2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-24 21:24:00 +08:00
linux-next/drivers/media/radio/radio-raremono.c
Luke Nowakowski-Krijger c666355e60 media: radio-raremono: change devm_k*alloc to k*alloc
Change devm_k*alloc to k*alloc to manually allocate memory

The manual allocation and freeing of memory is necessary because when
the USB radio is disconnected, the memory associated with devm_k*alloc
is freed. Meaning if we still have unresolved references to the radio
device, then we get use-after-free errors.

This patch fixes this by manually allocating memory, and freeing it in
the v4l2.release callback that gets called when the last radio device
exits.

Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com

Signed-off-by: Luke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings]
[hverkuil-cisco@xs4all.nl: prefix subject with driver name]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
2019-06-27 07:35:24 -04:00

390 lines
10 KiB
C

// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright 2013 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/input.h>
#include <linux/usb.h>
#include <linux/hid.h>
#include <linux/mutex.h>
#include <linux/videodev2.h>
#include <asm/unaligned.h>
#include <media/v4l2-device.h>
#include <media/v4l2-ioctl.h>
#include <media/v4l2-ctrls.h>
#include <media/v4l2-event.h>
/*
* 'Thanko's Raremono' is a Japanese si4734-based AM/FM/SW USB receiver:
*
* http://www.raremono.jp/product/484.html/
*
* The USB protocol has been reversed engineered using wireshark, initially
* by Dinesh Ram <dinesh.ram@cern.ch> and finished by Hans Verkuil
* <hverkuil@xs4all.nl>.
*
* Sadly the firmware used in this product hides lots of goodies since the
* si4734 has more features than are supported by the firmware. Oh well...
*/
/* driver and module definitions */
MODULE_AUTHOR("Hans Verkuil <hverkuil@xs4all.nl>");
MODULE_DESCRIPTION("Thanko's Raremono AM/FM/SW Receiver USB driver");
MODULE_LICENSE("GPL v2");
/*
* The Device announces itself as Cygnal Integrated Products, Inc.
*
* The vendor and product IDs (and in fact all other lsusb information as
* well) are identical to the si470x Silicon Labs USB FM Radio Reference
* Design board, even though this card has a si4734 device. Clearly the
* designer of this product never bothered to change the USB IDs.
*/
/* USB Device ID List */
static const struct usb_device_id usb_raremono_device_table[] = {
{USB_DEVICE_AND_INTERFACE_INFO(0x10c4, 0x818a, USB_CLASS_HID, 0, 0) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, usb_raremono_device_table);
#define BUFFER_LENGTH 64
/* Timeout is set to a high value, could probably be reduced. Need more tests */
#define USB_TIMEOUT 10000
/* Frequency limits in KHz */
#define FM_FREQ_RANGE_LOW 64000
#define FM_FREQ_RANGE_HIGH 108000
#define AM_FREQ_RANGE_LOW 520
#define AM_FREQ_RANGE_HIGH 1710
#define SW_FREQ_RANGE_LOW 2300
#define SW_FREQ_RANGE_HIGH 26100
enum { BAND_FM, BAND_AM, BAND_SW };
static const struct v4l2_frequency_band bands[] = {
/* Band FM */
{
.type = V4L2_TUNER_RADIO,
.index = 0,
.capability = V4L2_TUNER_CAP_LOW | V4L2_TUNER_CAP_STEREO |
V4L2_TUNER_CAP_FREQ_BANDS,
.rangelow = FM_FREQ_RANGE_LOW * 16,
.rangehigh = FM_FREQ_RANGE_HIGH * 16,
.modulation = V4L2_BAND_MODULATION_FM,
},
/* Band AM */
{
.type = V4L2_TUNER_RADIO,
.index = 1,
.capability = V4L2_TUNER_CAP_LOW | V4L2_TUNER_CAP_FREQ_BANDS,
.rangelow = AM_FREQ_RANGE_LOW * 16,
.rangehigh = AM_FREQ_RANGE_HIGH * 16,
.modulation = V4L2_BAND_MODULATION_AM,
},
/* Band SW */
{
.type = V4L2_TUNER_RADIO,
.index = 2,
.capability = V4L2_TUNER_CAP_LOW | V4L2_TUNER_CAP_FREQ_BANDS,
.rangelow = SW_FREQ_RANGE_LOW * 16,
.rangehigh = SW_FREQ_RANGE_HIGH * 16,
