* [PATCH v2 0/2] media: az6007: overall refactor to fix bugs @ 2025-09-08 15:07 Jeongjun Park 2025-09-08 15:07 ` [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() Jeongjun Park 2025-09-08 15:07 ` [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 Jeongjun Park 0 siblings, 2 replies; 6+ messages in thread From: Jeongjun Park @ 2025-09-08 15:07 UTC (permalink / raw) To: mchehab, hverkuil, hverkuil+cisco Cc: linux-media, linux-kernel, stable, aha310510 This patch series refactors the az6007 driver to address root causes of persistent bugs that have persisted for some time. Jeongjun Park (2): media: az6007: fix out-of-bounds in az6007_i2c_xfer() media: az6007: refactor to properly use dvb-usb-v2 drivers/media/usb/dvb-usb-v2/az6007.c | 211 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------------------------------------------------------------------- 1 file changed, 107 insertions(+), 104 deletions(-) ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() 2025-09-08 15:07 [PATCH v2 0/2] media: az6007: overall refactor to fix bugs Jeongjun Park @ 2025-09-08 15:07 ` Jeongjun Park 2025-09-09 5:55 ` kernel test robot 2025-10-14 11:03 ` hverkuil+cisco 2025-09-08 15:07 ` [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 Jeongjun Park 1 sibling, 2 replies; 6+ messages in thread From: Jeongjun Park @ 2025-09-08 15:07 UTC (permalink / raw) To: mchehab, hverkuil, hverkuil+cisco Cc: linux-media, linux-kernel, stable, aha310510, syzbot+0192952caa411a3be209 Because the blen is not properly bounds-checked in __az6007_read/write, it is easy to get out-of-bounds errors in az6007_i2c_xfer later. Therefore, we need to add bounds-checking to __az6007_read/write to resolve this. Cc: <stable@vger.kernel.org> Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209 Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") Signed-off-by: Jeongjun Park <aha310510@gmail.com> --- v2: Change to fix the root cause of oob - Link to v1: https://lore.kernel.org/all/20250421105555.34984-1-aha310510@gmail.com/ --- drivers/media/usb/dvb-usb-v2/az6007.c | 62 +++++++++++++++------------ 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 65ef045b74ca..4202042bdb55 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -97,11 +97,17 @@ static struct mt2063_config az6007_mt2063_config = { .refclock = 36125000, }; -static int __az6007_read(struct usb_device *udev, u8 req, u16 value, - u16 index, u8 *b, int blen) +static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, + u8 req, u16 value, u16 index, u8 *b, int blen) { int ret; + if (blen > sizeof(st->data)) { + pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", + blen, sizeof(st->data)); + return -EOPNOTSUPP; + } + ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), req, @@ -125,24 +131,30 @@ static int __az6007_read(struct usb_device *udev, u8 req, u16 value, static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value, u16 index, u8 *b, int blen) { - struct az6007_device_state *st = d->priv; + struct az6007_device_state *st = d_to_priv(d); int ret; if (mutex_lock_interruptible(&st->mutex) < 0) return -EAGAIN; - ret = __az6007_read(d->udev, req, value, index, b, blen); + ret = __az6007_read(d->udev, st, req, value, index, b, blen); mutex_unlock(&st->mutex); return ret; } -static int __az6007_write(struct usb_device *udev, u8 req, u16 value, - u16 index, u8 *b, int blen) +static int __az6007_write(struct usb_device *udev, struct az6007_device_state *st, + u8 req, u16 value, u16 index, u8 *b, int blen) { int ret; + if (blen > sizeof(st->data)) { + pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", + blen, sizeof(st->data)); + return -EOPNOTSUPP; + } + if (az6007_xfer_debug) { printk(KERN_DEBUG "az6007: OUT req: %02x, value: %04x, index: %04x\n", req, value, index); @@ -150,12 +162,6 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value, DUMP_PREFIX_NONE, b, blen); } - if (blen > 64) { - pr_err("az6007: tried to write %d bytes, but I2C max size is 64 bytes\n", - blen); - return -EOPNOTSUPP; - } - ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), req, @@ -172,13 +178,13 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value, static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, u16 index, u8 *b, int blen) { - struct az6007_device_state *st = d->priv; + struct az6007_device_state *st = d_to_priv(d); int ret; if (mutex_lock_interruptible(&st->mutex) < 0) return -EAGAIN; - ret = __az6007_write(d->udev, req, value, index, b, blen); + ret = __az6007_write(d->udev, st, req, value, index, b, blen); mutex_unlock(&st->mutex); @@ -775,7 +781,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], value = addr | (1 << 8); length = 6 + msgs[i + 1].len; len = msgs[i + 1].len; - ret = __az6007_read(d->udev, req, value, index, + ret = __az6007_read(d->udev, st, req, value, index, st->data, length); if (ret >= len) { for (j = 0; j < len; j++) @@ -788,7 +794,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); - if (msgs[i].len < 1) { + if (msgs[i].len < 1 && msgs[i].len > 64) { ret = -EIO; goto err; } @@ -796,11 +802,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], index = msgs[i].buf[0]; value = addr | (1 << 8); length = msgs[i].len - 1; - len = msgs[i].len - 1; - for (j = 0; j < len; j++) - st->data[j] = msgs[i].buf[j + 1]; - ret = __az6007_write(d->udev, req, value, index, - st->data, length); + ret = __az6007_write(d->udev, st, req, value, index, + &msgs[i].buf[1], length); } else { /* read bytes */ if (az6007_xfer_debug) @@ -815,10 +818,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], value = addr; length = msgs[i].len + 6; len = msgs[i].len; - ret = __az6007_read(d->udev, req, value, index, + ret = __az6007_read(d->udev, st, req, value, index, st->data, length); - for (j = 0; j < len; j++) - msgs[i].buf[j] = st->data[j + 5]; + if (ret >= len) { + for (j = 0; j < len; j++) + msgs[i].buf[j] = st->data[j + 5]; + } } if (ret < 0) goto err; @@ -845,6 +850,7 @@ static const struct i2c_algorithm az6007_i2c_algo = { static int az6007_identify_state(struct dvb_usb_device *d, const char **name) { + struct az6007_device_state *state = d_to_priv(d); int ret; u8 *mac; @@ -855,7 +861,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) return -ENOMEM; /* Try to read the mac address */ - ret = __az6007_read(d->udev, AZ6007_READ_DATA, 6, 0, mac, 6); + ret = __az6007_read(d->udev, state, AZ6007_READ_DATA, 6, 0, mac, 6); if (ret == 6) ret = WARM; else @@ -864,9 +870,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) kfree(mac); if (ret == COLD) { - __az6007_write(d->udev, 0x09, 1, 0, NULL, 0); - __az6007_write(d->udev, 0x00, 0, 0, NULL, 0); - __az6007_write(d->udev, 0x00, 0, 0, NULL, 0); + __az6007_write(d->udev, state, 0x09, 1, 0, NULL, 0); + __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); + __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); } pr_debug("Device is on %s state\n", -- ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() 2025-09-08 15:07 ` [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() Jeongjun Park @ 2025-09-09 5:55 ` kernel test robot 2025-10-14 11:03 ` hverkuil+cisco 1 sibling, 0 replies; 6+ messages in thread From: kernel test robot @ 2025-09-09 5:55 UTC (permalink / raw) To: Jeongjun Park, mchehab, hverkuil, hverkuil+cisco Cc: llvm, oe-kbuild-all, linux-media, linux-kernel, stable, aha310510, syzbot+0192952caa411a3be209 Hi Jeongjun, kernel test robot noticed the following build warnings: [auto build test WARNING on linuxtv-media-pending/master] [also build test WARNING on linus/master v6.17-rc5 next-20250908] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Jeongjun-Park/media-az6007-fix-out-of-bounds-in-az6007_i2c_xfer/20250908-231026 base: https://git.linuxtv.org/media-ci/media-pending.git master patch link: https://lore.kernel.org/r/20250908150730.24560-2-aha310510%40gmail.com patch subject: [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() config: hexagon-allyesconfig (https://download.01.org/0day-ci/archive/20250909/202509091306.eGl2abHr-lkp@intel.com/config) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 7fb1dc08d2f025aad5777bb779dfac1197e9ef87) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250909/202509091306.eGl2abHr-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509091306.eGl2abHr-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/media/usb/dvb-usb-v2/az6007.c:107:16: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat] 106 | pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", | ~~~ | %zu 107 | blen, sizeof(st->data)); | ^~~~~~~~~~~~~~~~ include/linux/printk.h:557:33: note: expanded from macro 'pr_err' 557 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:514:60: note: expanded from macro 'printk' 514 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:486:19: note: expanded from macro 'printk_index_wrap' 486 | _p_func(_fmt, ##__VA_ARGS__); \ | ~~~~ ^~~~~~~~~~~ drivers/media/usb/dvb-usb-v2/az6007.c:154:16: warning: format specifies type 'unsigned long' but the argument has type '__size_t' (aka 'unsigned int') [-Wformat] 153 | pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", | ~~~ | %zu 154 | blen, sizeof(st->data)); | ^~~~~~~~~~~~~~~~ include/linux/printk.h:557:33: note: expanded from macro 'pr_err' 557 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:514:60: note: expanded from macro 'printk' 514 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ include/linux/printk.h:486:19: note: expanded from macro 'printk_index_wrap' 486 | _p_func(_fmt, ##__VA_ARGS__); \ | ~~~~ ^~~~~~~~~~~ 2 warnings generated. vim +107 drivers/media/usb/dvb-usb-v2/az6007.c 99 100 static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, 101 u8 req, u16 value, u16 index, u8 *b, int blen) 102 { 103 int ret; 104 105 if (blen > sizeof(st->data)) { 106 pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", > 107 blen, sizeof(st->data)); 108 return -EOPNOTSUPP; 109 } 110 111 ret = usb_control_msg(udev, 112 usb_rcvctrlpipe(udev, 0), 113 req, 114 USB_TYPE_VENDOR | USB_DIR_IN, 115 value, index, b, blen, 5000); 116 if (ret < 0) { 117 pr_warn("usb read operation failed. (%d)\n", ret); 118 return -EIO; 119 } 120 121 if (az6007_xfer_debug) { 122 printk(KERN_DEBUG "az6007: IN req: %02x, value: %04x, index: %04x\n", 123 req, value, index); 124 print_hex_dump_bytes("az6007: payload: ", 125 DUMP_PREFIX_NONE, b, blen); 126 } 127 128 return ret; 129 } 130 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() 2025-09-08 15:07 ` [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() Jeongjun Park 2025-09-09 5:55 ` kernel test robot @ 2025-10-14 11:03 ` hverkuil+cisco 1 sibling, 0 replies; 6+ messages in thread From: hverkuil+cisco @ 2025-10-14 11:03 UTC (permalink / raw) To: Jeongjun Park, mchehab, hverkuil Cc: linux-media, linux-kernel, stable, syzbot+0192952caa411a3be209 On 08/09/2025 17:07, Jeongjun