699bf94114
The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set to NULL after each free. stop stream urb killing urb buffer free tm6000: got start feed request tm6000_start_feed tm6000: got start stream request tm6000_start_stream tm6000: pipe reset tm6000: got start feed request tm6000_start_feed tm6000: got start feed request tm6000_start_feed tm6000: got start feed request tm6000_start_feed tm6000: got start feed request tm6000_start_feed tm6000: IR URB failure: status: -71, length 0 xhci_hcd 0000:00:14.0: ERROR unknown event type 37 xhci_hcd 0000:00:14.0: ERROR unknown event type 37 tm6000: error tm6000_urb_received usb 1-2: USB disconnect, device number 5 tm6000: disconnecting tm6000 #0 ================================================================== BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb] Read of size 8 at addr ffff888241044060 by task kworker/2:0/22 CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G W 5.3.0-rc4+ #1 Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack+0x9a/0xf0 print_address_description.cold+0xae/0x34f __kasan_report.cold+0x75/0x93 ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa] ? dvb_fini+0x75/0x140 [tm6000_dvb] kasan_report+0xe/0x12 dvb_fini+0x75/0x140 [tm6000_dvb] tm6000_close_extension+0x51/0x80 [tm6000] tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000] usb_unbind_interface+0xe4/0x390 device_release_driver_internal+0x121/0x250 bus_remove_device+0x197/0x260 device_del+0x268/0x550 ? __device_links_no_driver+0xd0/0xd0 ? usb_remove_ep_devs+0x30/0x3b usb_disable_device+0x122/0x400 usb_disconnect+0x153/0x430 hub_event+0x800/0x1e40 ? trace_hardirqs_on_thunk+0x1a/0x20 ? hub_port_debounce+0x1f0/0x1f0 ? retint_kernel+0x10/0x10 ? lock_is_held_type+0xf1/0x130 ? hub_port_debounce+0x1f0/0x1f0 ? process_one_work+0x4ae/0xa00 process_one_work+0x4ba/0xa00 ? pwq_dec_nr_in_flight+0x160/0x160 ? do_raw_spin_lock+0x10a/0x1d0 worker_thread+0x7a/0x5c0 ? process_one_work+0xa00/0xa00 kthread+0x1d5/0x200 ? kthread_create_worker_on_cpu+0xd0/0xd0 ret_from_fork+0x3a/0x50 Allocated by task 2682: save_stack+0x1b/0x80 __kasan_kmalloc.constprop.0+0xc2/0xd0 usb_alloc_urb+0x28/0x60 tm6000_start_feed+0x10a/0x300 [tm6000_dvb] dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core] dvb_dmxdev_start_feed+0x121/0x180 [dvb_core] dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core] dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core] dvb_usercopy+0x97/0x1f0 [dvb_core] dvb_demux_ioctl+0x11/0x20 [dvb_core] do_vfs_ioctl+0x5d8/0x9d0 ksys_ioctl+0x5e/0x90 __x64_sys_ioctl+0x3d/0x50 do_syscall_64+0x74/0xe0 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 22: save_stack+0x1b/0x80 __kasan_slab_free+0x12c/0x170 kfree+0xfd/0x3a0 xhci_giveback_urb_in_irq+0xfe/0x230 xhci_td_cleanup+0x276/0x340 xhci_irq+0x1129/0x3720 __handle_irq_event_percpu+0x6e/0x420 handle_irq_event_percpu+0x6f/0x100 handle_irq_event+0x55/0x84 handle_edge_irq+0x108/0x3b0 handle_irq+0x2e/0x40 do_IRQ+0x83/0x1a0 Cc: stable@vger.kernel.org Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