.modulation = V4L2_BAND_MODULATION_AM,
},
};
struct raremono_device {
struct usb_device *usbdev;
struct usb_interface *intf;
struct video_device vdev;
struct v4l2_device v4l2_dev;
struct mutex lock;
u8 *buffer;
u32 band;
unsigned curfreq;
};
static inline struct raremono_device *to_raremono_dev(struct v4l2_device *v4l2_dev)
{
return container_of(v4l2_dev, struct raremono_device, v4l2_dev);
}
/* Set frequency. */
static int raremono_cmd_main(struct raremono_device *radio, unsigned band, unsigned freq)
{
unsigned band_offset;
int ret;
switch (band) {
case BAND_FM:
band_offset = 1;
freq /= 10;
break;
case BAND_AM:
band_offset = 0;
break;
default:
band_offset = 2;
break;
}
radio->buffer[0] = 0x04 + band_offset;
radio->buffer[1] = freq >> 8;
radio->buffer[2] = freq & 0xff;
ret = usb_control_msg(radio->usbdev, usb_sndctrlpipe(radio->usbdev, 0),
HID_REQ_SET_REPORT,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_OUT,
0x0300 + radio->buffer[0], 2,
radio->buffer, 3, USB_TIMEOUT);
if (ret < 0) {
dev_warn(radio->v4l2_dev.dev, "%s failed (%d)\n", __func__, ret);
return ret;
}
radio->curfreq = (band == BAND_FM) ? freq * 10 : freq;
return 0;
}
/* Handle unplugging the device.
* We call video_unregister_device in any case.
* The last function called in this procedure is
* usb_raremono_device_release.
*/
static void usb_raremono_disconnect(struct usb_interface *intf)
{
struct raremono_device *radio = to_raremono_dev(usb_get_intfdata(intf));
dev_info(&intf->dev, "Thanko's Raremono disconnected\n");
mutex_lock(&radio->lock);
usb_set_intfdata(intf, NULL);
video_unregister_device(&radio->vdev);
v4l2_device_disconnect(&radio->v4l2_dev);
mutex_unlock(&radio->lock);
v4l2_device_put(&radio->v4l2_dev);
}
/*
* Linux Video interface
*/
static int vidioc_querycap(struct file *file, void *priv,
struct v4l2_capability *v)
{
struct raremono_device *radio = video_drvdata(file);
strscpy(v->driver, "radio-raremono", sizeof(v->driver));
strscpy(v->card, "Thanko's Raremono", sizeof(v->card));
usb_make_path(radio->usbdev, v->bus_info, sizeof(v->bus_info));
return 0;
}
static int vidioc_enum_freq_bands(struct file *file, void *priv,
struct v4l2_frequency_band *band)
{
if (band->tuner != 0)
return -EINVAL;
if (band->index >= ARRAY_SIZE(bands))
return -EINVAL;
*band = bands[band->index];
return 0;
}
static int vidioc_g_tuner(struct file *file, void *priv,
struct v4l2_tuner *v)
{
struct raremono_device *radio = video_drvdata(file);
int ret;
if (v->index > 0)
return -EINVAL;
strscpy(v->name, "AM/FM/SW", sizeof(v->name));
v->capability = V4L2_TUNER_CAP_LOW | V4L2_TUNER_CAP_STEREO |
V4L2_TUNER_CAP_FREQ_BANDS;
v->rangelow = AM_FREQ_RANGE_LOW * 16;
v->rangehigh = FM_FREQ_RANGE_HIGH * 16;
v->rxsubchans = V4L2_TUNER_SUB_STEREO | V4L2_TUNER_SUB_MONO;
v->audmode = (radio->curfreq < FM_FREQ_RANGE_LOW) ?
V4L2_TUNER_MODE_MONO : V4L2_TUNER_MODE_STEREO;
memset(radio->buffer, 1, BUFFER_LENGTH);
ret = usb_control_msg(radio->usbdev, usb_rcvctrlpipe(radio->usbdev, 0),
1, 0xa1, 0x030d, 2, radio->buffer, BUFFER_LENGTH, USB_TIMEOUT);
if (ret < 0) {
dev_warn(radio->v4l2_dev.dev, "%s failed (%d)\n", __func__, ret);
return ret;
}
v->signal = ((radio->buffer[1] & 0xf) << 8 | radio->buffer[2]) << 4;
return 0;
}
static int vidioc_s_tuner(struct file *file, void *priv,
const struct v4l2_tuner *v)
{
return v->index ? -EINVAL : 0;
}
static int vidioc_s_frequency(struct file *file, void *priv,
const struct v4l2_frequency *f)
{
struct raremono_device *radio = video_drvdata(file);
u32 freq;
unsigned band;
if (f->tuner != 0 || f->type != V4L2_TUNER_RADIO)
return -EINVAL;
if (f->frequency >= (FM_FREQ_RANGE_LOW + SW_FREQ_RANGE_HIGH) * 8)
band = BAND_FM;
else if (f->frequency <= (AM_FREQ_RANGE_HIGH + SW_FREQ_RANGE_LOW) * 8)