Park wrote: > Because the blen is not properly bounds-checked in __az6007_read/write, > it is easy to get out-of-bounds errors in az6007_i2c_xfer later. > > Therefore, we need to add bounds-checking to __az6007_read/write to > resolve this. > > Cc: <stable@vger.kernel.org> > Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209 > Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") > Signed-off-by: Jeongjun Park <aha310510@gmail.com> > --- > v2: Change to fix the root cause of oob > - Link to v1: https://lore.kernel.org/all/20250421105555.34984-1-aha310510@gmail.com/ > --- > drivers/media/usb/dvb-usb-v2/az6007.c | 62 +++++++++++++++------------ > 1 file changed, 34 insertions(+), 28 deletions(-) > > diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c > index 65ef045b74ca..4202042bdb55 100644 > --- a/drivers/media/usb/dvb-usb-v2/az6007.c > +++ b/drivers/media/usb/dvb-usb-v2/az6007.c > @@ -97,11 +97,17 @@ static struct mt2063_config az6007_mt2063_config = { > .refclock = 36125000, > }; > > -static int __az6007_read(struct usb_device *udev, u8 req, u16 value, > - u16 index, u8 *b, int blen) > +static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, > + u8 req, u16 value, u16 index, u8 *b, int blen) > { > int ret; > > + if (blen > sizeof(st->data)) { > + pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", > + blen, sizeof(st->data)); > + return -EOPNOTSUPP; > + } > + Hmm, but the pointer 'b' doesn't always point to st->data, so it makes no sense to check against it. > ret = usb_control_msg(udev, > usb_rcvctrlpipe(udev, 0), > req, > @@ -125,24 +131,30 @@ static int __az6007_read(struct usb_device *udev, u8 req, u16 value, > static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value, > u16 index, u8 *b, int blen) > { > - struct az6007_device_state *st = d->priv; > + struct az6007_device_state *st = d_to_priv(d); > int ret; > > if (mutex_lock_interruptible(&st->mutex) < 0) > return -EAGAIN; > > - ret = __az6007_read(d->udev, req, value, index, b, blen); > + ret = __az6007_read(d->udev, st, req, value, index, b, blen); > > mutex_unlock(&st->mutex); > > return ret; > } > > -static int __az6007_write(struct usb_device *udev, u8 req, u16 value, > - u16 index, u8 *b, int blen) > +static int __az6007_write(struct usb_device *udev, struct az6007_device_state *st, > + u8 req, u16 value, u16 index, u8 *b, int blen) > { > int ret; > > + if (blen > sizeof(st->data)) { > + pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", > + blen, sizeof(st->data)); > + return -EOPNOTSUPP; > + } > + This makes no sense... > if (az6007_xfer_debug) { > printk(KERN_DEBUG "az6007: OUT req: %02x, value: %04x, index: %04x\n", > req, value, index); > @@ -150,12 +162,6 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value, > DUMP_PREFIX_NONE, b, blen); > } > > - if (blen > 64) { > - pr_err("az6007: tried to write %d bytes, but I2C max size is 64 bytes\n", > - blen); > - return -EOPNOTSUPP; > - } > - ...since it is capped at 64 bytes anyway. So just keep this check since it is more stringent than sizeof(st->data). Also, 'b' doesn't always point to st->data, so it makes no sense. I think this is all overkill. There are only a few places in this driver where you are reading or writing to/from a buffer. In most cases the length is hardcoded and clearly fits inside the buffer. Only is a few places do you need to check that the length <= sizeof(st->data), and that should just be added as an extra check. Note that the msg buffers (msg[i].buf) passed to az6007_i2c_xfer are guaranteed to have the right size for the length (msg[i].len). So you only need to check when using st->data as the buffer. Sorry for basically going back to the first patch (almost). Regards, Hans > ret = usb_control_msg(udev, > usb_sndctrlpipe(udev, 0), > req, > @@ -172,13 +178,13 @@ static int __az6007_write(struct usb_device *udev, u8 req, u16 value, > static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, > u16 index, u8 *b, int blen) > { > - struct az6007_device_state *st = d->priv; > + struct az6007_device_state *st = d_to_priv(d); > int ret; > > if (mutex_lock_interruptible(&st->mutex) < 0) > return -EAGAIN; > > - ret = __az6007_write(d->udev, req, value, index, b, blen); > + ret = __az6007_write(d->udev, st, req, value, index, b, blen); > > mutex_unlock(&st->mutex); > > @@ -775,7 +781,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > value = addr | (1 << 8); > length = 6 + msgs[i + 1].len; > len = msgs[i + 1].len; > - ret = __az6007_read(d->udev, req, value, index, > + ret = __az6007_read(d->udev, st, req, value, index, > st->data, length); > if (ret >= len) { > for (j = 0; j < len; j++) > @@ -788,7 +794,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > if (az6007_xfer_debug) > printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", > addr, msgs[i].len); > - if (msgs[i].len < 1) { > + if (msgs[i].len < 1 && msgs[i].len > 64) { > ret = -EIO; > goto err; > } > @@ -796,11 +802,8 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > index = msgs[i].buf[0]; > value = addr | (1 << 8); > length = msgs[i].len - 1; > - len = msgs[i].len - 1; > - for (j = 0; j < len; j++) > - st->data[j] = msgs[i].buf[j + 1]; > - ret = __az6007_write(d->udev, req, value, index, > - st->data, length); > + ret = __az6007_write(d->udev, st, req, value, index, > + &msgs[i].buf[1], length); > } else { > /* read bytes */ > if (az6007_xfer_debug) > @@ -815,10 +818,12 