Fix the issue that radio app using r820t tuner driver some times crash.
Bug-AGL: SPEC-418
Change-Id: I1529ecba91c3988eea6b271d5f8ce6d2d8f1bb11
Signed-off-by: Harunobu Kurokawa <harunobu.kurokawa.dn@renesas.com>
file://rtl_sdr.cfg \
file://usbaudio.cfg \
file://ra2x00.cfg \
+ file://0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch \
+ file://0002-media-r820t-remove-redundant-initializations-in-r820.patch \
+ file://0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch \
"
KERNEL_CONFIG_FRAGMENTS_append = " ${WORKDIR}/ath9k_htc.cfg ${WORKDIR}/rtl_sdr.cfg"
--- /dev/null
+From 4aab0398e003ac2effae98ba66a012ed715967ba Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:26:15 -0300
+Subject: [PATCH 1/3] [media] r820t: do not double-free fe->tuner_priv in
+ r820t_release()
+
+fe->tuner_priv is already freed by hybrid_tuner_release_state().
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 4835021..64f9738 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -2256,7 +2256,6 @@ static int r820t_release(struct dvb_frontend *fe)
+
+ mutex_unlock(&r820t_list_mutex);
+
+- kfree(fe->tuner_priv);
+ fe->tuner_priv = NULL;
+
+ return 0;
+--
+2.9.2
+
--- /dev/null
+From e2e324d70defce7ffc4668085dc3c8ae580074e5 Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:30:09 -0300
+Subject: [PATCH 2/3] [media] r820t: remove redundant initializations in
+ r820t_attach()
+
+fe->tuner_priv and fe->ops.tuner_ops are initialized twice in r820t_attach().
+Remove the redundant initializations and also move fe->ops.tuner_ops
+initialization outside of the mutex lock (as in the xc4000 tuner code for example).
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 64f9738..63062a9 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -2310,8 +2310,6 @@ struct dvb_frontend *r820t_attach(struct dvb_frontend *fe,
+ break;
+ }
+
+- memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops, sizeof(r820t_tuner_ops));
+-
+ if (fe->ops.i2c_gate_ctrl)
+ fe->ops.i2c_gate_ctrl(fe, 1);
+
+@@ -2326,15 +2324,14 @@ struct dvb_frontend *r820t_attach(struct dvb_frontend *fe,
+
+ tuner_info("Rafael Micro r820t successfully identified\n");
+
+- fe->tuner_priv = priv;
+- memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops,
+- sizeof(struct dvb_tuner_ops));
+-
+ if (fe->ops.i2c_gate_ctrl)
+ fe->ops.i2c_gate_ctrl(fe, 0);
+
+ mutex_unlock(&r820t_list_mutex);
+
++ memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops,
++ sizeof(struct dvb_tuner_ops));
++
+ return fe;
+ err:
+ if (fe->ops.i2c_gate_ctrl)
+--
+2.9.2
+
--- /dev/null
+From 757d7ace565c06e1302ba7c9244d839455e13881 Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:31:19 -0300
+Subject: [PATCH 3/3] [media] r820t: avoid potential memcpy buffer overflow in
+ shadow_store()
+
+The memcpy in shadow_store() could exceed buffer limits when r > 0.
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 63062a9..0a5f96b 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val,
+ }
+ if (len <= 0)
+ return;
+- if (len > NUM_REGS)
+- len = NUM_REGS;
++ if (len > NUM_REGS - r)
++ len = NUM_REGS - r;
+
+ tuner_dbg("%s: prev reg=%02x len=%d: %*ph\n",
+ __func__, r + REG_SHADOW_START, len, len, val);
+--
+2.9.2
+
Code Review / AGL / meta-agl.git / commitdiff