Geunyoung Kim <nenggun.kim@samsung.com>
Acked-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Acked-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
[hans.verkuil@cisco.com: fix missing const in fimc-lite.c]

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-10-20 14:48:39 -02:00
Junghak Sung
2d7007153f [media] media: videobuf2: Restructure vb2_buffer
Remove v4l2 stuff - v4l2_buf, v4l2_plane - from struct vb2_buffer.

Add new member variables - bytesused, length, offset, userptr, fd,
data_offset - to struct vb2_plane in order to cover all information
of v4l2_plane.
struct vb2_plane {
        <snip>
        unsigned int            bytesused;
        unsigned int            length;
        union {
                unsigned int    offset;
                unsigned long   userptr;
                int             fd;
        } m;
        unsigned int            data_offset;
}

Replace v4l2_buf with new member variables - index, type, memory - which
are common fields for buffer management.
struct vb2_buffer {
        <snip>
        unsigned int            index;
        unsigned int            type;
        unsigned int            memory;
        unsigned int            num_planes;
        struct vb2_plane        planes[VIDEO_MAX_PLANES];
        <snip>
};

v4l2 specific fields - flags, field, timestamp, timecode,
sequence - are moved to vb2_v4l2_buffer in videobuf2-v4l2.c
struct vb2_v4l2_buffer {
        struct vb2_buffer       vb2_buf;

        __u32                   flags;
        __u32                   field;
        struct timeval          timestamp;
        struct v4l2_timecode    timecode;
        __u32                   sequence;
};

Signed-off-by: Junghak Sung <jh1009.sung@samsung.com>
Signed-off-by: Geunyoung Kim <nenggun.kim@samsung.com>
Acked-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Acked-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-10-01 09:04:43 -03:00
Maninder Singh
a73df85892 [media] usb/airspy: removing unneeded goto
This patch removes unneded goto,
reported by coccinelle.

Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
Reviewed-by: Akhilesh Kumar <akhilesh.k@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2015-08-11 12:50:18 -03:00
Antti Palosaari
b8843c7979 [media] airspy: enhance sample rate debug calculation precision
Sample rate calculation gives a little bit too large results because
in real life there was around one milliseconds (~one usb packet) too
much data for given time. Calculate time more accurate in order to
provide better results.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2014-09-21 16:42:33 -03:00
Antti Palosaari
8880f2cbdb [media] airspy: remove unneeded spinlock irq flags initialization
There is no need to init flags before calling spin_lock_irqsave().
spin_lock_irqsave is a macro which stores value to 'flags'.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2014-09-21 16:42:33 -03:00
Antti Palosaari
617123ae38 [media] airspy: logging changes
Kernel logging system needs pointer to usb interface device in
order to print names and bus numbers properly. There was wrong
device pointer given and log printings wasn't correct.

Remove some debug logging from v4l2 ioctl functions. v4l2 core debug
prints almost same information when enabled.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2014-09-21 16:42:32 -03:00
Antti Palosaari
7057005db6 [media] airspy: coding style issues
Fix issues reported by checkpatch.pl.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2014-09-21 16:42:31 -03:00
Antti Palosaari
6b831d7847 [media] airspy: fix error handling on start streaming
Free all reserved USB buffers and URBs on failure. Return all queued
buffers to vb2 with state queued on error case.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2014-09-21 16:42:31 -03:00
Antti Palosaari
1b303e1a58 [media] airspy: fill FMT buffer size
Fill FMT buffer size field in order to inform app which will be
used streaming buffer size. Currently driver doesn't allow buffer
size value proposed by application.

Cc: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-07-21 21:41:48 -03:00
Antti Palosaari
ac4f90ca1b [media] airspy: print notice to point SDR API is not 100% stable yet
Print notice on driver load: "SDR API is still slightly
experimental and functionality changes may follow". It is just
remind possible used SDR API is very new and surprises may occur.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-07-21 21:02:38 -03:00
Antti Palosaari
f3e775962c [media] airspy: move out of staging into drivers/media/usb
Move it out of staging into media like all the other SDR drivers
too. There is no good reasons to keep these SDR drivers in staging.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-07-21 21:01:54 -03:00