提交 06fd82dc 编写于 作者: C Chris Pascoe 提交者: Mauro Carvalho Chehab

V4L/DVB (6638): xc2028: firmware loading cleanup

Hold the private lock over set_config and set priv->firm_size to 0 after a
failed firmware load to prevent firmware accidentally being freed on us.

Clean up the firmware load/error messages somewhat and rename priv->version
to priv->firm_version to make it clear which "version" it is.
Signed-off-by: Chris Pascoe <c.pascoe@itee.uq.edu.au>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
上级 b32f9fb9
...@@ -65,8 +65,7 @@ struct xc2028_data { ...@@ -65,8 +65,7 @@ struct xc2028_data {
struct firmware_description *firm; struct firmware_description *firm;
int firm_size; int firm_size;
__u16 firm_version;
__u16 version;
struct xc2028_ctrl ctrl; struct xc2028_ctrl ctrl;
...@@ -237,6 +236,7 @@ static void free_firmware(struct xc2028_data *priv) ...@@ -237,6 +236,7 @@ static void free_firmware(struct xc2028_data *priv)
kfree(priv->firm); kfree(priv->firm);
priv->firm = NULL; priv->firm = NULL;
priv->firm_size = 0;
priv->need_load_generic = 1; priv->need_load_generic = 1;
} }
...@@ -251,7 +251,7 @@ static int load_all_firmwares(struct dvb_frontend *fe) ...@@ -251,7 +251,7 @@ static int load_all_firmwares(struct dvb_frontend *fe)
tuner_dbg("%s called\n", __FUNCTION__); tuner_dbg("%s called\n", __FUNCTION__);
tuner_info("Reading firmware %s\n", priv->ctrl.fname); tuner_dbg("Reading firmware %s\n", priv->ctrl.fname);
rc = request_firmware(&fw, priv->ctrl.fname, rc = request_firmware(&fw, priv->ctrl.fname,
&priv->i2c_props.adap->dev); &priv->i2c_props.adap->dev);
if (rc < 0) { if (rc < 0) {
...@@ -267,40 +267,34 @@ static int load_all_firmwares(struct dvb_frontend *fe) ...@@ -267,40 +267,34 @@ static int load_all_firmwares(struct dvb_frontend *fe)
p = fw->data; p = fw->data;
endp = p + fw->size; endp = p + fw->size;
if (fw->size < sizeof(name) - 1 + 2) { if (fw->size < sizeof(name) - 1 + 2 + 2) {
tuner_err("Error: firmware size is zero!\n"); tuner_err("Error: firmware file %s has invalid size!\n",
rc = -EINVAL; priv->ctrl.fname);
goto done; goto corrupt;
} }
memcpy(name, p, sizeof(name) - 1); memcpy(name, p, sizeof(name) - 1);
name[sizeof(name) - 1] = 0; name[sizeof(name) - 1] = 0;
p += sizeof(name) - 1; p += sizeof(name) - 1;
priv->version = le16_to_cpu(*(__u16 *) p); priv->firm_version = le16_to_cpu(*(__u16 *) p);
p += 2; p += 2;
tuner_info("Firmware: %s, ver %d.%d\n", name,
priv->version >> 8, priv->version & 0xff);
if (p + 2 > endp)
goto corrupt;
n_array = le16_to_cpu(*(__u16 *) p); n_array = le16_to_cpu(*(__u16 *) p);
p += 2; p += 2;
tuner_info("There are %d firmwares at %s\n", tuner_info("Loading %d firmware images from %s, type: %s, ver %d.%d\n",
n_array, priv->ctrl.fname); n_array, priv->ctrl.fname, name,
priv->firm_version >> 8, priv->firm_version & 0xff);
priv->firm = kzalloc(sizeof(*priv->firm) * n_array, GFP_KERNEL); priv->firm = kzalloc(sizeof(*priv->firm) * n_array, GFP_KERNEL);
if (priv->firm == NULL) {
if (!fw) { tuner_err("Not enough memory to load firmware file.\n");
tuner_err("Not enough memory for reading firmware.\n");
rc = -ENOMEM; rc = -ENOMEM;
goto done; goto err;
} }
priv->firm_size = n_array; priv->firm_size = n_array;
n = -1; n = -1;
while (p < endp) { while (p < endp) {
__u32 type, size; __u32 type, size;
...@@ -308,7 +302,8 @@ static int load_all_firmwares(struct dvb_frontend *fe) ...@@ -308,7 +302,8 @@ static int load_all_firmwares(struct dvb_frontend *fe)
n++; n++;
if (n >= n_array) { if (n >= n_array) {
tuner_err("Too much firmwares at the file\n"); tuner_err("More firmware images in file than "
"were expected!\n");
goto corrupt; goto corrupt;
} }
...@@ -338,15 +333,17 @@ static int load_all_firmwares(struct dvb_frontend *fe) ...@@ -338,15 +333,17 @@ static int load_all_firmwares(struct dvb_frontend *fe)
} }
priv->firm[n].ptr = kzalloc(size, GFP_KERNEL); priv->firm[n].ptr = kzalloc(size, GFP_KERNEL);
if (!priv->firm[n].ptr) { if (priv->firm[n].ptr == NULL) {
tuner_err("Not enough memory.\n"); tuner_err("Not enough memory to load firmware file.\n");
rc = -ENOMEM; rc = -ENOMEM;
goto err; goto err;
} }
tuner_info("Reading firmware type "); tuner_dbg("Reading firmware type ");
dump_firm_type(type); if (debug) {
printk("(%x), id %llx, size=%d.\n", dump_firm_type(type);
type, (unsigned long long)id, size); printk("(%x), id %llx, size=%d.\n",
type, (unsigned long long)id, size);
}
memcpy(priv->firm[n].ptr, p, size); memcpy(priv->firm[n].ptr, p, size);
priv->firm[n].type = type; priv->firm[n].type = type;
...@@ -368,13 +365,13 @@ static int load_all_firmwares(struct dvb_frontend *fe) ...@@ -368,13 +365,13 @@ static int load_all_firmwares(struct dvb_frontend *fe)
tuner_err("Error: firmware file is corrupted!\n"); tuner_err("Error: firmware file is corrupted!\n");
err: err:
tuner_info("Releasing loaded firmware file.\n"); tuner_info("Releasing partially loaded firmware file.\n");
free_firmware(priv); free_firmware(priv);
done: done:
release_firmware(fw); release_firmware(fw);
tuner_dbg("Firmware files loaded.\n"); if (rc == 0)
tuner_dbg("Firmware files loaded.\n");
return rc; return rc;
} }
...@@ -442,11 +439,6 @@ static int load_firmware(struct dvb_frontend *fe, unsigned int type, ...@@ -442,11 +439,6 @@ static int load_firmware(struct dvb_frontend *fe, unsigned int type,
printk("(%x), id %016llx.\n", type, (unsigned long long)*id); printk("(%x), id %016llx.\n", type, (unsigned long long)*id);
p = priv->firm[pos].ptr; p = priv->firm[pos].ptr;
if (!p) {
tuner_err("Firmware pointer were freed!");
return -EINVAL;
}
endp = p + priv->firm[pos].size; endp = p + priv->firm[pos].size;
while (p < endp) { while (p < endp) {
...@@ -546,15 +538,10 @@ static int load_scode(struct dvb_frontend *fe, unsigned int type, ...@@ -546,15 +538,10 @@ static int load_scode(struct dvb_frontend *fe, unsigned int type,
p = priv->firm[pos].ptr; p = priv->firm[pos].ptr;
if (!p) {
tuner_err("Firmware pointer were freed!");
return -EINVAL;
}
if ((priv->firm[pos].size != 12 * 16) || (scode >= 16)) if ((priv->firm[pos].size != 12 * 16) || (scode >= 16))
return -EINVAL; return -EINVAL;
if (priv->version < 0x0202) if (priv->firm_version < 0x0202)
rc = send_seq(priv, {0x20, 0x00, 0x00, 0x00}); rc = send_seq(priv, {0x20, 0x00, 0x00, 0x00});
else else
rc = send_seq(priv, {0xa0, 0x00, 0x00, 0x00}); rc = send_seq(priv, {0xa0, 0x00, 0x00, 0x00});
...@@ -783,7 +770,7 @@ static int generic_set_tv_freq(struct dvb_frontend *fe, u32 freq /* in Hz */ , ...@@ -783,7 +770,7 @@ static int generic_set_tv_freq(struct dvb_frontend *fe, u32 freq /* in Hz */ ,
/* CMD= Set frequency */ /* CMD= Set frequency */
if (priv->version < 0x0202) if (priv->firm_version < 0x0202)
rc = send_seq(priv, {0x00, 0x02, 0x00, 0x00}); rc = send_seq(priv, {0x00, 0x02, 0x00, 0x00});
else else
rc = send_seq(priv, {0x80, 0x02, 0x00, 0x00}); rc = send_seq(priv, {0x80, 0x02, 0x00, 0x00});
...@@ -868,6 +855,7 @@ static int xc2028_dvb_release(struct dvb_frontend *fe) ...@@ -868,6 +855,7 @@ static int xc2028_dvb_release(struct dvb_frontend *fe)
free_firmware(priv); free_firmware(priv);
kfree(priv); kfree(priv);
fe->tuner_priv = NULL;
} }
mutex_unlock(&xc2028_list_mutex); mutex_unlock(&xc2028_list_mutex);
...@@ -893,14 +881,18 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) ...@@ -893,14 +881,18 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
tuner_dbg("%s called\n", __FUNCTION__); tuner_dbg("%s called\n", __FUNCTION__);
mutex_lock(&priv->lock);
priv->ctrl.type = p->type; priv->ctrl.type = p->type;
if (p->fname) { if (p->fname) {
kfree(priv->ctrl.fname); kfree(priv->ctrl.fname);
priv->ctrl.fname = kmalloc(strlen(p->fname) + 1, GFP_KERNEL); priv->ctrl.fname = kmalloc(strlen(p->fname) + 1, GFP_KERNEL);
if (!priv->ctrl.fname) if (priv->ctrl.fname == NULL) {
mutex_unlock(&priv->lock);
return -ENOMEM; return -ENOMEM;
}
free_firmware(priv); free_firmware(priv);
strcpy(priv->ctrl.fname, p->fname); strcpy(priv->ctrl.fname, p->fname);
...@@ -909,6 +901,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) ...@@ -909,6 +901,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
if (p->max_len > 0) if (p->max_len > 0)
priv->max_len = p->max_len; priv->max_len = p->max_len;
mutex_unlock(&priv->lock);
return 0; return 0;
} }
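Review bot: In xc2028_set_config the fname branch frees the old `priv->ctrl.fname` before the new buffer is known to exist, so the added `-ENOMEM` exit leaves `ctrl.fname` NULL while `ctrl.type` has already been overwritten and the previously loaded firmware table is still in place. load_all_firmwares passes `priv->ctrl.fname` straight to `request_firmware()`, and no NULL guard is visible in these hunks, so a reload after a failed set_config would presumably run with a NULL name. Allocating the copy first and swapping only on success keeps the old configuration intact on failure, and `kstrdup()` replaces the `kmalloc(strlen() + 1)`/`strcpy()` pair. The function body starts and continues outside the hunks shown, so the excerpt below is placed against the visible lines only.

```c
	if (p->fname) {
		char *fname = kstrdup(p->fname, GFP_KERNEL);

		if (fname == NULL) {
			mutex_unlock(&priv->lock);
			return -ENOMEM;
		}
		/* Swap only after the copy exists, so a failure keeps the old name. */
		kfree(priv->ctrl.fname);
		priv->ctrl.fname = fname;
		free_firmware(priv);
		/* … unchanged: rest of the fname branch, minus the strcpy() … */
```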