| Message ID | 1424798958-2819-1-git-send-email-dheitmueller@kernellabs.com (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers |
Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from <linux-media-owner@vger.kernel.org>) id 1YQJIt-0000Z4-2f; Tue, 24 Feb 2015 18:29:51 +0100 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.72/mailfrontend-6) with esmtp id 1YQJIq-0002YV-4n; Tue, 24 Feb 2015 18:29:50 +0100 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753239AbbBXR3n (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Tue, 24 Feb 2015 12:29:43 -0500 Received: from mail-qa0-f44.google.com ([209.85.216.44]:38194 "EHLO mail-qa0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753251AbbBXR33 (ORCPT <rfc822;linux-media@vger.kernel.org>); Tue, 24 Feb 2015 12:29:29 -0500 Received: by mail-qa0-f44.google.com with SMTP id n8so28118741qaq.3 for <linux-media@vger.kernel.org>; Tue, 24 Feb 2015 09:29:28 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=WpwW5Od5Z2iyEG2IrblinSUj5evWYw1ju9GllJlGrSo=; b=g3M7NEb8kGt2dmd36Cqi8Sh6nsJ7PBw9nSKb2nyGexT0BJPDWpc24/5KcnD47/55ul L1Q7ThsOBUeOcChDMNmEWz9mkU73qQ4YlXjhtxDkUDYtKpTOfxKeU20f3mnzZQyFfi7i cnWcgQNTLHCXuNVz7bCfvBeC1HzIVcvEaJBc4WREgiAZD1z5+HzCAik3X60cbUVCuNgM JweaJ4/g7HX7QN8SXn9OUn+k5clCEndQK5SH8/SBLnSK4Wxr2BA5ZqB6rcSvdQS3ysac 5PRdk6m9qThqtbNEIlHmOo+cZiy6NBJoTFUmIERSL0p6+uFRLPzt1N6hlvyBx02MQv3f tKbA== X-Gm-Message-State: ALoCoQnJE5s4qIKEoxuXRw50Rxc3fvtfe4pDyoLxqGIlZ+KGt3AHutN9JDnjVuydyYj/jBc7Nz0c X-Received: by 10.140.108.201 with SMTP id j67mr36373095qgf.86.1424798968828; Tue, 24 Feb 2015 09:29:28 -0800 (PST) Received: from localhost.localdomain (cpe-74-71-114-159.nyc.res.rr.com. [74.71.114.159]) by mx.google.com with ESMTPSA id 76sm19850783qhs.5.2015.02.24.09.29.28 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 24 Feb 2015 09:29:28 -0800 (PST) From: Devin Heitmueller <dheitmueller@kernellabs.com> To: linux-media@vger.kernel.org Cc: Devin Heitmueller <dheitmueller@kernellabs.com>, Shuah Khan <shuahkh@osg.samsung.com> Subject: [PATCH] xc5000: fix memory corruption when unplugging device Date: Tue, 24 Feb 2015 12:29:18 -0500 Message-Id: <1424798958-2819-1-git-send-email-dheitmueller@kernellabs.com> X-Mailer: git-send-email 1.9.1 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.2.24.172118 X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1700_1799 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_URI_IN_BODY 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS , __YOUTUBE_RCVD 0' |
Commit Message
Devin Heitmueller
Feb. 24, 2015, 5:29 p.m. UTC
This patch addresses a regression introduced in the following patch:
commit 5264a522a597032c009f9143686ebf0fa4e244fb
Author: Shuah Khan <shuahkh@osg.samsung.com>
Date: Mon Sep 22 21:30:46 2014 -0300
[media] media: tuner xc5000 - release firmwware from xc5000_release()
The "priv" struct is actually reference counted, so the xc5000_release()
function gets called multiple times for hybrid devices. Because
release_firmware() was always being called, it would work fine as expected
on the first call but then the second call would corrupt aribtrary memory.
Set the pointer to NULL after releasing so that we don't call
release_firmware() twice.
This problem was detected in the HVR-950q where plugging/unplugging the
device multiple times would intermittently show panics in completely
unrelated areas of the kernel.
