mainline inclusion
from mainline-v6.4-rc3
commit b8c75e4a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6YKXB
CVE: CVE-2023-31084

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b8c75e4a1b325ea0a9433fa8834be97b5836b946

--------------------------------

Using a semaphore in the wait_event*() condition is no good idea.
It hits a kernel WARN_ON() at prepare_to_wait_event() like:
  do not call blocking ops when !TASK_RUNNING; state=1 set at
  prepare_to_wait_event+0x6d/0x690

For avoiding the potential deadlock, rewrite to an open-coded loop
instead.  Unlike the loop in wait_event*(), this uses wait_woken()
after the condition check, hence the task state stays consistent.

CVE-2023-31084 was assigned to this bug.

Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/

Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.deReported-by: NYu Hao <yhao016@ucr.edu>
Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084Signed-off-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NMauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: NChen Jiahao <chenjiahao16@huawei.com>
(cherry picked from commit c008597c)

A bugfix introduce a link failure in configurations without CONFIG_MODULES:

In file included from drivers/media/usb/dvb-usb/pctv452e.c:20:0:
drivers/media/usb/dvb-usb/pctv452e.c: In function 'pctv452e_frontend_attach':
drivers/media/dvb-frontends/stb0899_drv.h:151:36: error: weak declaration of 'stb0899_attach' being applied to a already existing, static definition

The problem is that the !IS_REACHABLE() declaration of stb0899_attach()
is a 'static inline' definition that clashes with the weak definition.

I further observed that the bugfix was only done for one of the five users
of stb0899_attach(), the other four still have the problem.  This reverts
the bugfix and instead addresses the problem by not dropping the reference
count when calling '->detach()', instead we call this function directly
in dvb_frontend_put() before dropping the kref on the front-end.

I first submitted this in early 2018, and after some discussion it
was apparently discarded.  While there is a long-term plan in place,
that plan is obviously not nearing completion yet, and the current
kernel is still broken unless this patch is applied.

Link: https://patchwork.kernel.org/patch/10140175/
Link: https://patchwork.linuxtv.org/patch/54831/

Cc: Max Kellermann <max.kellermann@gmail.com>
Cc: Wolfgang Rohdewald <wolfgang@rohdewald.de>
Cc: stable@vger.kernel.org
Fixes: f686c143 ("[media] stb0899: move code to "detach" callback")
Fixes: 6cdeaed3 ("media: dvb_usb_pctv452e: module refcount changes were unbalanced")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NSean Young <sean@mess.org>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

Over time, dvb_frontend_handle_ioctl() has grown to the point where
we now get a warning from the compiler about excessive stack usage:

drivers/media/dvb-core/dvb_frontend.c: In function 'dvb_frontend_handle_ioctl':
drivers/media/dvb-core/dvb_frontend.c:2692:1: error: the frame size of 1048 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

Almost all of this is used by the dtv_frontend_properties structure
in the FE_GET_PROPERTY and FE_GET_FRONTEND commands. Splitting those
into separate function reduces the stack usage of the main function
to just 136 bytes, the others are under 500 each.
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NSean Young <sean@mess.org>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details to
  obtain the license point your browser to http www gnu org copyleft
  gpl html

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 26 file(s).
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Reviewed-by: NKate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: NRichard Fontana <rfontana@redhat.com>
Reviewed-by: NAllison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190523091650.572604764@linutronix.deSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This can be a debug message. Favour dev_dbg() over dprintk() as this is
already used much more than dprintk().

dvb_frontend: dvb_frontend_get_frequency_limits: frequency interval: tuner: 45000000...860000000, frontend: 44250000...867250000

Fixes: 00ecd6bc ("media: dvb_frontend: add debug message for frequency intervals")

Cc: <stable@vger.kernel.org> # 5.0
Signed-off-by: NSean Young <sean@mess.org>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

Use codespell to fix lots of typos over frontends.

Manually verified to avoid false-positives.
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

As we did an internal change inside the subsystem to always
represent min/max frequencies in Hz, add a debug message, as this
would help to discover bugs on drivers, if any.
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

The dvb_frontend dprintk() macro already prints __func__. So,
we don't need to add it again at the printed message.
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

The strcpy() function is being deprecated upstream. Replace
it by the safer strscpy().
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Reviewed-by: NHans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

The frequency step should take into account the tuner step,
as, if tuner step is bigger than frontend step, the zigzag
algorithm won't be doing the right thing, as it will be
tuning multiple times at the same frequency.
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

Right now, satellite frontend drivers specify frequencies in kHz,
while terrestrial/cable ones specify in Hz. That's confusing
for developers.

