From 973e9f133a6bbf1fdfe9110e529d15995867137a Mon Sep 17 00:00:00 2001
From: Harunobu Kurokawa <harunobu.kurokawa.dn@renesas.com>
Date: Tue, 24 Jan 2017 16:38:38 +0900
Subject: rcar-gen2: linux-renesas: backport r820t tuner driver to fix SPEC-418

Fix an issue where the radio app using the r820t tuner driver sometimes crashes.

Bug-AGL: SPEC-418

Change-Id: I1529ecba91c3988eea6b271d5f8ce6d2d8f1bb11
Signed-off-by: Harunobu Kurokawa <harunobu.kurokawa.dn@renesas.com>
---
 .../recipes-kernel/linux/linux-renesas_%.bbappend  |  3 ++
 ...-do-not-double-free-fe-tuner_priv-in-r820.patch | 30 +++++++++++++
 ...-remove-redundant-initializations-in-r820.patch | 52 ++++++++++++++++++++++
 ...-avoid-potential-memcpy-buffer-overflow-i.patch | 33 ++++++++++++++
 4 files changed, 118 insertions(+)
 create mode 100644 meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch
 create mode 100644 meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0002-media-r820t-remove-redundant-initializations-in-r820.patch
 create mode 100644 meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch

diff --git a/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux-renesas_%.bbappend b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux-renesas_%.bbappend
index f585283b4..7da3e5c8a 100755
--- a/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux-renesas_%.bbappend
+++ b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux-renesas_%.bbappend
@@ -8,6 +8,9 @@ SRC_URI += " file://disable_delay_printk.patch \
              file://rtl_sdr.cfg \
              file://usbaudio.cfg \
              file://ra2x00.cfg \
+             file://0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch \
+             file://0002-media-r820t-remove-redundant-initializations-in-r820.patch \
+             file://0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch \
             "
 
 KERNEL_CONFIG_FRAGMENTS_append = " ${WORKDIR}/ath9k_htc.cfg ${WORKDIR}/rtl_sdr.cfg"
diff --git a/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch
new file mode 100644
index 000000000..61542556d
--- /dev/null
+++ b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0001-media-r820t-do-not-double-free-fe-tuner_priv-in-r820.patch
@@ -0,0 +1,30 @@
+From 4aab0398e003ac2effae98ba66a012ed715967ba Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:26:15 -0300
+Subject: [PATCH 1/3] [media] r820t: do not double-free fe->tuner_priv in
+ r820t_release()
+
+fe->tuner_priv is already freed by hybrid_tuner_release_state().
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 4835021..64f9738 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -2256,7 +2256,6 @@ static int r820t_release(struct dvb_frontend *fe)
+ 
+ 	mutex_unlock(&r820t_list_mutex);
+ 
+-	kfree(fe->tuner_priv);
+ 	fe->tuner_priv = NULL;
+ 
+ 	return 0;
+-- 
+2.9.2
+
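Review bot: The header of this added patch file has no `Upstream-Status:` line, and the same holds for 0002 and 0003 further down. The only provenance is the `From <hash>` line, which may not be the mainline commit id. Since this backport removes a double free in the kernel, anyone auditing the BSP needs to match it to its upstream commit, so I would add `Upstream-Status: Backport [<upstream commit id>]` to the header of each of the three files. The fix depends on hybrid_tuner_release_state() freeing the private data, as the message says. That call and the start of r820t_release() lie outside the hunk, so it is worth confirming the target kernel tree reaches it on this path.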
diff --git a/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0002-media-r820t-remove-redundant-initializations-in-r820.patch b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0002-media-r820t-remove-redundant-initializations-in-r820.patch
new file mode 100644
index 000000000..596dd6bee
--- /dev/null
+++ b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0002-media-r820t-remove-redundant-initializations-in-r820.patch
@@ -0,0 +1,52 @@
+From e2e324d70defce7ffc4668085dc3c8ae580074e5 Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:30:09 -0300
+Subject: [PATCH 2/3] [media] r820t: remove redundant initializations in
+ r820t_attach()
+
+fe->tuner_priv and fe->ops.tuner_ops are initialized twice in r820t_attach().
+Remove the redundant initializations and also move fe->ops.tuner_ops
+initialization outside of the mutex lock (as in the xc4000 tuner code for example).
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 64f9738..63062a9 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -2310,8 +2310,6 @@ struct dvb_frontend *r820t_attach(struct dvb_frontend *fe,
+ 		break;
+ 	}
+ 
+-	memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops, sizeof(r820t_tuner_ops));
+-
+ 	if (fe->ops.i2c_gate_ctrl)
+ 		fe->ops.i2c_gate_ctrl(fe, 1);
+ 
+@@ -2326,15 +2324,14 @@ struct dvb_frontend *r820t_attach(struct dvb_frontend *fe,
+ 
+ 	tuner_info("Rafael Micro r820t successfully identified\n");
+ 
+-	fe->tuner_priv = priv;
+-	memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops,
+-			sizeof(struct dvb_tuner_ops));
+-
+ 	if (fe->ops.i2c_gate_ctrl)
+ 		fe->ops.i2c_gate_ctrl(fe, 0);
+ 
+ 	mutex_unlock(&r820t_list_mutex);
+ 
++	memcpy(&fe->ops.tuner_ops, &r820t_tuner_ops,
++			sizeof(struct dvb_tuner_ops));
++
+ 	return fe;
+ err:
+ 	if (fe->ops.i2c_gate_ctrl)
+-- 
+2.9.2
+
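Review bot: The second inner hunk deletes `fe->tuner_priv = priv;` as redundant, but the earlier assignment it relies on is not in the visible context, and r820t_attach() starts and ends outside the hunk. If the Renesas kernel source differs from the tree this patch was cut from, tuner_priv could be left unset after a successful attach, and later tuner callbacks would then work on a NULL or stale pointer. Please confirm the earlier assignment exists in the target source before merging. As a smaller point, the surviving copy could size itself from the destination, `sizeof(fe->ops.tuner_ops)`, so the length cannot drift from the field it writes.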
diff --git a/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch
new file mode 100644
index 000000000..fac5c2171
--- /dev/null
+++ b/meta-agl-bsp/meta-renesas/recipes-kernel/linux/linux/0003-media-r820t-avoid-potential-memcpy-buffer-overflow-i.patch
@@ -0,0 +1,33 @@
+From 757d7ace565c06e1302ba7c9244d839455e13881 Mon Sep 17 00:00:00 2001
+From: Gianluca Gennari <gennarone@gmail.com>
+Date: Sun, 2 Jun 2013 14:31:19 -0300
+Subject: [PATCH 3/3] [media] r820t: avoid potential memcpy buffer overflow in
+ shadow_store()
+
+The memcpy in shadow_store() could exceed buffer limits when r > 0.
+
+Signed-off-by: Gianluca Gennari <gennarone@gmail.com>
+Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+---
+ drivers/media/tuners/r820t.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/tuners/r820t.c b/drivers/media/tuners/r820t.c
+index 63062a9..0a5f96b 100644
+--- a/drivers/media/tuners/r820t.c
++++ b/drivers/media/tuners/r820t.c
+@@ -364,8 +364,8 @@ static void shadow_store(struct r820t_priv *priv, u8 reg, const u8 *val,
+ 	}
+ 	if (len <= 0)
+ 		return;
+-	if (len > NUM_REGS)
+-		len = NUM_REGS;
++	if (len > NUM_REGS - r)
++		len = NUM_REGS - r;
+ 
+ 	tuner_dbg("%s: prev  reg=%02x len=%d: %*ph\n",
+ 		  __func__, r + REG_SHADOW_START, len, len, val);
+-- 
+2.9.2
+
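Review bot: The new clamp `len = NUM_REGS - r;` runs after the `if (len <= 0) return;` guard, so a zero or negative result is never rechecked before the memcpy named in the commit message. How `r` is derived is outside the hunk, but it appears to come from the `u8 reg` argument. If it can reach or exceed NUM_REGS, the clamped length would convert to a very large size in the copy. I would reject that case explicitly before the clamp, `if (r >= NUM_REGS) return;`, or move the `len <= 0` test below the clamp. shadow_store() begins and ends outside the hunk, so the callers' register ranges should be checked against this.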
-- 
cgit