summaryrefslogtreecommitdiffstats
path: root/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
diff options
context:
space:
mode:
authorMike Isely <isely@pobox.com>2019-11-06 12:11:14 +0100
committerMauro Carvalho Chehab <mchehab@kernel.org>2019-11-09 09:10:06 +0100
commit7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1 (patch)
tree306c88f351e7698c23ddeab4ca8bc150de02cb21 /drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
parentmedia: MAINTAINERS: ao-cec: Update path for yaml bindings (diff)
downloadlinux-7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1.tar.xz
linux-7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1.zip
media: pvrusb2: Fix oops on tear-down when radio support is not present
In some device configurations there's no radio or radio support in the driver. That's OK, as the driver sets itself up accordingly. However on tear-down in these caes it's still trying to tear down radio related context when there isn't anything there, leading to dereferences through a null pointer and chaos follows. How this bug survived unfixed for 11 years in the pvrusb2 driver is a mystery to me. [hverkuil: fix two checkpatch warnings] Signed-off-by: Mike Isely <isely@pobox.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Diffstat (limited to 'drivers/media/usb/pvrusb2/pvrusb2-v4l2.c')
-rw-r--r--drivers/media/usb/pvrusb2/pvrusb2-v4l2.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
index a34717eba409..eaa08c7999d4 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
@@ -898,8 +898,12 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel *chp)
pvr2_v4l2_dev_disassociate_parent(vp->dev_video);
pvr2_v4l2_dev_disassociate_parent(vp->dev_radio);
if (!list_empty(&vp->dev_video->devbase.fh_list) ||
- !list_empty(&vp->dev_radio->devbase.fh_list))
+ (vp->dev_radio &&
+ !list_empty(&vp->dev_radio->devbase.fh_list))) {
+ pvr2_trace(PVR2_TRACE_STRUCT,
+ "pvr2_v4l2 internal_check exit-empty id=%p", vp);
return;
+ }
pvr2_v4l2_destroy_no_lock(vp);
}
@@ -935,7 +939,8 @@ static int pvr2_v4l2_release(struct file *file)
kfree(fhp);
if (vp->channel.mc_head->disconnect_flag &&
list_empty(&vp->dev_video->devbase.fh_list) &&
- list_empty(&vp->dev_radio->devbase.fh_list)) {
+ (!vp->dev_radio ||
+ list_empty(&vp->dev_radio->devbase.fh_list))) {
pvr2_v4l2_destroy_no_lock(vp);
}
return 0;