However, the main problem is that universal frontends capable
of handling both satellite and non-satelite delivery systems
are appearing. We end by needing to hack the drivers in
order to support such hybrid frontends.

So, convert everything to specify frontend frequencies in Hz.
Tested-by: NKatsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

Right now, satellite tuner drivers specify frequencies in kHz,
while terrestrial/cable ones specify in Hz. That's confusing
for developers.

However, the main problem is that universal tuners capable
of handling both satellite and non-satelite delivery systems
are appearing. We end by needing to hack the drivers in
order to support such hybrid tuners.

So, convert everything to specify tuner frequencies in Hz.

Plese notice that a similar patch is also needed for frontends.
Tested-by: NKatsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
Acked-by: NMichael Büsch <m@bues.ch>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

This is a core media file... it shoudn't have so many coding
style issues! The last patch ended by being submitted with
an error like that, very likely due to some cut and paste
issue.

Maybe it is time to clean it up. Do it with the auto
fix logic:

 ./scripts/checkpatch.pl -f drivers/media/dvb-core/dvb_frontend.c --strict --fix-inplace

Then manually fix the errors introduced by it.
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

During destruction, a race condition in
dvb_media_controller_disable_source() can cause a kernel crash,
because the "mdev" pointer has been read successfully while another
task executes dvb_usb_media_device_unregister(), which destroys the
object.  Example for such a crash:

    general protection fault: 0000 [#1] SMP
    CPU: 1 PID: 301 Comm: vdr Not tainted 4.8.1-nuc+ #102
    [142B blob data]
    task: ffff8802301f2040 task.stack: ffff880233728000
    RIP: 0010:[<ffffffff816c296b>]  [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120
    RSP: 0018:ffff88023372bdd8  EFLAGS: 00010202
    RAX: 001fd55c000000da RBX: ffff880236bad810 RCX: 0000000000000000
    RDX: ffff880235bd81f0 RSI: 0000000000000246 RDI: ffff880235bd81e8
    RBP: ffff88023372be00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: ffff88022f009910 R12: 0000000000000000
    R13: ffff880235a21a80 R14: ffff880235bd8000 R15: ffff880235bb8a78
    FS:  0000000000000000(0000) GS:ffff88023fd00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f96edd69818 CR3: 0000000002406000 CR4: 00000000001006e0
    Stack:
     ffff88022f009900 0000000000000008 ffff880235bb8a78 ffff8802344fbb20
     ffff880236437b40 ffff88023372be48 ffffffff8117a81e ffff880235bb8a78
     ffff88022f009910 ffff8802335a7400 ffff8802301f2040 ffff88022f009900
    Call Trace:
     [<ffffffff8117a81e>] __fput+0xde/0x1d0
     [<ffffffff8117a949>] ____fput+0x9/0x10
     [<ffffffff810a9fce>] task_work_run+0x7e/0xa0
     [<ffffffff81094bab>] do_exit+0x27b/0xa50
     [<ffffffff810407e3>] ? __do_page_fault+0x1c3/0x430
     [<ffffffff81095402>] do_group_exit+0x42/0xb0
     [<ffffffff8109547f>] SyS_exit_group+0xf/0x10
     [<ffffffff8108bedb>] entry_SYSCALL_64_fastpath+0x13/0x8f
    Code: 31 c9 49 8d be e8 01 00 00 ba 01 00 00 00 be 03 00 00 00 e8 68 2d a0 ff 48 8b 83 10 03 00 00 48 8b 80 88 00 00 00 48 85 c0 74 12 <48> 8b 80 88 02 00 00 48 85 c0 74 06 49 8b 7d
    RIP  [<ffffffff816c296b>] dvb_frontend_release+0xcb/0x120

[mchehab+samsung@kernel.org: fix a Coding Style issue]
Signed-off-by: NMax Kellermann <max.kellermann@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

DTV_ISDBT_LAYER_ENABLED parameter should be set to "All" by default,
instead of "None", as described in the API document.
Signed-off-by: NAkihiro Tsukada <tskd08@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>

As warned by smatch:
	drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
	  Locked on:   line 288
	               line 295
	               line 306
	               line 314
	  Unlocked on: line 303

The lock implementation for get event is wrong, as, if an
interrupt occurs, down_interruptible() will fail, and the
routine will call up() twice when userspace calls the ioctl
again.

