[PATCH 4.9 022/157] media: dib0700: fix undefined behavior in tuner shutdown

From: Greg Kroah-Hartman
Date: Mon Jan 24 2022 - 14:01:16 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.9 005/157] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 026/157] can: softing_cs: softingcs_probe(): fix memleak on registration failure"
In reply to: Greg Kroah-Hartman: "[PATCH 4.9 026/157] can: softing_cs: softingcs_probe(): fix memleak on registration failure"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.9 005/157] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Kuron <michael.kuron@xxxxxxxxx>

commit f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 upstream.

This fixes a problem where closing the tuner would leave it in a state
where it would not tune to any channel when reopened. This problem was
discovered as part of https://github.com/hselasky/webcamd/issues/16.

Since adap->id is 0 or 1, this bit-shift overflows, which is undefined
behavior. The driver still worked in practice as the overflow would in
most environments result in 0, which rendered the line a no-op. When
running the driver as part of webcamd however, the overflow could lead
to 0xff due to optimizations by the compiler, which would, in the end,
improperly shut down the tuner.

The bug is a regression introduced in the commit referenced below. The
present patch causes identical behavior to before that commit for
adap->id equal to 0 or 1. The driver does not contain support for
dib0700 devices with more adapters, assuming such even exist.

Tests have been performed with the Xbox One Digital TV Tuner on amd64.
Not all dib0700 devices are expected to be affected by the regression;
this code path is only taken by those with incorrect endpoint numbers.

Link: https://lore.kernel.org/linux-media/1d2fc36d94ced6f67c7cc21dcc469d5e5bdd8201.1632689033.git.mchehab+huawei@xxxxxxxxxx

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 7757ddda6f4f ("[media] DiB0700: add function to change I2C-speed")
Signed-off-by: Michael Kuron <michael.kuron@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/media/usb/dvb-usb/dib0700_core.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -610,8 +610,6 @@ int dib0700_streaming_ctrl(struct dvb_us
deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint);
if (onoff)
st->channel_state |= 1 << (adap->id);
- else
- st->channel_state |= 1 << ~(adap->id);
} else {
if (onoff)
st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2);

Next message: Greg Kroah-Hartman: "[PATCH 4.9 005/157] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data"
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 026/157] can: softing_cs: softingcs_probe(): fix memleak on registration failure"
In reply to: Greg Kroah-Hartman: "[PATCH 4.9 026/157] can: softing_cs: softingcs_probe(): fix memleak on registration failure"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.9 005/157] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]