[v3,bug/urgent] dvb-usb-v2: Fix incorrect use of transfer_flags URB_FREE_BUFFER

In commit 1a0c10ed7b media: dvb-usb-v2: stop using coherent memory for URBs
incorrectly adds URB_FREE_BUFFER after every urb transfer.

It cannot use this flag because it reconfigures the URBs accordingly
to suit connected devices. In doing a call to usb_free_urb is made and
invertedly frees the buffers.

The stream buffer should remain constant while driver is up.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
CC: stable@vger.kernel.org # v4.18+
---
v3 change commit message to the actual cause

 drivers/media/usb/dvb-usb-v2/usb_urb.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
  

On Mon, 2018-11-26 at 20:18 +0000, Malcolm Priestley wrote:
> In commit 1a0c10ed7b media: dvb-usb-v2: stop using coherent memory
> for URBs
> incorrectly adds URB_FREE_BUFFER after every urb transfer.
> 
> It cannot use this flag because it reconfigures the URBs accordingly
> to suit connected devices. In doing a call to usb_free_urb is made
> and
> invertedly frees the buffers.
> 
> The stream buffer should remain constant while driver is up.
> 
> Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
> CC: stable@vger.kernel.org # v4.18+
> ---
> v3 change commit message to the actual cause
> 
>  drivers/media/usb/dvb-usb-v2/usb_urb.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> index 024c751eb165..2ad2ddeaff51 100644
> --- a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> +++ b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> @@ -155,7 +155,6 @@ static int usb_urb_alloc_bulk_urbs(struct
> usb_data_stream *stream)
>  				stream->props.u.bulk.buffersize,
>  				usb_urb_complete, stream);
>  
> -		stream->urb_list[i]->transfer_flags = URB_FREE_BUFFER;
>  		stream->urbs_initialized++;
>  	}
>  	return 0;
> @@ -186,7 +185,7 @@ static int usb_urb_alloc_isoc_urbs(struct
> usb_data_stream *stream)
>  		urb->complete = usb_urb_complete;
>  		urb->pipe = usb_rcvisocpipe(stream->udev,
>  				stream->props.endpoint);
> -		urb->transfer_flags = URB_ISO_ASAP | URB_FREE_BUFFER;
> +		urb->transfer_flags = URB_ISO_ASAP;
>  		urb->interval = stream->props.u.isoc.interval;
>  		urb->number_of_packets = stream-
> >props.u.isoc.framesperurb;
>  		urb->transfer_buffer_length = stream-
> >props.u.isoc.framesize *
> @@ -210,7 +209,7 @@ static int usb_free_stream_buffers(struct
> usb_data_stream *stream)
>  	if (stream->state & USB_STATE_URB_BUF) {
>  		while (stream->buf_num) {
>  			stream->buf_num--;
> -			stream->buf_list[stream->buf_num] = NULL;
> +			kfree(stream->buf_list[stream->buf_num]);
>  		}
>  	}
>  

I have tested this against Arch Linux's kernel packages for both linux
4.20 and linux-lts 4.19.13.  For both, the patch seems to fix the
crashes I reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=201055

Thanks,
Dan Ziemba
  

Em Sat, 05 Jan 2019 20:49:00 -0500
Dan Ziemba <zman0900@gmail.com> escreveu:

> On Mon, 2018-11-26 at 20:18 +0000, Malcolm Priestley wrote:
> > In commit 1a0c10ed7b media: dvb-usb-v2: stop using coherent memory
> > for URBs
> > incorrectly adds URB_FREE_BUFFER after every urb transfer.
> > 
> > It cannot use this flag because it reconfigures the URBs accordingly
> > to suit connected devices. In doing a call to usb_free_urb is made
> > and
> > invertedly frees the buffers.
> > 
> > The stream buffer should remain constant while driver is up.
> > 
> > Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
> > CC: stable@vger.kernel.org # v4.18+

The patch is already there at Kernel 5.0-rc1. Greg merged it today on
his stable trees in order to be merged on Kernels 4.19 and 4.20.

> > ---
> > v3 change commit message to the actual cause
> > 
> >  drivers/media/usb/dvb-usb-v2/usb_urb.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> > b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> > index 024c751eb165..2ad2ddeaff51 100644
> > --- a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> > +++ b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> > @@ -155,7 +155,6 @@ static int usb_urb_alloc_bulk_urbs(struct
> > usb_data_stream *stream)
> >  				stream->props.u.bulk.buffersize,
> >  				usb_urb_complete, stream);
> >  
> > -		stream->urb_list[i]->transfer_flags = URB_FREE_BUFFER;
> >  		stream->urbs_initialized++;
> >  	}
> >  	return 0;
> > @@ -186,7 +185,7 @@ static int usb_urb_alloc_isoc_urbs(struct
> > usb_data_stream *stream)
> >  		urb->complete = usb_urb_complete;
> >  		urb->pipe = usb_rcvisocpipe(stream->udev,
> >  				stream->props.endpoint);
> > -		urb->transfer_flags = URB_ISO_ASAP | URB_FREE_BUFFER;
> > +		urb->transfer_flags = URB_ISO_ASAP;
> >  		urb->interval = stream->props.u.isoc.interval;
> >  		urb->number_of_packets = stream-
> > >props.u.isoc.framesperurb;
> >  		urb->transfer_buffer_length = stream-
> > >props.u.isoc.framesize *
> > @@ -210,7 +209,7 @@ static int usb_free_stream_buffers(struct
> > usb_data_stream *stream)
> >  	if (stream->state & USB_STATE_URB_BUF) {
> >  		while (stream->buf_num) {
> >  			stream->buf_num--;
> > -			stream->buf_list[stream->buf_num] = NULL;
> > +			kfree(stream->buf_list[stream->buf_num]);
> >  		}
> >  	}
> >  
> 
> I have tested this against Arch Linux's kernel packages for both linux
> 4.20 and linux-lts 4.19.13.  For both, the patch seems to fix the
> crashes I reported here:
> https://bugzilla.kernel.org/show_bug.cgi?id=201055
> 
> Thanks,
> Dan Ziemba
> 
> 



Thanks,
Mauro