453 lines
10 KiB
C
453 lines
10 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* tm6000-dvb.c - dvb-t support for TM5600/TM6000/TM6010 USB video capture devices
|
|
*
|
|
* Copyright (C) 2007 Michel Ludwig <michel.ludwig@gmail.com>
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/usb.h>
|
|
|
|
#include "tm6000.h"
|
|
#include "tm6000-regs.h"
|
|
|
|
#include "zl10353.h"
|
|
|
|
#include <media/tuner.h>
|
|
|
|
#include "tuner-xc2028.h"
|
|
#include "xc5000.h"
|
|
|
|
MODULE_DESCRIPTION("DVB driver extension module for tm5600/6000/6010 based TV cards");
|
|
MODULE_AUTHOR("Mauro Carvalho Chehab");
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_SUPPORTED_DEVICE("{{Trident, tm5600},{{Trident, tm6000},{{Trident, tm6010}");
|
|
|
|
static int debug;
|
|
|
|
module_param(debug, int, 0644);
|
|
MODULE_PARM_DESC(debug, "enable debug message");
|
|
|
|
static inline void print_err_status(struct tm6000_core *dev,
|
|
int packet, int status)
|
|
{
|
|
char *errmsg = "Unknown";
|
|
|
|
switch (status) {
|
|
case -ENOENT:
|
|
errmsg = "unlinked synchronously";
|
|
break;
|
|
case -ECONNRESET:
|
|
errmsg = "unlinked asynchronously";
|
|
break;
|
|
case -ENOSR:
|
|
errmsg = "Buffer error (overrun)";
|
|
break;
|
|
case -EPIPE:
|
|
errmsg = "Stalled (device not responding)";
|
|
break;
|
|
case -EOVERFLOW:
|
|
errmsg = "Babble (bad cable?)";
|
|
break;
|
|
case -EPROTO:
|
|
errmsg = "Bit-stuff error (bad cable?)";
|
|
break;
|
|
case -EILSEQ:
|
|
errmsg = "CRC/Timeout (could be anything)";
|
|
break;
|
|
case -ETIME:
|
|
errmsg = "Device does not respond";
|
|
break;
|
|
}
|
|
if (packet < 0) {
|
|
dprintk(dev, 1, "URB status %d [%s].\n",
|
|
status, errmsg);
|
|
} else {
|
|
dprintk(dev, 1, "URB packet %d, status %d [%s].\n",
|
|
packet, status, errmsg);
|
|
}
|
|
}
|
|
|
|
static void tm6000_urb_received(struct urb *urb)
|
|
{
|
|
int ret;
|
|
struct tm6000_core *dev = urb->context;
|
|
|
|
switch (urb->status) {
|
|
case 0:
|
|
case -ETIMEDOUT:
|
|
break;
|
|
case -ENOENT:
|
|
case -ECONNRESET:
|
|
case -ESHUTDOWN:
|
|
return;
|
|
default:
|
|
print_err_status(dev, 0, urb->status);
|
|
}
|
|
|
|
if (urb->actual_length > 0)
|
|
dvb_dmx_swfilter(&dev->dvb->demux, urb->transfer_buffer,
|
|
urb->actual_length);
|
|
|
|
if (dev->dvb->streams > 0) {
|
|
ret = usb_submit_urb(urb, GFP_ATOMIC);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR "tm6000: error %s\n", __func__);
|
|
kfree(urb->transfer_buffer);
|
|
usb_free_urb(urb);
|
|
dev->dvb->bulk_urb = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
static int tm6000_start_stream(struct tm6000_core *dev)
|
|
{
|
|
int ret;
|
|
unsigned int pipe, size;
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
printk(KERN_INFO "tm6000: got start stream request %s\n", __func__);
|
|
|
|
if (dev->mode != TM6000_MODE_DIGITAL) {