The bad code is there since when Linux migrated to git, in
2005.

Cc: stable@vger.kernel.org
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

FE_GET_PROPERTY has always failed as following situations:
  - Use compatible ioctl
  - The array of 'struct dtv_property' has 2 or more items

This patch fixes wrong cast to a pointer 'struct dtv_property' from a
pointer of 2nd or after item of 'struct compat_dtv_property' array.
Signed-off-by: NKatsuhiro Suzuki <suzuki.katsuhiro@socionext.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Solves those warnings:
	drivers/media/dvb-core/dvb_frontend.c:2297:39: warning: incorrect type in argument 1 (different address spaces)
	drivers/media/dvb-core/dvb_frontend.c:2297:39:    expected void const [noderef] <asn:1>*<noident>
	drivers/media/dvb-core/dvb_frontend.c:2297:39:    got struct dtv_property *props
	drivers/media/dvb-core/dvb_frontend.c:2331:39: warning: incorrect type in argument 1 (different address spaces)
	drivers/media/dvb-core/dvb_frontend.c:2331:39:    expected void const [noderef] <asn:1>*<noident>
	drivers/media/dvb-core/dvb_frontend.c:2331:39:    got struct dtv_property *props

No functional changes.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.
Scripted-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Except for DVB, all media kAPI headers are at include/media.

Move the headers to it.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

This commit adds a new property DTV_SCRAMBLING_SEQUENCE_INDEX.

This 18 bit field, when present, carries the index of the DVB-S2 physical
layer scrambling sequence as defined in clause 5.5.4 of EN 302 307.
There is no explicit signalling method to convey scrambling sequence index
to the receiver. If S2 satellite delivery system descriptor is available
it can be used to read the scrambling sequence index (EN 300 468 table 41).

By default, gold scrambling sequence index 0 is used. The valid scrambling
sequence index range is from 0 to 262142.

Increase the DVB API version in order userspace to be aware of the changes.
Signed-off-by: NAthanasios Oikonomou <athoik@gmail.com>
Acked-by: NRalph Metzler <rjkm@metzlerbros.de>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

The dtv_properties structure and the dtv_property structure are
different sizes in 32-bit and 64-bit system. This patch provides
FE_SET_PROPERTY and FE_GET_PROPERTY ioctl commands implementation for
32-bit user space applications.
Signed-off-by: NJaedon Shin <jaedon.shin@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Adds compat_ioctl for 32-bit user space applications on a 64-bit system.

[m.chehab@osg.samsung.com: add missing include compat.h]
Signed-off-by: NJaedon Shin <jaedon.shin@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Adds unlocked ioctl function directly in dvb_frontend.c instead of using
dvb_generic_ioctl().
Signed-off-by: NJaedon Shin <jaedon.shin@gmail.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

drivers/media/dvb-core/dvb_frontend.c:154:2-7: WARNING: NULL check before freeing functions like kfree, debugfs_remove, debugfs_remove_recursive or usb_free_urb is not needed. Maybe consider reorganizing relevant code to avoid passing NULL values.

 NULL check before some freeing functions is not needed.

 Based on checkpatch warning
 "kfree(NULL) is safe this check is probably not required"
 and kfreeaddr.cocci by Julia Lawall.

Generated by: scripts/coccinelle/free/ifnullfree.cocci

Fixes: b1cb7372 ("dvb_frontend: don't use-after-free the frontend struct")
Signed-off-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

The correct error code when a function is not defined is
-ENOTSUPP. It was typoed wrong as -EOPNOTSUPP, with,
unfortunately, exists, but it is not used by the DVB core.

Thanks-to: Geert Uytterhoeven <geert@linux-m68k.org>
Thanks-to: Arnd Bergmann <arnd@arndb.de>

To make me revisit this code.

Fixes: a9cb97c3 ("media: dvb_frontend: be sure to init dvb_frontend_handle_ioctl() return code")
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

As smatch warned:
	drivers/media/dvb-core/dvb_frontend.c:2468 dvb_frontend_handle_ioctl() error: uninitialized symbol 'err'.

