[pvrusb2] [PATCH] pvrusb2: Fix oops on tear-down when radio support is not present
Diego Rivera
diego.rivera.cr at gmail.com
Sun Oct 27 17:00:09 CDT 2019
I'll do that today. I'm setting up a kernel build system now, should be able to fire off a build
soon.
Cheers!
On Sun, 2019-10-27 at 16:47 -0500, Mike Isely wrote:
> If I can get independent confirmation that this definitely helps matters, I will post the patch
> upstream. Just being absolutely paranoid...
> -Mike
> On Sun, 27 Oct 2019, Mike Isely wrote:
> > In some device configurations there's no radio or radio support in thedriver. That's OK, as the
> > driver sets itself up accordingly. Howeveron tear-down in these caes it's still trying to tear
> > down radiorelated context when there isn't anything there, leading todereferences through a null
> > pointer and chaos follows.
> > How this bug survived unfixed for 11 years in the pvrusb2 driver is a mystery to me.
> > Signed-off-by: Mike Isely <isely at pobox.com>--- drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 8
> > ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
> > diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-
> > v4l2.cindex aa4fbc3e88cc..0a831849a2b0 100644--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c+++
> > b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c@@ -909,8 +909,11 @@ static void
> > pvr2_v4l2_internal_check(struct pvr2_channel *chp) pvr2_v4l2_dev_disassociate_parent(vp-
> > >dev_video); pvr2_v4l2_dev_disassociate_parent(vp->dev_radio); if (!list_empty(&vp-
> > >dev_video->devbase.fh_list) ||- !list_empty(&vp->dev_radio->devbase.fh_list))+ ((vp
> > ->dev_radio != NULL) &&+ !list_empty(&vp->dev_radio->devbase.fh_list))) {+
> > pvr2_trace(PVR2_TRACE_STRUCT,"pvr2_v4l2 internal_check exit-empty id=%p",vp); return;+
> > } pvr2_v4l2_destroy_no_lock(vp); } @@ -946,7 +949,8 @@ static int
> > pvr2_v4l2_release(struct file *file) kfree(fhp); if (vp->channel.mc_head-
> > >disconnect_flag && list_empty(&vp->dev_video->devbase.fh_list) &&- list_empty(&
> > vp->dev_radio->devbase.fh_list)) {+ ((vp->dev_radio == NULL) ||+ list_empty(&vp-
> > >dev_radio->devbase.fh_list))) { pvr2_v4l2_destroy_no_lock(vp); } return
> > 0;-- 2.20.1_______________________________________________pvrusb2 mailing listpvrusb2 at isely.net
> > http://www.isely.net/cgi-bin/mailman/listinfo/pvrusb2
> >
--
Diego Rivera
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part
URL: <http://www.isely.net/pipermail/pvrusb2/attachments/20191027/ae511926/attachment.sig>
More information about the pvrusb2
mailing list