|
|
tm6000_init_digital_mode(dev);
|
|
dev->mode = TM6000_MODE_DIGITAL;
|
|
}
|
|
|
|
dvb->bulk_urb = usb_alloc_urb(0, GFP_KERNEL);
|
|
if (!dvb->bulk_urb)
|
|
return -ENOMEM;
|
|
|
|
pipe = usb_rcvbulkpipe(dev->udev, dev->bulk_in.endp->desc.bEndpointAddress
|
|
& USB_ENDPOINT_NUMBER_MASK);
|
|
|
|
size = usb_maxpacket(dev->udev, pipe, usb_pipeout(pipe));
|
|
size = size * 15; /* 512 x 8 or 12 or 15 */
|
|
|
|
dvb->bulk_urb->transfer_buffer = kzalloc(size, GFP_KERNEL);
|
|
if (!dvb->bulk_urb->transfer_buffer) {
|
|
usb_free_urb(dvb->bulk_urb);
|
|
dvb->bulk_urb = NULL;
|
|
return -ENOMEM;
|
|
}
|
|
|
|
usb_fill_bulk_urb(dvb->bulk_urb, dev->udev, pipe,
|
|
dvb->bulk_urb->transfer_buffer,
|
|
size,
|
|
tm6000_urb_received, dev);
|
|
|
|
ret = usb_clear_halt(dev->udev, pipe);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR "tm6000: error %i in %s during pipe reset\n",
|
|
ret, __func__);
|
|
return ret;
|
|
} else
|
|
printk(KERN_ERR "tm6000: pipe reset\n");
|
|
|
|
/* mutex_lock(&tm6000_driver.open_close_mutex); */
|
|
ret = usb_submit_urb(dvb->bulk_urb, GFP_ATOMIC);
|
|
|
|
/* mutex_unlock(&tm6000_driver.open_close_mutex); */
|
|
if (ret) {
|
|
printk(KERN_ERR "tm6000: submit of urb failed (error=%i)\n",
|
|
ret);
|
|
|
|
kfree(dvb->bulk_urb->transfer_buffer);
|
|
usb_free_urb(dvb->bulk_urb);
|
|
dvb->bulk_urb = NULL;
|
|
return ret;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void tm6000_stop_stream(struct tm6000_core *dev)
|
|
{
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
if (dvb->bulk_urb) {
|
|
printk(KERN_INFO "urb killing\n");
|
|
usb_kill_urb(dvb->bulk_urb);
|
|
printk(KERN_INFO "urb buffer free\n");
|
|
kfree(dvb->bulk_urb->transfer_buffer);
|
|
usb_free_urb(dvb->bulk_urb);
|
|
dvb->bulk_urb = NULL;
|
|
}
|
|
}
|
|
|
|
static int tm6000_start_feed(struct dvb_demux_feed *feed)
|
|
{
|
|
struct dvb_demux *demux = feed->demux;
|
|
struct tm6000_core *dev = demux->priv;
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
printk(KERN_INFO "tm6000: got start feed request %s\n", __func__);
|
|
|
|
mutex_lock(&dvb->mutex);
|
|
if (dvb->streams == 0) {
|
|
dvb->streams = 1;
|
|
/* mutex_init(&tm6000_dev->streming_mutex); */
|
|
tm6000_start_stream(dev);
|
|
} else
|
|
++(dvb->streams);
|
|
mutex_unlock(&dvb->mutex);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int tm6000_stop_feed(struct dvb_demux_feed *feed)
|
|
{
|
|
struct dvb_demux *demux = feed->demux;
|
|
struct tm6000_core *dev = demux->priv;
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
printk(KERN_INFO "tm6000: got stop feed request %s\n", __func__);
|
|
|
|
mutex_lock(&dvb->mutex);
|
|
|
|
printk(KERN_INFO "stream %#x\n", dvb->streams);
|
|
--(dvb->streams);
|
|
if (dvb->streams == 0) {
|
|
printk(KERN_INFO "stop stream\n");
|
|
tm6000_stop_stream(dev);
|
|
/* mutex_destroy(&tm6000_dev->streaming_mutex); */
|
|
}
|
|
mutex_unlock(&dvb->mutex);
|
|
/* mutex_destroy(&tm6000_dev->streaming_mutex); */