The ioctl handler actually got a regression here: before changeset
d73dcf0c ("media: dvb_frontend: cleanup ioctl handling logic"),
the code used to return -EOPNOTSUPP if an ioctl handler was not
implemented on a driver. After the change, it may return a random
value.

Fixes: d73dcf0c ("media: dvb_frontend: cleanup ioctl handling logic")

Cc: stable@vger.kernel.org
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
Tested-by: NDaniel Scheller <d.scheller@gmx.net>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

There were some troubles there:
	drivers/media/dvb-core/dvb_frontend.c:379: warning: No description found for parameter 'fe'
	drivers/media/dvb-core/dvb_frontend.c:379: warning: No description found for parameter 'check_wrapped'
	drivers/media/dvb-core/dvb_frontend.c:1265: warning: No description found for parameter 'p_out'
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

dvb_frontend_invoke_release() may free the frontend struct.
So, the free logic can't update it anymore after calling it.

That's OK, as __dvb_frontend_free() is called only when the
krefs are zeroed, so nobody is using it anymore.

That should fix the following KASAN error:

The KASAN report looks like this (running on kernel 3e0cc09a (4.14-rc5+)):
==================================================================
BUG: KASAN: use-after-free in __dvb_frontend_free+0x113/0x120
Write of size 8 at addr ffff880067d45a00 by task kworker/0:1/24

CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc5-43687-g06ab8a23e0e6 #545
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x23d/0x350 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
 __dvb_frontend_free+0x113/0x120 drivers/media/dvb-core/dvb_frontend.c:156
 dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
 dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
 dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
 dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
 dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
 dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
 kmalloc ./include/linux/slab.h:493
 kzalloc ./include/linux/slab.h:666
 dtt200u_fe_attach+0x4c/0x110 drivers/media/usb/dvb-usb/dtt200u-fe.c:212
 dtt200u_frontend_attach+0x35/0x80 drivers/media/usb/dvb-usb/dtt200u.c:136
 dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162
 dvb_usb_device_init+0xf73/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277
 dtt200u_usb_probe+0xa1/0xe0 drivers/media/usb/dvb-usb/dtt200u.c:155
 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
 __device_attach+0x26b/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
 device_add+0xd0b/0x1660 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Freed by task 24:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0xf6/0x2f0 mm/slub.c:3919
 dtt200u_fe_release+0x3c/0x50 drivers/media/usb/dvb-usb/dtt200u-fe.c:202
 dvb_frontend_invoke_release.part.13+0x1c/0x30 drivers/media/dvb-core/dvb_frontend.c:2790
 dvb_frontend_invoke_release drivers/media/dvb-core/dvb_frontend.c:2789
 __dvb_frontend_free+0xad/0x120 drivers/media/dvb-core/dvb_frontend.c:153
 dvb_frontend_put+0x59/0x70 drivers/media/dvb-core/dvb_frontend.c:176
 dvb_frontend_detach+0x120/0x150 drivers/media/dvb-core/dvb_frontend.c:2803
 dvb_usb_adapter_frontend_exit+0xd6/0x160 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:340
 dvb_usb_adapter_exit drivers/media/usb/dvb-usb/dvb-usb-init.c:116
 dvb_usb_exit+0x9b/0x200 drivers/media/usb/dvb-usb/dvb-usb-init.c:132
 dvb_usb_device_exit+0xa5/0xf0 drivers/media/usb/dvb-usb/dvb-usb-init.c:295
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f1/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc73/0x1d90 kernel/workqueue.c:2119
 worker_thread+0x221/0x1850 kernel/workqueue.c:2253
 kthread+0x363/0x440 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

The buggy address belongs to the object at ffff880067d45500
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1280 bytes inside of
 2048-byte region [ffff880067d45500, ffff880067d45d00)
The buggy address belongs to the page:
page:ffffea00019f5000 count:1 mapcount:0 mapping:          (null)
index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 0000000000000000 0000000000000000 00000001000f000f
raw: dead000000000100 dead000000000200 ffff88006c002d80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880067d45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff880067d45a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880067d45b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: ead66600 ("media: dvb_frontend: only use kref after initialized")
Reported-by: NAndrey Konovalov <andreyknvl@google.com>
Suggested-by: NMatthias Schwarzott <zzam@gentoo.org>
Tested-by: NAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Follow-up to: ead66600 ("media: dvb_frontend: only use kref after initialized")