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > value = addr; > length = msgs[i].len + 6; > len = msgs[i].len; > - ret = __az6007_read(d->udev, req, value, index, > + ret = __az6007_read(d->udev, st, req, value, index, > st->data, length); > - for (j = 0; j < len; j++) > - msgs[i].buf[j] = st->data[j + 5]; > + if (ret >= len) { > + for (j = 0; j < len; j++) > + msgs[i].buf[j] = st->data[j + 5]; > + } > } > if (ret < 0) > goto err; > @@ -845,6 +850,7 @@ static const struct i2c_algorithm az6007_i2c_algo = { > > static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > { > + struct az6007_device_state *state = d_to_priv(d); > int ret; > u8 *mac; > > @@ -855,7 +861,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > return -ENOMEM; > > /* Try to read the mac address */ > - ret = __az6007_read(d->udev, AZ6007_READ_DATA, 6, 0, mac, 6); > + ret = __az6007_read(d->udev, state, AZ6007_READ_DATA, 6, 0, mac, 6); > if (ret == 6) > ret = WARM; > else > @@ -864,9 +870,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > kfree(mac); > > if (ret == COLD) { > - __az6007_write(d->udev, 0x09, 1, 0, NULL, 0); > - __az6007_write(d->udev, 0x00, 0, 0, NULL, 0); > - __az6007_write(d->udev, 0x00, 0, 0, NULL, 0); > + __az6007_write(d->udev, state, 0x09, 1, 0, NULL, 0); > + __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); > + __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); > } > > pr_debug("Device is on %s state\n", > -- > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 2025-09-08 15:07 [PATCH v2 0/2] media: az6007: overall refactor to fix bugs Jeongjun Park 2025-09-08 15:07 ` [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() Jeongjun Park @ 2025-09-08 15:07 ` Jeongjun Park 2025-10-14 11:45 ` hverkuil+cisco 1 sibling, 1 reply; 6+ messages in thread From: Jeongjun Park @ 2025-09-08 15:07 UTC (permalink / raw) To: mchehab, hverkuil, hverkuil+cisco Cc: linux-media, linux-kernel, stable, aha310510, syzbot+a43c95e5c2c9ed88e966 The az6007 driver has long since transitioned from dvb-usb to dvb-usb-v2, but its implementation is still a mix of dvb-usb and dvb-usb-v2. Addressing the various issues that arise from this requires comprehensive refactoring to transition to the dvb-usb-v2 implementation. Cc: <stable@vger.kernel.org> Reported-by: syzbot+a43c95e5c2c9ed88e966@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=a43c95e5c2c9ed88e966 Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") Signed-off-by: Jeongjun Park <aha310510@gmail.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 175 +++++++++++++------------- 1 file changed, 86 insertions(+), 89 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 4202042bdb55..5517675fd0b1 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -39,10 +39,10 @@ DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr); #define AZ6007_READ_IR 0xb4 struct az6007_device_state { - struct mutex mutex; struct mutex ca_mutex; struct dvb_ca_en50221 ca; unsigned warm:1; + unsigned ci_attached:1; int (*gate_ctrl) (struct dvb_frontend *, int); unsigned char data[4096]; }; @@ -97,25 +97,30 @@ static struct mt2063_config az6007_mt2063_config = { .refclock = 36125000, }; -static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, +static int __az6007_read(struct dvb_usb_device *d, struct az6007_device_state *st, u8 req, u16 value, u16 index, u8 *b, int blen) { int ret; + if (mutex_lock_interruptible(&d->usb_mutex) < 0) + return -EAGAIN; + if (blen > sizeof(st->data)) { pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", blen, sizeof(st->data)); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto end_unlock; } - ret = usb_control_msg(udev, - usb_rcvctrlpipe(udev, 0), + ret = usb_control_msg(d->udev, + usb_rcvctrlpipe(d->udev, 0), req, USB_TYPE_VENDOR | USB_DIR_IN, value, index, b, blen, 5000); if (ret < 0) { pr_warn("usb read operation failed. (%d)\n", ret); - return -EIO; + ret = -EIO; + goto end_unlock; } if (az6007_xfer_debug) { @@ -125,6 +130,8 @@ static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st DUMP_PREFIX_NONE, b, blen); } +end_unlock: + mutex_unlock(&d->usb_mutex); return ret; } @@ -134,25 +141,24 @@ static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value, struct az6007_device_state *st = d_to_priv(d); int ret; - if (mutex_lock_interruptible(&st->mutex) < 0) - return -EAGAIN; - - ret = __az6007_read(d->udev, st, req, value, index, b, blen); - - mutex_unlock(&st->mutex); + ret = __az6007_read(d, st, req, value, index, b, blen); return ret; } -static int __az6007_write(struct usb_device *udev, struct az6007_device_state *st, +static int __az6007_write(struct dvb_usb_device *d, struct az6007_device_state *st, u8 req, u16 value, u16 index, u8 *b, int blen) { int ret; + if (mutex_lock_interruptible(&d->usb_mutex) < 0) + return -EAGAIN; + if (blen > sizeof(st->data)) { pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", blen, sizeof(st->data)); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto end_unlock; } if (az6007_xfer_debug) { @@ -162,17 +168,21 @@ static int __az6007_write(struct usb_device *udev, struct az6007_device_state *s DUMP_PREFIX_NONE, b, blen); } - ret = usb_control_msg(udev, - usb_sndctrlpipe(udev, 0), + ret = usb_control_msg(d->udev, + usb_sndctrlpipe(d->udev, 0), req, USB_TYPE_VENDOR | USB_DIR_OUT, value, index, b, blen, 5000); if (ret != blen) { pr_err("usb write operation failed. (%d)\n", ret); - return -EIO; + ret = -EIO; + goto