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int tm6000_dvb_attach_frontend(struct tm6000_core *dev)
|
|
{
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
if (dev->caps.has_zl10353) {
|
|
struct zl10353_config config = {
|
|
.demod_address = dev->demod_addr,
|
|
.no_tuner = 1,
|
|
.parallel_ts = 1,
|
|
.if2 = 45700,
|
|
.disable_i2c_gate_ctrl = 1,
|
|
};
|
|
|
|
dvb->frontend = dvb_attach(zl10353_attach, &config,
|
|
&dev->i2c_adap);
|
|
} else {
|
|
printk(KERN_ERR "tm6000: no frontend defined for the device!\n");
|
|
return -1;
|
|
}
|
|
|
|
return (!dvb->frontend) ? -1 : 0;
|
|
}
|
|
|
|
DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
|
|
|
|
static int register_dvb(struct tm6000_core *dev)
|
|
{
|
|
int ret = -1;
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
mutex_init(&dvb->mutex);
|
|
|
|
dvb->streams = 0;
|
|
|
|
/* attach the frontend */
|
|
ret = tm6000_dvb_attach_frontend(dev);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR "tm6000: couldn't attach the frontend!\n");
|
|
goto err;
|
|
}
|
|
|
|
ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T",
|
|
THIS_MODULE, &dev->udev->dev, adapter_nr);
|
|
if (ret < 0) {
|
|
pr_err("tm6000: couldn't register the adapter!\n");
|
|
goto err;
|
|
}
|
|
|
|
dvb->adapter.priv = dev;
|
|
|
|
if (dvb->frontend) {
|
|
switch (dev->tuner_type) {
|
|
case TUNER_XC2028: {
|
|
struct xc2028_config cfg = {
|
|
.i2c_adap = &dev->i2c_adap,
|
|
.i2c_addr = dev->tuner_addr,
|
|
};
|
|
|
|
dvb->frontend->callback = tm6000_tuner_callback;
|
|
ret = dvb_register_frontend(&dvb->adapter, dvb->frontend);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR
|
|
"tm6000: couldn't register frontend\n");
|
|
goto adapter_err;
|
|
}
|
|
|
|
if (!dvb_attach(xc2028_attach, dvb->frontend, &cfg)) {
|
|
printk(KERN_ERR "tm6000: couldn't register frontend (xc3028)\n");
|
|
ret = -EINVAL;
|
|
goto frontend_err;
|
|
}
|
|
printk(KERN_INFO "tm6000: XC2028/3028 asked to be attached to frontend!\n");
|
|
break;
|
|
}
|
|
case TUNER_XC5000: {
|
|
struct xc5000_config cfg = {
|
|
.i2c_address = dev->tuner_addr,
|
|
};
|
|
|
|
dvb->frontend->callback = tm6000_xc5000_callback;
|
|
ret = dvb_register_frontend(&dvb->adapter, dvb->frontend);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR
|
|
"tm6000: couldn't register frontend\n");
|
|
goto adapter_err;
|
|
}
|
|
|
|
if (!dvb_attach(xc5000_attach, dvb->frontend, &dev->i2c_adap, &cfg)) {
|
|
printk(KERN_ERR "tm6000: couldn't register frontend (xc5000)\n");
|
|
ret = -EINVAL;
|
|
goto frontend_err;
|
|
}
|
|
printk(KERN_INFO "tm6000: XC5000 asked to be attached to frontend!\n");
|
|
break;
|
|
}
|
|
}
|
|
} else
|
|
printk(KERN_ERR "tm6000: no frontend found\n");
|
|
|
|
dvb->demux.dmx.capabilities = DMX_TS_FILTERING | DMX_SECTION_FILTERING
|
|
| DMX_MEMORY_BASED_FILTERING;
|
|
dvb->demux.priv = dev;
|
|
dvb->demux.filternum = 8;
|
|
dvb->demux.feednum = 8;
|
|