The aforementioned commit fixed refcount OOPSes when demod driver attaching
succeeded but tuner driver didn't. However, the use count of the attached
demod drivers don't go back to zero and thus couldn't be cleanly unloaded.
Improve on this by calling dvb_frontend_invoke_release() in
__dvb_frontend_free() regardless of fepriv being NULL, instead of returning
when fepriv is NULL. This is safe to do since _invoke_release() will check
for passed pointers being valid before calling the .release() function.

[mchehab@s-opensource.com: changed the logic a little bit to reduce
 conflicts with another bug fix patch under review]
Fixes: ead66600 ("media: dvb_frontend: only use kref after initialized")
Signed-off-by: NDaniel Scheller <d.scheller@gmx.net>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Fix a bunch of coding style issues found by checkpatch on the
part of the code that the previous patches touched.

WARNING: please, no space before tabs
+ * ^I^Icallback.$

ERROR: space required before the open parenthesis '('
+	switch(cmd) {

WARNING: line over 80 characters
+			err = dtv_property_process_get(fe, &getp, tvp + i, file);

WARNING: line over 80 characters
+			err = fe->ops.diseqc_recv_slave_reply(fe, (struct dvb_diseqc_slave_reply*) parg);

ERROR: "(foo*)" should be "(foo *)"
+			err = fe->ops.diseqc_recv_slave_reply(fe, (struct dvb_diseqc_slave_reply*) parg);

WARNING: line over 80 characters
+				err = fe->ops.read_signal_strength(fe, (__u16 *) parg);
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Simplify the get property handling and move it to the existing
code at dtv_property_process_get() directly.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Since all properties in the func dtv_property_process_set() use
at most 4 bytes arguments, change the code to pass
u32 cmd and u32 data as function arguments, instead of passing a
pointer to the entire struct dtv_property *tvp.

Instead of having a generic dtv_property_dump(), added its own
properties debug logic in the dtv_property_process_set().
Signed-off-by: NSatendra Singh Thakur <satendra.t@samsung.com>
Reviewed-by: NShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

There are several problems with regards to the return of
FE_SET_PROPERTY. The original idea were to return per-property
return codes via tvp->result field, and to return an updated
set of values.

However, that never worked. What's actually implemented is:

- the FE_SET_PROPERTY implementation doesn't call .get_frontend
  callback in order to get the actual parameters after return;

- the tvp->result field is only filled if there's no error.
  So, it is always filled with zero;

- FE_SET_PROPERTY doesn't call memdup_user() nor any other
  copy_to_user() function. So, any changes to the properties
  will be lost;

- FE_SET_PROPERTY is declared as a write-only ioctl (IOW).

While we could fix the above, it could cause regressions.

So, let's just assume what the code really does, updating
the documentation accordingly and removing the logic that
would update the discarded tvp->result.
Reviewed-by: NShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Two readonly ioctls can't be allowed if the frontend device
is opened in read only mode. Explain why.

Reviewed by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

In the past, I guess the idea was to use state in order to
allow an autofush logic. However, in the current code, it is
used only for debug messages, on a poor man's solution, as
there's already a debug message to indicate when the properties
got flushed.

So, just get rid of it for good.
Reviewed-by: NShuah Khan <shuahkg@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Currently, there are two handlers for ioctls:
 - dvb_frontend_ioctl_properties()
 - dvb_frontend_ioctl_legacy()

Despite their names, both handles non-legacy DVB ioctls.

Besides that, there's no reason why to not handle all ioctls
on a single handler function.

So, merge them into a single function (dvb_frontend_handle_ioctl)
and reorganize the ioctl's to indicate what's the current DVB
API and what's deprecated.

Despite the big diff, the handling logic for each ioctl is the
same as before.
Reviewed-by: NShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Use a switch() on this function, just like on other ioctl
handlers and handle parameters inside each part of the
switch.

That makes it easier to integrate with the already existing
ioctl handler function.
Reviewed-by: NShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>

Now that all clients of set_property() were removed, get rid
of this callback.
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>