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
---
drivers/media/tuners/xc5000.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Comments
On 02/24/2015 10:29 AM, Devin Heitmueller wrote: > This patch addresses a regression introduced in the following patch: > > commit 5264a522a597032c009f9143686ebf0fa4e244fb > Author: Shuah Khan <shuahkh@osg.samsung.com> > Date: Mon Sep 22 21:30:46 2014 -0300 > [media] media: tuner xc5000 - release firmwware from xc5000_release() > > The "priv" struct is actually reference counted, so the xc5000_release() > function gets called multiple times for hybrid devices. Because > release_firmware() was always being called, it would work fine as expected > on the first call but then the second call would corrupt aribtrary memory. > > Set the pointer to NULL after releasing so that we don't call > release_firmware() twice. > > This problem was detected in the HVR-950q where plugging/unplugging the > device multiple times would intermittently show panics in completely > unrelated areas of the kernel. Thanks for finding and fixing the problem. > > Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com> > Cc: Shuah Khan <shuahkh@osg.samsung.com> > --- > drivers/media/tuners/xc5000.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c > index 40f9db6..74b2092 100644 > --- a/drivers/media/tuners/xc5000.c > +++ b/drivers/media/tuners/xc5000.c > @@ -1314,7 +1314,10 @@ static int xc5000_release(struct dvb_frontend *fe) > > if (priv) { > cancel_delayed_work(&priv->timer_sleep); > - release_firmware(priv->firmware); I would request you to add a comment here indicating the hybrid case scenario to avoid any future cleanup type work deciding there is no need to set priv->firmware to null since priv gets released in hybrid_tuner_release_state(priv); > + if (priv->firmware) { > + release_firmware(priv->firmware); > + priv->firmware = NULL; > + } > hybrid_tuner_release_state(priv); > } > > Adding Mauro as will to the thread. This should go into stable as well. thanks, -- Shuah
> I would request you to add a comment here indicating the > hybrid case scenario to avoid any future cleanup type work > deciding there is no need to set priv->firmware to null > since priv gets released in hybrid_tuner_release_state(priv); No, I'm not going to rebase my tree and regenerate the patch just to add a comment explaining how hybrid_tuner_[request/release]_state() works (which, btw, is how it works in all hybrid tuner drivers). I already wasted enough of my time tracking down the source of the memory corruption and providing a fix for this regression. If you want to submit a subsequent patch with a comment, be my guest. Devin
On 02/25/2015 07:56 PM, Devin Heitmueller wrote: >> I would request you to add a comment here indicating the >> hybrid case scenario to avoid any future cleanup type work >> deciding there is no need to set priv->firmware to null >> since priv gets released in hybrid_tuner_release_state(priv); > > No, I'm not going to rebase my tree and regenerate the patch just to > add a comment explaining how hybrid_tuner_[request/release]_state() > works (which, btw, is how it works in all hybrid tuner drivers). I > already wasted enough of my time tracking down the source of the > memory corruption and providing a fix for this regression. If you > want to submit a subsequent patch with a comment, be my guest. These are just the issues I would like to implement drivers as standard I2C driver model =) Attaching driver for one chip twice is ugly hack! regards Antti
> These are just the issues I would like to implement drivers as standard I2C > driver model =) Attaching driver for one chip twice is ugly hack! While I'm not arguing the merits of using the standard I2C driver model, it won't actually help in this case since we would still need a structure representing shared state accessible by both the DVB and V4L2 subsystems. And that struct will need to be referenced counted, which is exactly what hybrid_tuner_request_state() does. In short, what you're proposing doesn't have any relevance to this case - it just moves the problem to some other mechanism for sharing private state between two drivers and having to reference count it. And at least in this case it's done the same way for all the tuner drivers (as opposed to different tuners re-inventing their own mechanism for sharing state between the different consumers). If you ever get around to implementing support for a hybrid device (where you actually have to worry about how both digital and analog share a single tuner), you'll appreciate some of these challenges and why what was done was not as bad/crazy as you might think. If anything, this little regression is yet another point of evidence that innocent refactoring and "cleanup" of existing code without really understanding what it does and/or performing significant testing can leave everybody worse off than if the well-intentioned committer had done nothing at all. Devin
Em Wed, 25 Feb 2015 13:37:07 -0500 Devin Heitmueller <dheitmueller@kernellabs.com> escreveu: > > These are just the issues I would like to implement drivers as standard I2C > > driver model =) Attaching driver for one chip twice is ugly hack! > > While I'm not arguing the merits of using the standard I2C driver > model, it won't actually help in this case since we would still need a > structure representing shared state accessible by both the DVB and > V4L2 subsystems. And that struct will need to be referenced counted, > which is exactly what hybrid_tuner_request_state() does. ... > If you ever get around to implementing support for a hybrid device > (where you actually have to worry about how both digital and analog > share a single tuner), you'll appreciate some of these challenges and > why what was done was not as bad/crazy as you might think. The I2C model that Antti is proposing may work, but, for that, we'll very likely need to re-write the tuner core. Currently, the binding model is: for analog: tuner driver -> tuner-core module <==> V4L2 driver The interface between V4L2 driver and tuner core is the I2C high level API. for digital tuner driver <==> DVB driver The interface between the tuner driver and the DVB driver is the I2C low level API. Antti's proposal makes the DVB driver to use the high level I2C API, with makes the DVB driver a little closer to what V4L2 does. Yet, for V4L2, the tuner-core module is required. The binding code at the tuner-core is very complex, as it needs to talk both V4L2 and DVB "dialogs". This should be simplified. In other words, If we want to use the same model for all tuners, we'll need to rewrite the binding schema to avoid the need of a tuner core module, or to replace it by something better/simpler. For locking the tuner between analog/digital usage, the best approach seems to be to use the media controller. Regards, Mauro -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c index 40f9db6..74b2092 100644 --- a/drivers/media/tuners/xc5000.c +++ b/drivers/media/tuners/xc5000.c @@ -1314,7 +1314,10 @@ static int xc5000_release(struct dvb_frontend *fe) if (priv) { cancel_delayed_work(&priv->timer_sleep); - release_firmware(priv->firmware); + if (priv->firmware) { + release_firmware(priv->firmware); + priv->firmware = NULL; + } hybrid_tuner_release_state(priv); }