dvb->demux.start_feed = tm6000_start_feed;
|
|
dvb->demux.stop_feed = tm6000_stop_feed;
|
|
dvb->demux.write_to_decoder = NULL;
|
|
ret = dvb_dmx_init(&dvb->demux);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR "tm6000: dvb_dmx_init failed (errno = %d)\n", ret);
|
|
goto frontend_err;
|
|
}
|
|
|
|
dvb->dmxdev.filternum = dev->dvb->demux.filternum;
|
|
dvb->dmxdev.demux = &dev->dvb->demux.dmx;
|
|
dvb->dmxdev.capabilities = 0;
|
|
|
|
ret = dvb_dmxdev_init(&dvb->dmxdev, &dvb->adapter);
|
|
if (ret < 0) {
|
|
printk(KERN_ERR "tm6000: dvb_dmxdev_init failed (errno = %d)\n", ret);
|
|
goto dvb_dmx_err;
|
|
}
|
|
|
|
return 0;
|
|
|
|
dvb_dmx_err:
|
|
dvb_dmx_release(&dvb->demux);
|
|
frontend_err:
|
|
if (dvb->frontend) {
|
|
dvb_unregister_frontend(dvb->frontend);
|
|
dvb_frontend_detach(dvb->frontend);
|
|
}
|
|
adapter_err:
|
|
dvb_unregister_adapter(&dvb->adapter);
|
|
err:
|
|
return ret;
|
|
}
|
|
|
|
static void unregister_dvb(struct tm6000_core *dev)
|
|
{
|
|
struct tm6000_dvb *dvb = dev->dvb;
|
|
|
|
if (dvb->bulk_urb) {
|
|
struct urb *bulk_urb = dvb->bulk_urb;
|
|
|
|
kfree(bulk_urb->transfer_buffer);
|
|
bulk_urb->transfer_buffer = NULL;
|
|
usb_unlink_urb(bulk_urb);
|
|
usb_free_urb(bulk_urb);
|
|
}
|
|
|
|
/* mutex_lock(&tm6000_driver.open_close_mutex); */
|
|
if (dvb->frontend) {
|
|
dvb_unregister_frontend(dvb->frontend);
|
|
dvb_frontend_detach(dvb->frontend);
|
|
}
|
|
|
|
dvb_dmxdev_release(&dvb->dmxdev);
|
|
dvb_dmx_release(&dvb->demux);
|
|
dvb_unregister_adapter(&dvb->adapter);
|
|
mutex_destroy(&dvb->mutex);
|
|
/* mutex_unlock(&tm6000_driver.open_close_mutex); */
|
|
}
|
|
|
|
static int dvb_init(struct tm6000_core *dev)
|
|
{
|
|
struct tm6000_dvb *dvb;
|
|
int rc;
|
|
|
|
if (!dev)
|
|
return 0;
|
|
|
|
if (!dev->caps.has_dvb)
|
|
return 0;
|
|
|
|
if (dev->udev->speed == USB_SPEED_FULL) {
|
|
printk(KERN_INFO "This USB2.0 device cannot be run on a USB1.1 port. (it lacks a hardware PID filter)\n");
|
|
return 0;
|
|
}
|
|
|
|
dvb = kzalloc(sizeof(struct tm6000_dvb), GFP_KERNEL);
|
|
if (!dvb)
|
|
return -ENOMEM;
|
|
|
|
dev->dvb = dvb;
|
|
|
|
rc = register_dvb(dev);
|
|
if (rc < 0) {
|
|
kfree(dvb);
|
|
dev->dvb = NULL;
|
|
return 0;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int dvb_fini(struct tm6000_core *dev)
|
|
{
|
|
if (!dev)
|
|
return 0;
|
|
|
|
if (!dev->caps.has_dvb)
|
|
return 0;
|
|
|
|
if (dev->dvb) {
|
|
unregister_dvb(dev);
|
|
kfree(dev->dvb);
|
|
dev->dvb = NULL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct tm6000_ops dvb_ops = {
|
|
.type = TM6000_DVB,
|
|
.name = "TM6000 dvb Extension",
|
|
.init = dvb_init,
|
|
.fini = dvb_fini,
|
|
};
|
|
|
|
static int __init tm6000_dvb_register(void)
|
|
{
|
|
return tm6000_register_extension(&dvb_ops);
|
|
}
|
|
|
|
static void __exit tm6000_dvb_unregister(void)
|
|
{
|
|
tm6000_unregister_extension(&dvb_ops);
|
|
}
|
|
|
|
module_init(tm6000_dvb_register);
|
|
module_exit(tm6000_dvb_unregister);
|