* [PATCH stable v4.15 0/3] lirc_zilog bugs
From: Sean Young @ 2018-04-15  9:54 UTC (permalink / raw)
  To: linux-media, Warren Sturm, Mauro Carvalho Chehab; +Cc: Andy Walls

This driver has a few problems; however, the driver has been removed from
staging in v4.16 (replaced by a new driver). Please can these patches
be included in the 4.15.* stable tree?

Thanks

Sean Young (3):
  media: staging: lirc_zilog: broken reference counting
  Revert "media: lirc_zilog: driver only sends LIRCCODE"
  media: staging: lirc_zilog: incorrect reference counting

 drivers/staging/media/lirc/lirc_zilog.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

-- 
2.14.3


* [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Sean Young @ 2018-04-15  9:54 UTC (permalink / raw)
  To: linux-media, Warren Sturm, Mauro Carvalho Chehab
  Cc: Andy Walls, stable, #, v4.15

commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
 ? __schedule+0x247/0x880
 ? get_ir_tx+0x40/0x40 [lirc_zilog]
 kthread+0x113/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ? do_syscall_64+0x74/0x180
 ? SyS_exit_group+0x10/0x10
 ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
 
 	lirc_init_pdata(node, filep);
 	ir = lirc_get_pdata(filep);
+	get_ir_device(ir, false);
 
 	atomic_inc(&ir->open_count);
 
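Review bot: The new get_ir_device(ir, false) line in open() shows only the get half of the pair, and it runs straight after ir = lirc_get_pdata(filep) with nothing checked in between. Since the bug being fixed is a get/put imbalance, a one-line comment here naming the put it balances (the one on the close path that the changelog refers to) would make the pairing auditable. Please also confirm that any error return later in open() drops this reference again, because the hunk does not show the rest of the function.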
-- 
2.14.3


* [PATCH stable v4.15 2/3] Revert "media: lirc_zilog: driver only sends LIRCCODE"
From: Sean Young @ 2018-04-15  9:54 UTC (permalink / raw)
  To: linux-media, Warren Sturm, Mauro Carvalho Chehab
  Cc: Andy Walls, stable, #, v4.14-v4.15

The lirc config documented here
https://www.blushingpenguin.com/mark/blog/?p=24 uses raw_codes for sending
IR. Each key only has one pulse, which in fact is an index into the
haup-ir-blaster.bin file. Changing the driver to LIRCCODE (although more
accurate) breaks this configuration.

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

This reverts commit 89d8a2cc51d1f29ea24a0b44dde13253141190a0.

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.14-v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index bf6869e48a0f..e8d6c1abc6d8 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -287,7 +287,7 @@ static void release_ir_tx(struct kref *ref)
 	struct IR_tx *tx = container_of(ref, struct IR_tx, ref);
 	struct IR *ir = tx->ir;
 
-	ir->l->features &= ~LIRC_CAN_SEND_LIRCCODE;
+	ir->l->features &= ~LIRC_CAN_SEND_PULSE;
 	/* Don't put_ir_device(tx->ir) here, so our lock doesn't get freed */
 	ir->tx = NULL;
 	kfree(tx);
@@ -1266,14 +1266,14 @@ static long ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 		if (!(features & LIRC_CAN_SEND_MASK))
 			return -ENOTTY;
 
-		result = put_user(LIRC_MODE_LIRCCODE, uptr);
+		result = put_user(LIRC_MODE_PULSE, uptr);
 		break;
 	case LIRC_SET_SEND_MODE:
 		if (!(features & LIRC_CAN_SEND_MASK))
 			return -ENOTTY;
 
 		result = get_user(mode, uptr);
-		if (!result && mode != LIRC_MODE_LIRCCODE)
+		if (!result && mode != LIRC_MODE_PULSE)
 			return -EINVAL;
 		break;
 	default:
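Review bot: The mode advertised at "result = put_user(LIRC_MODE_PULSE, uptr);" does not describe what the driver consumes: per the changelog, each "pulse" written by the documented config is an index into haup-ir-blaster.bin, not a duration. Please add a comment at the LIRC_GET_SEND_MODE and LIRC_SET_SEND_MODE cases stating that LIRC_MODE_PULSE is kept for compatibility with existing lirc configurations, so the "mode != LIRC_MODE_PULSE" check is not "corrected" to LIRCCODE again in the stable series.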
@@ -1482,7 +1482,7 @@ static int ir_probe(struct i2c_client *client, const struct i2c_device_id *id)
 		kref_init(&tx->ref);
 		ir->tx = tx;
 
-		ir->l->features |= LIRC_CAN_SEND_LIRCCODE;
+		ir->l->features |= LIRC_CAN_SEND_PULSE;
 		mutex_init(&tx->client_lock);
 		tx->c = client;
 		tx->need_boot = 1;
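Review bot: The Fixes: tag does not match what this change undoes. The substitution at "ir->l->features |= LIRC_CAN_SEND_PULSE;" in ir_probe(), like the ones in release_ir_tx() and ioctl(), restores the state before 89d8a2cc51d1, which the changelog names as the reverted commit, while Fixes: points at 615cd3fe6ccc, the lirc_dev private_data commit cited by patch 1/3. If the tag was carried over from 1/3, it should name the reverted commit instead, and the Cc: stable range (v4.14-v4.15) should be checked against it.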
-- 
2.14.3


* [PATCH stable v4.15 3/3] media: staging: lirc_zilog: incorrect reference counting
From: Sean Young @ 2018-04-15  9:54 UTC (permalink / raw)
  To: linux-media, Warren Sturm, Mauro Carvalho Chehab; +Cc: Andy Walls, stable, #

Whenever poll is called, the reference count is increased but never
decreased. This means that on rmmod, the lirc_thread is not stopped,
and will trample over freed memory.

Zilog/Hauppauge IR driver unloaded
BUG: unable to handle kernel paging request at ffffffffc17ba640
Oops: 0010 [#1] SMP
CPU: 1 PID: 667 Comm: zilog-rx-i2c-1 Tainted: P         C OE   4.13.16-302.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
task: ffff964eb452ca00 task.stack: ffffb254414dc000
RIP: 0010:0xffffffffc17ba640
RSP: 0018:ffffb254414dfe78 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff964ec1b35890 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffffb254414dff00 R08: 000000000000036e R09: ffff964ecfc8dfd0
R10: ffffb254414dfe78 R11: 00000000000f4240 R12: ffff964ec2bf28a0
R13: ffff964ec1b358a8 R14: ffff964ec1b358d0 R15: ffff964ec1b35800
FS:  0000000000000000(0000) GS:ffff964ecfc80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffc17ba640 CR3: 000000023058c000 CR4: 00000000000006e0
Call Trace:
 kthread+0x125/0x140
 ? kthread_park+0x60/0x60
 ? do_syscall_64+0x67/0x140
 ret_from_fork+0x25/0x30
Code:  Bad RIP value.
RIP: 0xffffffffc17ba640 RSP: ffffb254414dfe78
CR2: ffffffffc17ba640

Note that zilog-rx-i2c-1 should have exited by now, but hasn't due to
the missing put in poll().

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Cc: stable@vger.kernel.org # v4.15- (all up to and including v4.15)
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index e8d6c1abc6d8..022720210f70 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1227,6 +1227,7 @@ static unsigned int poll(struct file *filep, poll_table *wait)
 
 	dev_dbg(ir->dev, "%s result = %s\n", __func__,
 		ret ? "POLLIN|POLLRDNORM" : "none");
+	put_ir_rx(rx, false);
 	return ret;
 }
 
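Review bot: put_ir_rx(rx, false) is added only on the final return path of poll(), after the dev_dbg() call, and the hunk does not show the earlier part of the function. Please confirm that no return between the point where the rx reference is taken and this line skips the put, or restructure poll() around a single exit label. The changelog also carries no Fixes: tag, unlike 1/3 and 2/3; naming the commit that introduced the unbalanced get would let the range in the Cc: line ("all up to and including v4.15") be verified.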
-- 
2.14.3
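
The two reference-count imbalances described in patches 1/3 and 3/3, reduced to a user-space model (an added example, not code from the driver or from this thread). The `model_dev` structure, its helpers, and the assumption that the release callback is what stops the receive thread are hypothetical simplifications.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a kref-counted driver object; these are not
 * the driver's own structures. */
struct model_dev {
	int refs;            /* current reference count */
	bool thread_running; /* receive thread; assumed to stop on release */
	int late_puts;       /* puts arriving after release (freed memory in a real kernel) */
};

static void dev_init(struct model_dev *d)
{
	d->refs = 1;             /* reference owned by probe */
	d->thread_running = true;
	d->late_puts = 0;
}

static void dev_get(struct model_dev *d)
{
	d->refs++;
}

static void dev_put(struct model_dev *d)
{
	if (d->refs == 0) {      /* object was already released */
		d->late_puts++;
		return;
	}
	if (--d->refs == 0)
		d->thread_running = false;   /* release callback runs here */
}

/* Patch 1/3: close() always puts; open() may or may not get.
 * Returns the count left after one open/close pair while the device is
 * still bound. 1 is correct (probe's reference), 0 means it was released. */
int refs_after_open_close(bool open_takes_ref)
{
	struct model_dev d;

	dev_init(&d);
	if (open_takes_ref)
		dev_get(&d);     /* the get that 1/3 adds to open() */
	dev_put(&d);             /* close() */
	return d.refs;
}

/* Same sequence followed by driver removal. Returns how many puts hit an
 * object that had already been released. */
int late_puts_after_remove(bool open_takes_ref)
{
	struct model_dev d;

	dev_init(&d);
	if (open_takes_ref)
		dev_get(&d);
	dev_put(&d);             /* close() */
	dev_put(&d);             /* remove() drops probe's reference */
	return d.late_puts;
}

/* Patch 3/3: every poll() takes a reference; the put is what 3/3 adds.
 * Returns true if the receive thread is still running after removal,
 * i.e. the release callback never ran. */
bool thread_survives_remove(int polls, bool poll_puts)
{
	struct model_dev d;
	int i;

	dev_init(&d);
	for (i = 0; i < polls; i++) {
		dev_get(&d);             /* poll() looks up the receiver */
		if (poll_puts)
			dev_put(&d);     /* the put that 3/3 adds */
	}
	dev_put(&d);                     /* remove() drops probe's reference */
	return d.thread_running;
}

int main(void)
{
	printf("open without get: refs after close = %d, late puts = %d\n",
	       refs_after_open_close(false), late_puts_after_remove(false));
	printf("open with get:    refs after close = %d, late puts = %d\n",
	       refs_after_open_close(true), late_puts_after_remove(true));
	printf("poll without put: thread survives remove = %d\n",
	       thread_survives_remove(3, false));
	printf("poll with put:    thread survives remove = %d\n",
	       thread_survives_remove(3, true));
	return 0;
}
```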


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Greg KH @ 2018-04-16  7:52 UTC (permalink / raw)
  To: Sean Young
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls,
	stable, #,
	v4.15

On Sun, Apr 15, 2018 at 10:54:20AM +0100, Sean Young wrote:
> commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
> file->private_data") removed the reference get from open, so on the first
> close the reference count hits zero and the lirc device is freed.
> 
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
> IP: lirc_thread+0x94/0x520 [lirc_zilog]
> PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
> Oops: 0000 [#1] SMP NOPTI
> CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
> Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
> RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
> RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
> RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
> R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
> FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
> Call Trace:
>  ? __schedule+0x247/0x880
>  ? get_ir_tx+0x40/0x40 [lirc_zilog]
>  kthread+0x113/0x130
>  ? kthread_create_worker_on_cpu+0x70/0x70
>  ? do_syscall_64+0x74/0x180
>  ? SyS_exit_group+0x10/0x10
>  ret_from_fork+0x22/0x40
> Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
> RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
> CR2: 0000000000000040
> This code has been replaced completely in kernel v4.16 by a new driver,
> see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
> commit f95367a7b758 ("media: staging: remove lirc_zilog driver").
> 
> Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")
> 
> Cc: stable@vger.kernel.org # v4.15
> Reported-by: Warren Sturm <warren.sturm@gmail.com>
> Tested-by: Warren Sturm <warren.sturm@gmail.com>
> Signed-off-by: Sean Young <sean@mess.org>
> ---
>  drivers/staging/media/lirc/lirc_zilog.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
> index 6bd0717bf76e..bf6869e48a0f 100644
> --- a/drivers/staging/media/lirc/lirc_zilog.c
> +++ b/drivers/staging/media/lirc/lirc_zilog.c
> @@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
>  
>  	lirc_init_pdata(node, filep);
>  	ir = lirc_get_pdata(filep);
> +	get_ir_device(ir, false);
>  
>  	atomic_inc(&ir->open_count);
>  
> -- 
> 2.14.3

What is the git commit id of this patch, and the other patches in this
series and the 4.14 patch series that you sent out?

Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this in a way that I can pick them up.

thanks,

greg k-h


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Sean Young @ 2018-04-16  8:43 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls, stable

On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:
> On Sun, Apr 15, 2018 at 10:54:20AM +0100, Sean Young wrote:
> > commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
> > file->private_data") removed the reference get from open, so on the first
> > close the reference count hits zero and the lirc device is freed.
> > 
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
> > IP: lirc_thread+0x94/0x520 [lirc_zilog]
> > PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
> > Oops: 0000 [#1] SMP NOPTI
> > CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
> > Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
> > RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
> > RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
> > RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
> > R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
> > FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
> > Call Trace:
> >  ? __schedule+0x247/0x880
> >  ? get_ir_tx+0x40/0x40 [lirc_zilog]
> >  kthread+0x113/0x130
> >  ? kthread_create_worker_on_cpu+0x70/0x70
> >  ? do_syscall_64+0x74/0x180
> >  ? SyS_exit_group+0x10/0x10
> >  ret_from_fork+0x22/0x40
> > Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
> > RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
> > CR2: 0000000000000040
> > This code has been replaced completely in kernel v4.16 by a new driver,
> > see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
> > commit f95367a7b758 ("media: staging: remove lirc_zilog driver").
> > 
> > Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")
> > 
> > Cc: stable@vger.kernel.org # v4.15
> > Reported-by: Warren Sturm <warren.sturm@gmail.com>
> > Tested-by: Warren Sturm <warren.sturm@gmail.com>
> > Signed-off-by: Sean Young <sean@mess.org>
> > ---
> >  drivers/staging/media/lirc/lirc_zilog.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
> > index 6bd0717bf76e..bf6869e48a0f 100644
> > --- a/drivers/staging/media/lirc/lirc_zilog.c
> > +++ b/drivers/staging/media/lirc/lirc_zilog.c
> > @@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
> >  
> >  	lirc_init_pdata(node, filep);
> >  	ir = lirc_get_pdata(filep);
> > +	get_ir_device(ir, false);
> >  
> >  	atomic_inc(&ir->open_count);
> >  
> > -- 
> > 2.14.3
> 
> What is the git commit id of this patch, and the other patches in this
> series and the 4.14 patch series that you sent out?

lirc_zilog was dropped in v4.16, so this can't be patched upstream.

> Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this in a way that I can pick them up.

These patches have been tested with different types of hardware. Is there
anything else I can do to get these patches included?

Thanks,

Sean


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Greg KH @ 2018-04-16  8:50 UTC (permalink / raw)
  To: Sean Young
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls, stable

On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:
> On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:
> > On Sun, Apr 15, 2018 at 10:54:20AM +0100, Sean Young wrote:
> > > commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
> > > file->private_data") removed the reference get from open, so on the first
> > > close the reference count hits zero and the lirc device is freed.
> > > 
> > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
> > > IP: lirc_thread+0x94/0x520 [lirc_zilog]
> > > PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
> > > Oops: 0000 [#1] SMP NOPTI
> > > CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
> > > Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
> > > RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
> > > RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
> > > RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
> > > RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
> > > RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
> > > R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
> > > R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
> > > FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
> > > Call Trace:
> > >  ? __schedule+0x247/0x880
> > >  ? get_ir_tx+0x40/0x40 [lirc_zilog]
> > >  kthread+0x113/0x130
> > >  ? kthread_create_worker_on_cpu+0x70/0x70
> > >  ? do_syscall_64+0x74/0x180
> > >  ? SyS_exit_group+0x10/0x10
> > >  ret_from_fork+0x22/0x40
> > > Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
> > > RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
> > > CR2: 0000000000000040
> > > This code has been replaced completely in kernel v4.16 by a new driver,
> > > see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
> > > commit f95367a7b758 ("media: staging: remove lirc_zilog driver").
> > > 
> > > Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")
> > > 
> > > Cc: stable@vger.kernel.org # v4.15
> > > Reported-by: Warren Sturm <warren.sturm@gmail.com>
> > > Tested-by: Warren Sturm <warren.sturm@gmail.com>
> > > Signed-off-by: Sean Young <sean@mess.org>
> > > ---
> > >  drivers/staging/media/lirc/lirc_zilog.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > > 
> > > diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
> > > index 6bd0717bf76e..bf6869e48a0f 100644
> > > --- a/drivers/staging/media/lirc/lirc_zilog.c
> > > +++ b/drivers/staging/media/lirc/lirc_zilog.c
> > > @@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
> > >  
> > >  	lirc_init_pdata(node, filep);
> > >  	ir = lirc_get_pdata(filep);
> > > +	get_ir_device(ir, false);
> > >  
> > >  	atomic_inc(&ir->open_count);
> > >  
> > > -- 
> > > 2.14.3
> > 
> > What is the git commit id of this patch, and the other patches in this
> > series and the 4.14 patch series that you sent out?
> 
> lirc_zilog was dropped in v4.16, so this can't be patched upstream.

Ah you are right, should we just ditch them here as well as they
obviously do not work? :)

> > Please read:
> >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > for how to do this in a way that I can pick them up.
> 
> These patches have been tested with different types of hardware. Is there
> anything else I can do to get these patches included?

When submitting patches to stable, you need to be explicit as to why
they are needed, and if they are not upstream, why not.

In this case, for obviously broken code that is not used anymore (as
it is gone in 4.16), why don't we just take the patch that removed the
driver to the stable trees as well?

thanks,

greg k-h


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Sean Young @ 2018-04-16  9:15 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls, stable

On Mon, Apr 16, 2018 at 10:50:15AM +0200, Greg KH wrote:
> On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:
> > On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:
> > > What is the git commit id of this patch, and the other patches in this
> > > series and the 4.14 patch series that you sent out?
> > 
> > lirc_zilog was dropped in v4.16, so this can't be patched upstream.
> 
> Ah you are right, should we just ditch them here as well as they
> obviously do not work? :)
> 
> > > Please read:
> > >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > > for how to do this in a way that I can pick them up.
> > 
> > These patches have been tested with different types of hardware. Is there
> > anything else I can do to get these patches included?
> 
> When submitting patches to stable, you need to be explicit as to why
> they are needed, and if they are not upstream, why not.
> 
> In this case, for obviously broken code that is not used anymore (as
> it is gone in 4.16), why don't we just take the patch that removed the
> driver to the stable trees as well?

Well in v4.16 the ir-kbd-i2c.c driver can do what the lirc_zilog does in
v4.15 (and earlier), so it wasn't ditched as such. It's a case of replaced
by mainline.

Since I was getting bug reports on it, there must be users of the lirc_zilog
driver.

That being said, the old lirc_dev and lirc_zilog is pretty awful code.


Sean


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Greg KH @ 2018-04-22  9:47 UTC (permalink / raw)
  To: Sean Young
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls, stable

On Mon, Apr 16, 2018 at 10:15:28AM +0100, Sean Young wrote:
> On Mon, Apr 16, 2018 at 10:50:15AM +0200, Greg KH wrote:
> > On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:
> > > On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:
> > > > What is the git commit id of this patch, and the other patches in this
> > > > series and the 4.14 patch series that you sent out?
> > > 
> > > lirc_zilog was dropped in v4.16, so this can't be patched upstream.
> > 
> > Ah you are right, should we just ditch them here as well as they
> > obviously do not work? :)
> > 
> > > > Please read:
> > > >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > > > for how to do this in a way that I can pick them up.
> > > 
> > > These patches have been tested with different types of hardware. Is there
> > > anything else I can do to get these patches included?
> > 
> > When submitting patches to stable, you need to be explicit as to why
> > they are needed, and if they are not upstream, why not.
> > 
> > In this case, for obviously broken code that is not used anymore (as
> > it is gone in 4.16), why don't we just take the patch that removed the
> > driver to the stable trees as well?
> 
> Well in v4.16 the ir-kbd-i2c.c driver can do what the lirc_zilog does in
> v4.15 (and earlier), so it wasn't ditched as such. It's a case of replaced
> by mainline.
> 
> Since I was getting bug reports on it, there must be users of the lirc_zilog
> driver.
> 
> That being said, the old lirc_dev and lirc_zilog is pretty awful code.

Ok, I've queued these up for 4.14.y now.  4.15 is end-of-life, so I
can't apply these patches there, sorry.

greg k-h


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Sean Young @ 2018-04-23  9:04 UTC (permalink / raw)
  To: Greg KH
  Cc: linux-media, Warren Sturm, Mauro Carvalho Chehab, Andy Walls, stable

On Sun, Apr 22, 2018 at 11:47:51AM +0200, Greg KH wrote:
> On Mon, Apr 16, 2018 at 10:15:28AM +0100, Sean Young wrote:
> > On Mon, Apr 16, 2018 at 10:50:15AM +0200, Greg KH wrote:
> > > On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:
> > > > On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:
> > > > > What is the git commit id of this patch, and the other patches in this
> > > > > series and the 4.14 patch series that you sent out?
> > > > 
> > > > lirc_zilog was dropped in v4.16, so this can't be patched upstream.
> > > 
> > > Ah you are right, should we just ditch them here as well as they
> > > obviously do not work? :)
> > > 
> > > > > Please read:
> > > > >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > > > > for how to do this in a way that I can pick them up.
> > > > 
> > > > These patches have been tested with different types of hardware. Is there
> > > > anything else I can do to get these patches included?
> > > 
> > > When submitting patches to stable, you need to be explicit as to why
> > > they are needed, and if they are not upstream, why not.
> > > 
> > > In this case, for obviously broken code that is not used anymore (as
> > > it is gone in 4.16), why don't we just take the patch that removed the
> > > driver to the stable trees as well?
> > 
> > Well in v4.16 the ir-kbd-i2c.c driver can do what the lirc_zilog does in
> > v4.15 (and earlier), so it wasn't ditched as such. It's a case of replaced
> > by mainline.
> > 
> > Since I was getting bug reports on it, there must be users of the lirc_zilog
> > driver.
> > 
> > That being said, the old lirc_dev and lirc_zilog is pretty awful code.
> 
> Ok, I've queued these up for 4.14.y now.  4.15 is end-of-life, so I
> can't apply these patches there, sorry.

Ok, thanks.

I wonder why Ubuntu picked 4.15 as the kernel for their upcoming 18.04 LTS
release.


Sean


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Mauro Carvalho Chehab @ 2018-04-23 10:34 UTC (permalink / raw)
  To: Sean Young; +Cc: Greg KH, linux-media, Warren Sturm, Andy Walls, stable

On Mon, 23 Apr 2018 10:04:20 +0100
Sean Young <sean@mess.org> wrote:

> On Sun, Apr 22, 2018 at 11:47:51AM +0200, Greg KH wrote:
> > On Mon, Apr 16, 2018 at 10:15:28AM +0100, Sean Young wrote:  
> > > On Mon, Apr 16, 2018 at 10:50:15AM +0200, Greg KH wrote:  
> > > > On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:  
> > > > > On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:  
> > > > > > What is the git commit id of this patch, and the other patches in this
> > > > > > series and the 4.14 patch series that you sent out?  
> > > > > 
> > > > > lirc_zilog was dropped in v4.16, so this can't be patched upstream.  
> > > > 
> > > > Ah you are right, should we just ditch them here as well as they
> > > > obviously do not work? :)
> > > >   
> > > > > > Please read:
> > > > > >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > > > > > for how to do this in a way that I can pick them up.  
> > > > > 
> > > > > These patches have been tested with different types of hardware. Is there
> > > > > anything else I can do to get these patches included?  
> > > > 
> > > > When submitting patches to stable, you need to be explicit as to why
> > > > they are needed, and if they are not upstream, why not.
> > > > 
> > > > In this case, for obviously broken code that is not used anymore (as
> > > > it is gone in 4.16), why don't we just take the patch that removed the
> > > > driver to the stable trees as well?  
> > > 
> > > Well in v4.16 the ir-kbd-i2c.c driver can do what the lirc_zilog does in
> > > v4.15 (and earlier), so it wasn't ditched as such. It's a case of replaced
> > > by mainline.
> > > 
> > > Since I was getting bug reports on it, there must be users of the lirc_zilog
> > > driver.
> > > 
> > > That being said, the old lirc_dev and lirc_zilog is pretty awful code.  
> > 
> > Ok, I've queued these up for 4.14.y now.  4.15 is end-of-life, so I
> > can't apply these patches there, sorry.  
> 
> Ok, thanks.
> 
> I wonder why Ubuntu picked 4.15 as the kernel for their upcoming 18.04 LTS
> release.

I've no idea. Maybe it might be due to spectre/meltdown? Anyway, they'll
need to maintain it for a long time. So, I won't be surprised if they
decide to take over LTS maintainership upstream. In the meantime, if the
bug is serious enough, you may consider sending them fixup patches
directly, although I guess that they use a bugzilla instead for patches
to the distro, which makes it harder/painful to send them fixups.

The Ubuntu FAQ (https://wiki.ubuntu.com/Kernel/FAQ) points to an IRC
freenode channel (#ubuntu-kernel). Perhaps you could ping them there
and ask them about that.


Thanks,
Mauro


* [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
From: Sean Young @ 2018-04-23 12:08 UTC (permalink / raw)
  To: kernel-team, Warren Sturm; +Cc: stable, #, v4.15

commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
 ? __schedule+0x247/0x880
 ? get_ir_tx+0x40/0x40 [lirc_zilog]
 kthread+0x113/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ? do_syscall_64+0x74/0x180
 ? SyS_exit_group+0x10/0x10
 ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
 
 	lirc_init_pdata(node, filep);
 	ir = lirc_get_pdata(filep);
+	get_ir_device(ir, false);
 
 	atomic_inc(&ir->open_count);
 
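Review bot: In open(), get_ir_device(ir, false) is called on the pointer returned by lirc_get_pdata(filep) with no NULL check, and nothing in the hunk shows what keeps ir alive between the lookup and the get. Please confirm that a concurrent unbind cannot drop the last reference in that window, and add a one-line comment that this get pairs with the put on the close path, since losing that pairing is exactly what commit 615cd3fe6ccc introduced.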
-- 
2.14.3


* [PATCH stable v4.15 2/3] Revert "media: lirc_zilog: driver only sends LIRCCODE"
@ 2018-04-23 12:08   ` Sean Young
  0 siblings, 0 replies; 15+ messages in thread
From: Sean Young @ 2018-04-23 12:08 UTC (permalink / raw)
  To: kernel-team, Warren Sturm; +Cc: stable, #, v4.14-v4.15

The lirc config documented here
https://www.blushingpenguin.com/mark/blog/?p=24 uses raw_codes for sending
IR. Each key only has one pulse, which in fact is an index into the
haup-ir-blaster.bin file. Changing the driver to LIRCCODE (although more
accurate) breaks this configuration.

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

This reverts commit 89d8a2cc51d1f29ea24a0b44dde13253141190a0.

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.14-v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index bf6869e48a0f..e8d6c1abc6d8 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -287,7 +287,7 @@ static void release_ir_tx(struct kref *ref)
 	struct IR_tx *tx = container_of(ref, struct IR_tx, ref);
 	struct IR *ir = tx->ir;
 
-	ir->l->features &= ~LIRC_CAN_SEND_LIRCCODE;
+	ir->l->features &= ~LIRC_CAN_SEND_PULSE;
 	/* Don't put_ir_device(tx->ir) here, so our lock doesn't get freed */
 	ir->tx = NULL;
 	kfree(tx);
@@ -1266,14 +1266,14 @@ static long ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
 		if (!(features & LIRC_CAN_SEND_MASK))
 			return -ENOTTY;
 
-		result = put_user(LIRC_MODE_LIRCCODE, uptr);
+		result = put_user(LIRC_MODE_PULSE, uptr);
 		break;
 	case LIRC_SET_SEND_MODE:
 		if (!(features & LIRC_CAN_SEND_MASK))
 			return -ENOTTY;
 
 		result = get_user(mode, uptr);
-		if (!result && mode != LIRC_MODE_LIRCCODE)
+		if (!result && mode != LIRC_MODE_PULSE)
 			return -EINVAL;
 		break;
 	default:
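Review bot: In the LIRC_SET_SEND_MODE case the driver now accepts only LIRC_MODE_PULSE, yet the commit message says each "pulse" written is really an index into haup-ir-blaster.bin, not a duration. A comment at this check and at the put_user(LIRC_MODE_PULSE, uptr) reply above it should say so, so that a later reader does not treat the device as a genuine pulse transmitter. Separately, the Fixes: tag names 615cd3fe6ccc while the message says the revert is of 89d8a2cc51d1; that looks carried over from patch 1/3 and is worth correcting.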
@@ -1482,7 +1482,7 @@ static int ir_probe(struct i2c_client *client, const struct i2c_device_id *id)
 		kref_init(&tx->ref);
 		ir->tx = tx;
 
-		ir->l->features |= LIRC_CAN_SEND_LIRCCODE;
+		ir->l->features |= LIRC_CAN_SEND_PULSE;
 		mutex_init(&tx->client_lock);
 		tx->c = client;
 		tx->need_boot = 1;
-- 
2.14.3


* [PATCH stable v4.15 3/3] media: staging: lirc_zilog: incorrect reference counting
@ 2018-04-23 12:09   ` Sean Young
  0 siblings, 0 replies; 15+ messages in thread
From: Sean Young @ 2018-04-23 12:09 UTC (permalink / raw)
  To: kernel-team, Warren Sturm; +Cc: stable, #

Whenever poll is called, the reference count is increased but never
decreased. This means that on rmmod, the lirc_thread is not stopped,
and will trample over freed memory.

Zilog/Hauppauge IR driver unloaded
BUG: unable to handle kernel paging request at ffffffffc17ba640
Oops: 0010 [#1] SMP
CPU: 1 PID: 667 Comm: zilog-rx-i2c-1 Tainted: P         C OE   4.13.16-302.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
task: ffff964eb452ca00 task.stack: ffffb254414dc000
RIP: 0010:0xffffffffc17ba640
RSP: 0018:ffffb254414dfe78 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff964ec1b35890 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffffb254414dff00 R08: 000000000000036e R09: ffff964ecfc8dfd0
R10: ffffb254414dfe78 R11: 00000000000f4240 R12: ffff964ec2bf28a0
R13: ffff964ec1b358a8 R14: ffff964ec1b358d0 R15: ffff964ec1b35800
FS:  0000000000000000(0000) GS:ffff964ecfc80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffc17ba640 CR3: 000000023058c000 CR4: 00000000000006e0
Call Trace:
 kthread+0x125/0x140
 ? kthread_park+0x60/0x60
 ? do_syscall_64+0x67/0x140
 ret_from_fork+0x25/0x30
Code:  Bad RIP value.
RIP: 0xffffffffc17ba640 RSP: ffffb254414dfe78
CR2: ffffffffc17ba640

Note that zilog-rx-i2c-1 should have exited by now, but hasn't due to
the missing put in poll().

This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Cc: stable@vger.kernel.org # v4.15- (all up to and including v4.15)
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index e8d6c1abc6d8..022720210f70 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1227,6 +1227,7 @@ static unsigned int poll(struct file *filep, poll_table *wait)
 
 	dev_dbg(ir->dev, "%s result = %s\n", __func__,
 		ret ? "POLLIN|POLLRDNORM" : "none");
+	put_ir_rx(rx, false);
 	return ret;
 }
 
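Review bot: put_ir_rx(rx, false) is added only on the final return of poll(), after the dev_dbg() call; the hunk does not show the earlier exits, so any return taken after the rx reference is acquired would still leak it and leave the zilog-rx-i2c thread running at rmmod. Please confirm that every path which takes the reference reaches this put, or route those paths through a single exit label.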
-- 
2.14.3
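
The two reference-counting failures described in patches 1/3 and 3/3, as an added example that is not part of this thread or of the driver. It is a constructed userspace C model: a single counter stands in for the driver's reference counts, and every name in it (struct model, do_open, do_poll and so on) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: one counter stands in for the driver's krefs. */
struct model {
    int refs;          /* the object is released when this reaches zero */
    bool released;     /* set where the driver would stop its thread and free */
    bool get_in_open;  /* behaviour with patch 1/3 applied */
    bool put_in_poll;  /* behaviour with patch 3/3 applied */
};

static void ref_get(struct model *m) { m->refs++; }
static void ref_put(struct model *m) { if (--m->refs == 0) m->released = true; }
/* Probe holds one reference until remove; close always drops one. */
static struct model do_probe(bool get_in_open, bool put_in_poll)
{
    struct model m = { 1, false, get_in_open, put_in_poll };
    return m;
}
static void do_open(struct model *m)   { if (m->get_in_open) ref_get(m); }
static void do_close(struct model *m)  { ref_put(m); }
static void do_poll(struct model *m)   { ref_get(m); if (m->put_in_poll) ref_put(m); }
static void do_remove(struct model *m) { ref_put(m); }

/* Patch 1/3 case: is the object released while the driver is still bound? */
static bool released_after_first_close(bool patched)
{
    struct model m = do_probe(patched, true);
    do_open(&m);
    do_close(&m);
    return m.released;
}

/* Patch 3/3 case: references still held after the last close and remove. */
static int refs_left_after_remove(bool patched, int polls)
{
    struct model m = do_probe(true, patched);
    do_open(&m);
    for (int i = 0; i < polls; i++)
        do_poll(&m);
    do_close(&m);
    do_remove(&m);
    return m.refs;
}

int main(void)
{
    printf("unpatched: released after first close = %d\n", released_after_first_close(false));
    printf("unpatched: refs left after 3 polls and remove = %d\n", refs_left_after_remove(false, 3));
    return 0;
}
```

A non-zero count after remove means the release path never runs, which matches the receive thread outliving the module in the second oops.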


* Re: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
  2018-04-23 10:34               ` Mauro Carvalho Chehab
@ 2018-04-23 12:13                 ` Sean Young
  0 siblings, 0 replies; 15+ messages in thread
From: Sean Young @ 2018-04-23 12:13 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: Greg KH, linux-media, Warren Sturm, Andy Walls, stable

On Mon, Apr 23, 2018 at 07:34:22AM -0300, Mauro Carvalho Chehab wrote:
> Em Mon, 23 Apr 2018 10:04:20 +0100
> Sean Young <sean@mess.org> escreveu:
> 
> > On Sun, Apr 22, 2018 at 11:47:51AM +0200, Greg KH wrote:
> > > On Mon, Apr 16, 2018 at 10:15:28AM +0100, Sean Young wrote:  
> > > > On Mon, Apr 16, 2018 at 10:50:15AM +0200, Greg KH wrote:  
> > > > > On Mon, Apr 16, 2018 at 09:43:45AM +0100, Sean Young wrote:  
> > > > > > On Mon, Apr 16, 2018 at 09:52:28AM +0200, Greg KH wrote:  
> > > > > > > What is the git commit id of this patch, and the other patches in this
> > > > > > > series and the 4.14 patch series that you sent out?  
> > > > > > 
> > > > > > lirc_zilog was dropped in v4.16, so this can't be patched upstream.  
> > > > > 
> > > > > Ah you are right, should we just ditch them here as well as they
> > > > > obviously do not work? :)
> > > > >   
> > > > > > > Please read:
> > > > > > >     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > > > > > > for how to do this in a way that I can pick them up.  
> > > > > > 
> > > > > > These patches have been tested with different types of hardware. Is there
> > > > > > anything else I can do to get these patches included?  
> > > > > 
> > > > > When submitting patches to stable, you need to be explicit as to why
> > > > > they are needed, and if they are not upstream, why not.
> > > > > 
> > > > > In this case, for obviously broken code that is not used anymore (as
> > > > > it is gone in 4.16), why don't we just take the patch that removed the
> > > > > driver to the stable trees as well?  
> > > > 
> > > > Well in v4.16 the ir-kbd-i2c.c driver can do what the lirc_zilog does in
> > > > v4.15 (and earlier), so it wasn't ditched as such. It's a case of replaced
> > > > by mainline.
> > > > 
> > > > Since I was getting bug reports on it, there must be users of the lirc_zilog
> > > > driver.
> > > > 
> > > > That being said, the old lirc_dev and lirc_zilog is pretty awful code.  
> > > 
> > > Ok, I've queued these up for 4.14.y now.  4.15 is end-of-life, so I
> > > can't apply these patches there, sorry.  
> > 
> > Ok, thanks.
> > 
> > I wonder why Ubuntu picked 4.15 as the kernel for their upcoming 18.04 LTS
> > release.
> 
> I've no idea. Maybe it might be due to spectre/meltdown? Anyway, they'll
> need to maintain it for a long time. So, I won't be surprised if they
> decide to take over LTS maintainership upstream. In the meantime, if the
> bug is serious enough, you may consider sending them fixup patches
> directly, although I guess that they use a bugzilla instead for patches
> to the distro, which makes it harder/painful to send them fixups.
> 
> The Ubuntu FAQ (https://wiki.ubuntu.com/Kernel/FAQ) points to an IRC
> freenode channel (#ubuntu-kernel). Perhaps you could ping them there
> and ask them about that.

Following their advice, I've resent the patches to 
kernel-team@lists.ubuntu.com; I'm afraid stable got cc'ed again in the
process, please ignore (sorry!)


Sean