end_unlock; } - return 0; + ret = 0; +end_unlock: + mutex_unlock(&d->usb_mutex); + return ret; } static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, @@ -181,12 +191,7 @@ static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, struct az6007_device_state *st = d_to_priv(d); int ret; - if (mutex_lock_interruptible(&st->mutex) < 0) - return -EAGAIN; - - ret = __az6007_write(d->udev, st, req, value, index, b, blen); - - mutex_unlock(&st->mutex); + ret = __az6007_write(d, st, req, value, index, b, blen); return ret; } @@ -580,10 +585,9 @@ static void az6007_ci_uninit(struct dvb_usb_device *d) } -static int az6007_ci_init(struct dvb_usb_adapter *adap) +static int az6007_ci_init(struct dvb_usb_device *d) { - struct dvb_usb_device *d = adap_to_d(adap); - struct az6007_device_state *state = adap_to_priv(adap); + struct az6007_device_state *state = d_to_priv(d); int ret; pr_debug("%s()\n", __func__); @@ -600,7 +604,7 @@ static int az6007_ci_init(struct dvb_usb_adapter *adap) state->ca.poll_slot_status = az6007_ci_poll_slot_status; state->ca.data = d; - ret = dvb_ca_en50221_init(&adap->dvb_adap, + ret = dvb_ca_en50221_init(&d->adapter[0].dvb_adap, &state->ca, 0, /* flags */ 1);/* n_slots */ @@ -610,6 +614,8 @@ static int az6007_ci_init(struct dvb_usb_adapter *adap) return ret; } + state->ci_attached = true; + pr_debug("CI initialized.\n"); return 0; @@ -646,8 +652,6 @@ static int az6007_frontend_attach(struct dvb_usb_adapter *adap) st->gate_ctrl = adap->fe[0]->ops.i2c_gate_ctrl; adap->fe[0]->ops.i2c_gate_ctrl = drxk_gate_ctrl; - az6007_ci_init(adap); - return 0; } @@ -667,8 +671,6 @@ static int az6007_cablestar_hdci_frontend_attach(struct dvb_usb_adapter *adap) st->gate_ctrl = adap->fe[0]->ops.i2c_gate_ctrl; adap->fe[0]->ops.i2c_gate_ctrl = drxk_gate_ctrl; - az6007_ci_init(adap); - return 0; } @@ -699,50 +701,55 @@ static int az6007_power_ctrl(struct dvb_usb_device *d, int onoff) pr_debug("%s()\n", __func__); - if (!state->warm) { - mutex_init(&state->mutex); + mutex_lock(&d->i2c_mutex); + if (!state->warm) { ret = az6007_write(d, AZ6007_POWER, 0, 2, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(60); ret = az6007_write(d, AZ6007_POWER, 1, 4, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(100); ret = az6007_write(d, AZ6007_POWER, 1, 3, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(20); ret = az6007_write(d, AZ6007_POWER, 1, 4, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(400); ret = az6007_write(d, FX2_SCON1, 0, 3, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(150); ret = az6007_write(d, FX2_SCON1, 1, 3, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; msleep(430); ret = az6007_write(d, AZ6007_POWER, 0, 0, NULL, 0); if (ret < 0) - return ret; + goto end_unlock; state->warm = true; - return 0; + ret = 0; + goto end_unlock; } + ret = 0; + if (!onoff) - return 0; + goto end_unlock; az6007_write(d, AZ6007_POWER, 0, 0, NULL, 0); az6007_write(d, AZ6007_TS_THROUGH, 0, 0, NULL, 0); - return 0; +end_unlock: + mutex_unlock(&d->i2c_mutex); + return ret; } /* I2C */ @@ -758,7 +765,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int length; u8 req, addr; - if (mutex_lock_interruptible(&st->mutex) < 0) + if (mutex_lock_interruptible(&d->i2c_mutex) < 0) return -EAGAIN; for (i = 0; i < num; i++) { @@ -781,7 +788,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], value = addr | (1 << 8); length = 6 + msgs[i + 1].len; len = msgs[i + 1].len; - ret = __az6007_read(d->udev, st, req, value, index, + ret = __az6007_read(d, st, req, value, index, st->data, length); if (ret >= len) { for (j = 0; j < len; j++) @@ -802,7 +809,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], index = msgs[i].buf[0]; value = addr | (1 << 8); length = msgs[i].len - 1; - ret = __az6007_write(d->udev, st, req, value, index, + ret = __az6007_write(d, st, req, value, index, &msgs[i].buf[1], length); } else { /* read bytes */ @@ -818,7 +825,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], value = addr; length = msgs[i].len + 6; len = msgs[i].len; - ret = __az6007_read(d->udev, st, req, value, index, + ret = __az6007_read(d, st, req, value, index, st->data, length); if (ret >= len) { for (j = 0; j < len; j++) @@ -829,7 +836,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], goto err; } err: - mutex_unlock(&st->mutex); + mutex_unlock(&d->i2c_mutex); if (ret < 0) { pr_info("%s ERROR: %i\n", __func__, ret); @@ -861,7 +868,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) return -ENOMEM; /* Try to read the mac address */ - ret = __az6007_read(d->udev, state, AZ6007_READ_DATA, 6, 0, mac, 6); + ret = __az6007_read(d, state, AZ6007_READ_DATA, 6, 0, mac, 6); if (ret == 6) ret = WARM; else @@ -870,9 +877,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) kfree(mac); if (ret == COLD) { - __az6007_write(d->udev, state, 0x09, 1, 0, NULL, 0); - __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); - __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); + __az6007_write(d, state, 0x09, 1, 0, NULL, 0); + __az6007_write(d, state, 0x00, 0, 0, NULL, 0); + __az6007_write(d, state, 0x00, 0, 0, NULL, 0); } pr_debug("Device is on %s state\n", @@ -880,13 +887,6 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) return ret; } -static void az6007_usb_disconnect(struct usb_interface *intf) -{ - struct dvb_usb_device *d = usb_get_intfdata(intf); - az6007_ci_uninit(d); - dvb_usbv2_disconnect(intf); -} - static int