Re: [pvrusb2] [PATCH] pvrusb2: Fix oops on tear-down when radio support is not present

Sun, 27 Oct 2019 14:47:36 -0700 

If I can get independent confirmation that this definitely helps 
matters, I will post the patch upstream.  Just being absolutely 
paranoid...

  -Mike

On Sun, 27 Oct 2019, Mike Isely wrote:

> In some device configurations there's no radio or radio support in the
> driver.  That's OK, as the driver sets itself up accordingly.  However
> on tear-down in these caes it's still trying to tear down radio
> related context when there isn't anything there, leading to
> dereferences through a null pointer and chaos follows.
> 
> How this bug survived unfixed for 11 years in the pvrusb2 driver is a mystery 
> to me.
> 
> Signed-off-by: Mike Isely <[email protected]>
> ---
>  drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c 
> b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> index aa4fbc3e88cc..0a831849a2b0 100644
> --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
> @@ -909,8 +909,11 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel 
> *chp)
>       pvr2_v4l2_dev_disassociate_parent(vp->dev_video);
>       pvr2_v4l2_dev_disassociate_parent(vp->dev_radio);
>       if (!list_empty(&vp->dev_video->devbase.fh_list) ||
> -         !list_empty(&vp->dev_radio->devbase.fh_list))
> +         ((vp->dev_radio != NULL) &&
> +          !list_empty(&vp->dev_radio->devbase.fh_list))) {
> +             pvr2_trace(PVR2_TRACE_STRUCT,"pvr2_v4l2 internal_check 
> exit-empty id=%p",vp);
>               return;
> +     }
>       pvr2_v4l2_destroy_no_lock(vp);
>  }
>  
> @@ -946,7 +949,8 @@ static int pvr2_v4l2_release(struct file *file)
>       kfree(fhp);
>       if (vp->channel.mc_head->disconnect_flag &&
>           list_empty(&vp->dev_video->devbase.fh_list) &&
> -         list_empty(&vp->dev_radio->devbase.fh_list)) {
> +         ((vp->dev_radio == NULL) ||
> +          list_empty(&vp->dev_radio->devbase.fh_list))) {
>               pvr2_v4l2_destroy_no_lock(vp);
>       }
>       return 0;
> -- 
> 2.20.1
> _______________________________________________
> pvrusb2 mailing list
> [email protected]
> http://www.isely.net/cgi-bin/mailman/listinfo/pvrusb2
> 

-- 

Mike Isely
isely @ isely (dot) net
PGP: 03 54 43 4D 75 E5 CC 92 71 16 01 E2 B5 F5 C1 E8
_______________________________________________
pvrusb2 mailing list
[email protected]
http://www.isely.net/cgi-bin/mailman/listinfo/pvrusb2

Reply via email to