[PATCH] rtl28xxu: fix control message flaws

linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] rtl28xxu: fix control message flaws
@ 2015-10-10 16:45 Antti Palosaari
  2015-10-14 22:11 ` Daniel Glöckner
  2015-11-06 23:15 ` Benjamin Larsson
  0 siblings, 2 replies; 4+ messages in thread
From: Antti Palosaari @ 2015-10-10 16:45 UTC (permalink / raw)
  To: linux-media; +Cc: Antti Palosaari

Add lock to prevent concurrent access for control message as control
message function uses shared buffer. Without the lock there may be
remote control polling which messes the buffer causing IO errors.
Increase buffer size and add check for maximum supported message
length.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=103391
Fixes: c56222a6b25c ("[media] rtl28xxu: move usb buffers to state")
Cc: <stable@vger.kernel.org> # 4.0+
Signed-off-by: Antti Palosaari <crope@iki.fi>
---
 drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 15 +++++++++++++--
 drivers/media/usb/dvb-usb-v2/rtl28xxu.h |  2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
index c3cac4c..197a4f2 100644
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
 	unsigned int pipe;
 	u8 requesttype;
 
+	mutex_lock(&d->usb_mutex);
+
+	if (req->size > sizeof(dev->buf)) {
+		dev_err(&d->intf->dev, "too large message %u\n", req->size);
+		ret = -EINVAL;
+		goto err_mutex_unlock;
+	}
+
 	if (req->index & CMD_WR_FLAG) {
 		/* write */
 		memcpy(dev->buf, req->data, req->size);
@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
 	dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value,
 			req->index, dev->buf, req->size);
 	if (ret < 0)
-		goto err;
+		goto err_mutex_unlock;
 
 	/* read request, copy returned data to return buf */
 	if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
 		memcpy(req->data, dev->buf, req->size);
 
+	mutex_unlock(&d->usb_mutex);
+
 	return 0;
-err:
+err_mutex_unlock:
+	mutex_unlock(&d->usb_mutex);
 	dev_dbg(&d->intf->dev, "failed=%d\n", ret);
 	return ret;
 }
diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
index 9f6115a..1380629 100644
--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.h
@@ -71,7 +71,7 @@
 
 
 struct rtl28xxu_dev {
-	u8 buf[28];
+	u8 buf[128];
 	u8 chip_id;
 	u8 tuner;
 	char *tuner_name;
-- 
http://palosaari.fi/


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] rtl28xxu: fix control message flaws
  2015-10-10 16:45 [PATCH] rtl28xxu: fix control message flaws Antti Palosaari
@ 2015-10-14 22:11 ` Daniel Glöckner
  2015-10-15  6:54   ` Antti Palosaari
  2015-11-06 23:15 ` Benjamin Larsson
  1 sibling, 1 reply; 4+ messages in thread
From: Daniel Glöckner @ 2015-10-14 22:11 UTC (permalink / raw)
  To: Antti Palosaari; +Cc: linux-media

On Sat, Oct 10, 2015 at 07:45:30PM +0300, Antti Palosaari wrote:
> Add lock to prevent concurrent access for control message as control
> message function uses shared buffer. Without the lock there may be
> remote control polling which messes the buffer causing IO errors.

This patch fixes the Problems I had with my Astrometa stick's I2C bus
locking up at the end of each dvbv5-scan run until it is disconnected.
There is another source of IO errors in the current driver, though.
The delayed work closing the I2C gate to the tuner is often executed
after rtl2832_power_ctrl has disabled the PLL. This will cause the
USB transfer accessing the gate control register to fail with -EPIPE.

Best regards,

  Daniel

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] rtl28xxu: fix control message flaws
  2015-10-14 22:11 ` Daniel Glöckner
@ 2015-10-15  6:54   ` Antti Palosaari
  0 siblings, 0 replies; 4+ messages in thread
From: Antti Palosaari @ 2015-10-15  6:54 UTC (permalink / raw)
  To: linux-media

On 10/15/2015 01:11 AM, Daniel Glöckner wrote:
> On Sat, Oct 10, 2015 at 07:45:30PM +0300, Antti Palosaari wrote:
>> Add lock to prevent concurrent access for control message as control
>> message function uses shared buffer. Without the lock there may be
>> remote control polling which messes the buffer causing IO errors.
>
> This patch fixes the Problems I had with my Astrometa stick's I2C bus
> locking up at the end of each dvbv5-scan run until it is disconnected.
> There is another source of IO errors in the current driver, though.
> The delayed work closing the I2C gate to the tuner is often executed
> after rtl2832_power_ctrl has disabled the PLL. This will cause the
> USB transfer accessing the gate control register to fail with -EPIPE.

I saw that few times too, but it does not cause any other harm than 
error printing. It went away when canceled that delayed gate closing 
timer during demod sleep. But that was device which doesn't have slave 
demod at all, so it does not apply to your case as integrated demod 
sleep is not called at all. I think some callback which does opposite 
than "enable_slave_ts()" is needed. Like "disable_slave_ts()" which 
kills that timer before demod is powered off.

regards
Antti

-- 
http://palosaari.fi/

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] rtl28xxu: fix control message flaws
  2015-10-10 16:45 [PATCH] rtl28xxu: fix control message flaws Antti Palosaari
  2015-10-14 22:11 ` Daniel Glöckner
@ 2015-11-06 23:15 ` Benjamin Larsson
  1 sibling, 0 replies; 4+ messages in thread
From: Benjamin Larsson @ 2015-11-06 23:15 UTC (permalink / raw)
  To: Antti Palosaari, linux-media

On 10/10/2015 06:45 PM, Antti Palosaari wrote:
> Add lock to prevent concurrent access for control message as control
> message function uses shared buffer. Without the lock there may be
> remote control polling which messes the buffer causing IO errors.
> Increase buffer size and add check for maximum supported message
> length.
>

This patch made at least one of my devices work. Before my log was full 
of errors.

Totally unrelated I do get a fail on loading the firmware. Just retrying 
made it work eventually.

[  143.286498] mn88473 19-0018: downloading firmware from file 
'dvb-demod-mn88473-01.fw'
[  143.551497] mn88473 19-0018: firmware download failed=-32
[  143.826792] rtl2832 19-0010: i2c reg read failed -32
[  143.903215] mn88473 19-0018: downloading firmware from file 
'dvb-demod-mn88473-01.fw'
[  144.345554] mn88473 19-0018: firmware download failed=-32
[  331.060613] mn88473 19-0018: downloading firmware from file 
'dvb-demod-mn88473-01.fw'
[  331.477234] mn88473 19-0018: firmware download failed=-32
[  354.997771] rtl2832 19-0010: i2c reg read failed -32
[  358.591754] mn88473 19-0018: downloading firmware from file 
'dvb-demod-mn88473-01.fw'
[  359.115582] mn88473 19-0018: firmware parity check succeeded=0x20

MvH
Benjamin Larsson

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-11-06 23:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-10 16:45 [PATCH] rtl28xxu: fix control message flaws Antti Palosaari
2015-10-14 22:11 ` Daniel Glöckner
2015-10-15  6:54   ` Antti Palosaari
2015-11-06 23:15 ` Benjamin Larsson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).