az6007_download_firmware(struct dvb_usb_device *d, const struct firmware *fw) { @@ -895,6 +895,19 @@ static int az6007_download_firmware(struct dvb_usb_device *d, return cypress_load_firmware(d->udev, fw, CYPRESS_FX2); } +static int az6007_init(struct dvb_usb_device *d) +{ + return az6007_ci_init(d); +} + +static void az6007_exit(struct dvb_usb_device *d) +{ + struct az6007_device_state *state = d_to_priv(d); + + if (state->ci_attached) + az6007_ci_uninit(d); +} + /* DVB USB Driver stuff */ static struct dvb_usb_device_properties az6007_props = { .driver_name = KBUILD_MODNAME, @@ -912,6 +925,8 @@ static struct dvb_usb_device_properties az6007_props = { .download_firmware = az6007_download_firmware, .identify_state = az6007_identify_state, .power_ctrl = az6007_power_ctrl, + .init = az6007_init, + .exit = az6007_exit, .num_adapters = 1, .adapter = { { .stream = DVB_USB_STREAM_BULK(0x02, 10, 4096), } @@ -935,6 +950,8 @@ static struct dvb_usb_device_properties az6007_cablestar_hdci_props = { .download_firmware = az6007_download_firmware, .identify_state = az6007_identify_state, .power_ctrl = az6007_power_ctrl, + .init = az6007_init, + .exit = az6007_exit, .num_adapters = 1, .adapter = { { .stream = DVB_USB_STREAM_BULK(0x02, 10, 4096), } @@ -955,37 +972,17 @@ static const struct usb_device_id az6007_usb_table[] = { MODULE_DEVICE_TABLE(usb, az6007_usb_table); -static int az6007_suspend(struct usb_interface *intf, pm_message_t msg) -{ - struct dvb_usb_device *d = usb_get_intfdata(intf); - - az6007_ci_uninit(d); - return dvb_usbv2_suspend(intf, msg); -} - -static int az6007_resume(struct usb_interface *intf) -{ - struct dvb_usb_device *d = usb_get_intfdata(intf); - struct dvb_usb_adapter *adap = &d->adapter[0]; - - az6007_ci_init(adap); - return dvb_usbv2_resume(intf); -} - /* usb specific object needed to register this driver with the usb subsystem */ static struct usb_driver az6007_usb_driver = { - .name = KBUILD_MODNAME, - .id_table = az6007_usb_table, - .probe = dvb_usbv2_probe, - .disconnect = az6007_usb_disconnect, - .no_dynamic_id = 1, - .soft_unbind = 1, - /* - * FIXME: need to implement reset_resume, likely with - * dvb-usb-v2 core support - */ - .suspend = az6007_suspend, - .resume = az6007_resume, + .name = KBUILD_MODNAME, + .id_table = az6007_usb_table, + .probe = dvb_usbv2_probe, + .disconnect = dvb_usbv2_disconnect, + .suspend = dvb_usbv2_suspend, + .resume = dvb_usbv2_resume, + .reset_resume = dvb_usbv2_reset_resume, + .no_dynamic_id = 1, + .soft_unbind = 1, }; module_usb_driver(az6007_usb_driver); -- ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 2025-09-08 15:07 ` [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 Jeongjun Park @ 2025-10-14 11:45 ` hverkuil+cisco 0 siblings, 0 replies; 6+ messages in thread From: hverkuil+cisco @ 2025-10-14 11:45 UTC (permalink / raw) To: Jeongjun Park, mchehab, hverkuil Cc: linux-media, linux-kernel, stable, syzbot+a43c95e5c2c9ed88e966 Hi Jeongjun Park, On 08/09/2025 17:07, Jeongjun Park wrote: > The az6007 driver has long since transitioned from dvb-usb to dvb-usb-v2, > but its implementation is still a mix of dvb-usb and dvb-usb-v2. > > Addressing the various issues that arise from this requires comprehensive > refactoring to transition to the dvb-usb-v2 implementation. Since I dropped the previous patch, this patch doesn't apply anymore, so I'm dropping it as well. But in any case, this patch really needs to be tested on actual hardware. > > Cc: <stable@vger.kernel.org> > Reported-by: syzbot+a43c95e5c2c9ed88e966@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=a43c95e5c2c9ed88e966 What does this syzkaller report have to do with refactoring? I think you're mixing refactoring and fixing a bug. Regards, Hans > Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") > Signed-off-by: Jeongjun Park <aha310510@gmail.com> > --- > drivers/media/usb/dvb-usb-v2/az6007.c | 175 +++++++++++++------------- > 1 file changed, 86 insertions(+), 89 deletions(-) > > diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c > index 4202042bdb55..5517675fd0b1 100644 > --- a/drivers/media/usb/dvb-usb-v2/az6007.c > +++ b/drivers/media/usb/dvb-usb-v2/az6007.c > @@ -39,10 +39,10 @@ DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr); > #define AZ6007_READ_IR 0xb4 > > struct az6007_device_state { > - struct mutex mutex; > struct mutex ca_mutex; > struct dvb_ca_en50221 ca; > unsigned warm:1; > + unsigned ci_attached:1; > int (*gate_ctrl) (struct dvb_frontend *, int); > unsigned char data[4096]; > }; > @@ -97,25 +97,30 @@ static struct mt2063_config az6007_mt2063_config = { > .refclock = 36125000, > }; > > -static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st, > +static int __az6007_read(struct dvb_usb_device *d, struct az6007_device_state *st, > u8 req, u16 value, u16 index, u8 *b, int blen) > { > int ret; > > + if (mutex_lock_interruptible(&d->usb_mutex) < 0) > + return -EAGAIN; > + > if (blen > sizeof(st->data)) { > pr_err("az6007: tried to read %d bytes, but I2C max size is %lu bytes\n", > blen, sizeof(st->data)); > - return -EOPNOTSUPP; > + ret = -EOPNOTSUPP; > + goto end_unlock; > } > > - ret = usb_control_msg(udev, > - usb_rcvctrlpipe(udev, 0), > + ret = usb_control_msg(d->udev, > + usb_rcvctrlpipe(d->udev, 0), > req, > USB_TYPE_VENDOR | USB_DIR_IN, > value, index, b, blen, 5000); > if (ret < 0) { > pr_warn("usb read operation failed. (%d)\n", ret); > - return -EIO; > + ret = -EIO; > + goto end_unlock; > } > > if (az6007_xfer_debug) { > @@ -125,6 +130,8 @@ static int __az6007_read(struct usb_device *udev, struct az6007_device_state *st > DUMP_PREFIX_NONE, b, blen); > } > > +end_unlock: > + mutex_unlock(&d->usb_mutex); > return ret; > } > > @@ -134,25 +141,24 @@ static int az6007_read(struct dvb_usb_device *d, u8 req, u16 value, > struct az6007_device_state *st = d_to_priv(d); > int ret; > > - if (mutex_lock_interruptible(&st->mutex) < 0) > - return -EAGAIN; > - > - ret = __az6007_read(d->udev, st, req, value, index, b, blen); > - > - mutex_unlock(&st->mutex); > + ret = __az6007_read(d, st, req, value, index, b, blen); > > return ret; > } > > -static int __az6007_write(struct usb_device *udev, struct az6007_device_state *st, > +static int __az6007_write(struct dvb_usb_device *d, struct az6007_device_state *st, > u8 req, u16 value, u16 index, u8 *b, int blen) > { > int ret; > > + if (mutex_lock_interruptible(&d->usb_mutex) < 0) > + return -EAGAIN; > + > if (blen > sizeof(st->data)) { > pr_err("az6007: tried to write %d bytes, but I2C max size is %lu bytes\n", > blen, sizeof(st->data)); > - return -EOPNOTSUPP; > + ret = -EOPNOTSUPP; > + goto end_unlock; > } > > if (az6007_xfer_debug) { > @@ -162,17 +168,21 @@ static int __az6007_write(struct usb_device *udev, struct az6007_device_state *s > DUMP_PREFIX_NONE, b, blen); > } > > - ret = usb_control_msg(udev, > - usb_sndctrlpipe(udev, 0), > + ret = usb_control_msg(d->udev, > + usb_sndctrlpipe(d->udev, 0), > req, > USB_TYPE_VENDOR | USB_DIR_OUT, > value, index, b, blen, 5000); > if (ret != blen) { > pr_err("usb write operation failed. (%d)\n", ret); > - return -EIO; > + ret = -EIO; > + goto end_unlock; > } > > - return 0; > + ret = 0; > +end_unlock: > + mutex_unlock(&d->usb_mutex); > + return ret; > } > > static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, > @@ -181,12 +191,7 @@ static int az6007_write(struct dvb_usb_device *d, u8 req, u16 value, > struct az6007_device_state *st = d_to_priv(d); > int ret; > > - if (mutex_lock_interruptible(&st->mutex) < 0) > - return -EAGAIN; > - > - ret = __az6007_write(d->udev, st, req, value, index, b, blen); > - > - mutex_unlock(&st->mutex); > + ret = __az6007_write(d, st, req, value, index, b, blen); > > return ret; > } > @@ -580,10 +585,9 @@ static void az6007_ci_uninit(struct dvb_usb_device *d) > } > > > -static int az6007_ci_init(struct dvb_usb_adapter *adap) > +static int az6007_ci_init(struct dvb_usb_device *d) > { > - struct dvb_usb_device *d = adap_to_d(adap); > - struct az6007_device_state *state = adap_to_priv(adap); > + struct az6007_device_state *state = d_to_priv(d); > int ret; > > pr_debug("%s()\n", __func__); > @@ -600,7 +604,7 @@ static int az6007_ci_init(struct dvb_usb_adapter *adap) > state->ca.poll_slot_status = az6007_ci_poll_slot_status; > state->ca.data = d; > > - ret = dvb_ca_en50221_init(&adap->dvb_adap, > + ret = dvb_ca_en50221_init(&d->adapter[0].dvb_adap, > &state->ca, > 0, /* flags */ > 1);/* n_slots */ > @@ -610,6 +614,8 @@ static int az6007_ci_init(struct dvb_usb_adapter *adap) > return ret; > } > > + state->ci_attached = true; > + > pr_debug("CI initialized.\n"); > > return 0; > @@ -646,8 +652,6 @@ static int az6007_frontend_attach(struct dvb_usb_adapter *adap) > st->gate_ctrl = adap->fe[0]->ops.i2c_gate_ctrl; > adap->fe[0]->ops.i2c_gate_ctrl = drxk_gate_ctrl; > > - az6007_ci_init(adap); > - > return 0; > } > > @@ -667,8 +671,6 @@ static int az6007_cablestar_hdci_frontend_attach(struct dvb_usb_adapter *adap) > st->gate_ctrl = adap->fe[0]->ops.i2c_gate_ctrl; > adap->fe[0]->ops.i2c_gate_ctrl = drxk_gate_ctrl; > > - az6007_ci_init(adap); > - > return 0; > } > > @@ -699,50 +701,55 @@ static int az6007_power_ctrl(struct dvb_usb_device *d, int onoff) > > pr_debug("%s()\n", __func__); > > - if (!state->warm) { > - mutex_init(&state->mutex); > + mutex_lock(&d->i2c_mutex); > > + if (!state->warm) { > ret = az6007_write(d, AZ6007_POWER, 0, 2, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > msleep(60); > ret = az6007_write(d, AZ6007_POWER, 1, 4, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > msleep(100); > ret = az6007_write(d, AZ6007_POWER, 1, 3, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > msleep(20); > ret = az6007_write(d, AZ6007_POWER, 1, 4, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > > msleep(400); > ret = az6007_write(d, FX2_SCON1, 0, 3, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > msleep(150); > ret = az6007_write(d, FX2_SCON1, 1, 3, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > msleep(430); > ret = az6007_write(d, AZ6007_POWER, 0, 0, NULL, 0); > if (ret < 0) > - return ret; > + goto end_unlock; > > state->warm = true; > > - return 0; > + ret = 0; > + goto end_unlock; > } > > + ret = 0; > + > if (!onoff) > - return 0; > + goto end_unlock; > > az6007_write(d, AZ6007_POWER, 0, 0, NULL, 0); > az6007_write(d, AZ6007_TS_THROUGH, 0, 0, NULL, 0); > > - return 0; > +end_unlock: > + mutex_unlock(&d->i2c_mutex); > + return ret; > } > > /* I2C */ > @@ -758,7 +765,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > int length; > u8 req, addr; > > - if (mutex_lock_interruptible(&st->mutex) < 0) > + if (mutex_lock_interruptible(&d->i2c_mutex) < 0) > return -EAGAIN; > > for (i = 0; i < num; i++) { > @@ -781,7 +788,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > value = addr | (1 << 8); > length = 6 + msgs[i + 1].len; > len = msgs[i + 1].len; > - ret = __az6007_read(d->udev, st, req, value, index, > + ret = __az6007_read(d, st, req, value, index, > st->data, length); > if (ret >= len) { > for (j = 0; j < len; j++) > @@ -802,7 +809,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > index = msgs[i].buf[0]; > value = addr | (1 << 8); > length = msgs[i].len - 1; > - ret = __az6007_write(d->udev, st, req, value, index, > + ret = __az6007_write(d, st, req, value, index, > &msgs[i].buf[1], length); > } else { > /* read bytes */ > @@ -818,7 +825,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > value = addr; > length = msgs[i].len + 6; > len = msgs[i].len; > - ret = __az6007_read(d->udev, st, req, value, index, > + ret = __az6007_read(d, st, req, value, index, > st->data, length); > if (ret >= len) { > for (j = 0; j < len; j++) > @@ -829,7 +836,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > goto err; > } > err: > - mutex_unlock(&st->mutex); > + mutex_unlock(&d->i2c_mutex); > > if (ret < 0) { > pr_info("%s ERROR: %i\n", __func__, ret); > @@ -861,7 +868,7 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > return -ENOMEM; > > /* Try to read the mac address */ > - ret = __az6007_read(d->udev, state, AZ6007_READ_DATA, 6, 0, mac, 6); > + ret = __az6007_read(d, state, AZ6007_READ_DATA, 6, 0, mac, 6); > if (ret == 6) > ret = WARM; > else > @@ -870,9 +877,9 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > kfree(mac); > > if (ret == COLD) { > - __az6007_write(d->udev, state, 0x09, 1, 0, NULL, 0); > - __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); > - __az6007_write(d->udev, state, 0x00, 0, 0, NULL, 0); > + __az6007_write(d, state, 0x09, 1, 0, NULL, 0); > + __az6007_write(d, state, 0x00, 0, 0, NULL, 0); > + __az6007_write(d, state, 0x00, 0, 0, NULL, 0); > } > > pr_debug("Device is on %s state\n", > @@ -880,13 +887,6 @@ static int az6007_identify_state(struct dvb_usb_device *d, const char **name) > return ret; > } > > -static void az6007_usb_disconnect(struct usb_interface *intf) > -{ > - struct dvb_usb_device *d = usb_get_intfdata(intf); > - az6007_ci_uninit(d); > - dvb_usbv2_disconnect(intf); > -} > - > static int az6007_download_firmware(struct dvb_usb_device *d, > const struct firmware *fw) > { > @@ -895,6 +895,19 @@ static int az6007_download_firmware(struct dvb_usb_device *d, > return cypress_load_firmware(d->udev, fw, CYPRESS_FX2); > } > > +static int az6007_init(struct dvb_usb_device *d) > +{ > + return az6007_ci_init(d); > +} > + > +static void az6007_exit(struct dvb_usb_device *d) > +{ > + struct az6007_device_state *state = d_to_priv(d); > + > + if (state->ci_attached) > + az6007_ci_uninit(d); > +} > + > /* DVB USB Driver stuff */ > static struct dvb_usb_device_properties az6007_props = { > .driver_name = KBUILD_MODNAME, > @@ -912,6 +925,8 @@ static struct dvb_usb_device_properties az6007_props = { > .download_firmware = az6007_download_firmware, > .identify_state = az6007_identify_state, > .power_ctrl = az6007_power_ctrl, > + .init = az6007_init, > + .exit = az6007_exit, > .num_adapters = 1, > .adapter = { > { .stream = DVB_USB_STREAM_BULK(0x02, 10, 4096), } > @@ -935,6 +950,8 @@ static struct dvb_usb_device_properties az6007_cablestar_hdci_props = { > .download_firmware = az6007_download_firmware, > .identify_state = az6007_identify_state, > .power_ctrl = az6007_power_ctrl, > + .init = az6007_init, > + .exit = az6007_exit, > .num_adapters = 1, > .adapter = { > { .stream = DVB_USB_STREAM_BULK(0x02, 10, 4096), } > @@ -955,37 +972,17 @@ static const struct usb_device_id az6007_usb_table[] = { > > MODULE_DEVICE_TABLE(usb, az6007_usb_table); > > -static int az6007_suspend(struct usb_interface *intf, pm_message_t msg) > -{ > - struct dvb_usb_device *d = usb_get_intfdata(intf); > - > - az6007_ci_uninit(d); > - return dvb_usbv2_suspend(intf, msg); > -} > - > -static int az6007_resume(struct usb_interface *intf) > -{ > - struct dvb_usb_device *d = usb_get_intfdata(intf); > - struct dvb_usb_adapter *adap = &d->adapter[0]; > - > - az6007_ci_init(adap); > - return dvb_usbv2_resume(intf); > -} > - > /* usb specific object needed to register this driver with the usb subsystem */ > static struct usb_driver az6007_usb_driver = { > - .name = KBUILD_MODNAME, > - .id_table = az6007_usb_table, > - .probe = dvb_usbv2_probe, > - .disconnect = az6007_usb_disconnect, > - .no_dynamic_id = 1, > - .soft_unbind = 1, > - /* > - * FIXME: need to implement reset_resume, likely with > - * dvb-usb-v2 core support > - */ > - .suspend = az6007_suspend, > - .resume = az6007_resume, > + .name = KBUILD_MODNAME, > + .id_table = az6007_usb_table, > + .probe = dvb_usbv2_probe, > + .disconnect = dvb_usbv2_disconnect, > + .suspend = dvb_usbv2_suspend, > + .resume = dvb_usbv2_resume, > + .reset_resume = dvb_usbv2_reset_resume, > + .no_dynamic_id = 1, > + .soft_unbind = 1, > }; > > module_usb_driver(az6007_usb_driver); > -- > ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-10-14 11:45 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-09-08 15:07 [PATCH v2 0/2] media: az6007: overall refactor to fix bugs Jeongjun Park 2025-09-08 15:07 ` [PATCH v2 1/2] media: az6007: fix out-of-bounds in az6007_i2c_xfer() Jeongjun Park 2025-09-09 5:55 ` kernel test robot 2025-10-14 11:03 ` hverkuil+cisco 2025-09-08 15:07 ` [PATCH v2 2/2] media: az6007: refactor to properly use dvb-usb-v2 Jeongjun Park 2025-10-14 11:45 ` hverkuil+cisco
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).