band = BAND_AM;
else
band = BAND_SW;
freq = clamp_t(u32, f->frequency, bands[band].rangelow, bands[band].rangehigh);
return raremono_cmd_main(radio, band, freq / 16);
}
static int vidioc_g_frequency(struct file *file, void *priv,
struct v4l2_frequency *f)
{
struct raremono_device *radio = video_drvdata(file);
if (f->tuner != 0)
return -EINVAL;
f->type = V4L2_TUNER_RADIO;
f->frequency = radio->curfreq * 16;
return 0;
}
static void raremono_device_release(struct v4l2_device *v4l2_dev)
{
struct raremono_device *radio = to_raremono_dev(v4l2_dev);
kfree(radio->buffer);
kfree(radio);
}
/* File system interface */
static const struct v4l2_file_operations usb_raremono_fops = {
.owner = THIS_MODULE,
.open = v4l2_fh_open,
.release = v4l2_fh_release,
.unlocked_ioctl = video_ioctl2,
};
static const struct v4l2_ioctl_ops usb_raremono_ioctl_ops = {
.vidioc_querycap = vidioc_querycap,
.vidioc_g_tuner = vidioc_g_tuner,
.vidioc_s_tuner = vidioc_s_tuner,
.vidioc_g_frequency = vidioc_g_frequency,
.vidioc_s_frequency = vidioc_s_frequency,
.vidioc_enum_freq_bands = vidioc_enum_freq_bands,
};
/* check if the device is present and register with v4l and usb if it is */
static int usb_raremono_probe(struct usb_interface *intf,
const struct usb_device_id *id)
{
struct raremono_device *radio;
int retval = 0;
radio = kzalloc(sizeof(*radio), GFP_KERNEL);
if (!radio)
return -ENOMEM;
radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL);
if (!radio->buffer) {
kfree(radio);
return -ENOMEM;
}
radio->usbdev = interface_to_usbdev(intf);
radio->intf = intf;
/*
* This device uses the same USB IDs as the si470x SiLabs reference
* design. So do an additional check: attempt to read the device ID
* from the si470x: the lower 12 bits are 0x0242 for the si470x. The
* Raremono always returns 0x0800 (the meaning of that is unknown, but
* at least it works).
*
* We use this check to determine which device we are dealing with.
*/
msleep(20);
retval = usb_control_msg(radio->usbdev,
usb_rcvctrlpipe(radio->usbdev, 0),
HID_REQ_GET_REPORT,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
1, 2,
radio->buffer, 3, 500);
if (retval != 3 ||
(get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) {
dev_info(&intf->dev, "this is not Thanko's Raremono.\n");
retval = -ENODEV;
goto free_mem;
}
dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n",
id->idVendor, id->idProduct);
retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev);
if (retval < 0) {
dev_err(&intf->dev, "couldn't register v4l2_device\n");
goto free_mem;
}
mutex_init(&radio->lock);
strscpy(radio->vdev.name, radio->v4l2_dev.name,
sizeof(radio->vdev.name));
radio->vdev.v4l2_dev = &radio->v4l2_dev;
radio->vdev.fops = &usb_raremono_fops;
radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops;
radio->vdev.lock = &radio->lock;
radio->vdev.release = video_device_release_empty;
radio->vdev.device_caps = V4L2_CAP_TUNER | V4L2_CAP_RADIO;
radio->v4l2_dev.release = raremono_device_release;
usb_set_intfdata(intf, &radio->v4l2_dev);
video_set_drvdata(&radio->vdev, radio);
raremono_cmd_main(radio, BAND_FM, 95160);
retval = video_register_device(&radio->vdev, VFL_TYPE_RADIO, -1);
if (retval == 0) {
dev_info(&intf->dev, "V4L2 device registered as %s\n",
video_device_node_name(&radio->vdev));
return 0;
}
dev_err(&intf->dev, "could not register video device\n");
v4l2_device_unregister(&radio->v4l2_dev);
free_mem:
kfree(radio->buffer);
kfree(radio);
return retval;
}
/* USB subsystem interface */
static struct usb_driver usb_raremono_driver = {
.name = "radio-raremono",
.probe = usb_raremono_probe,
.disconnect = usb_raremono_disconnect,
.id_table = usb_raremono_device_table,
};
module_usb_driver(usb_raremono_driver);