From patchwork Tue Feb 24 17:29:18 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Devin Heitmueller <dheitmueller@kernellabs.com>
X-Patchwork-Id: 28394
Received: from mail.tu-berlin.de ([130.149.7.33])
	by www.linuxtv.org with esmtp (Exim 4.72)
	(envelope-from <linux-media-owner@vger.kernel.org>)
	id 1YQJIt-0000Z4-2f; Tue, 24 Feb 2015 18:29:51 +0100
X-tubIT-Incoming-IP: 209.132.180.67
Received: from vger.kernel.org ([209.132.180.67])
	by mail.tu-berlin.de (exim-4.72/mailfrontend-6) with esmtp
	id 1YQJIq-0002YV-4n; Tue, 24 Feb 2015 18:29:50 +0100
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753239AbbBXR3n (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other);
	Tue, 24 Feb 2015 12:29:43 -0500
Received: from mail-qa0-f44.google.com ([209.85.216.44]:38194 "EHLO
	mail-qa0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753251AbbBXR33 (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Tue, 24 Feb 2015 12:29:29 -0500
Received: by mail-qa0-f44.google.com with SMTP id n8so28118741qaq.3
	for <linux-media@vger.kernel.org>;
	Tue, 24 Feb 2015 09:29:28 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=WpwW5Od5Z2iyEG2IrblinSUj5evWYw1ju9GllJlGrSo=;
	b=g3M7NEb8kGt2dmd36Cqi8Sh6nsJ7PBw9nSKb2nyGexT0BJPDWpc24/5KcnD47/55ul
	L1Q7ThsOBUeOcChDMNmEWz9mkU73qQ4YlXjhtxDkUDYtKpTOfxKeU20f3mnzZQyFfi7i
	cnWcgQNTLHCXuNVz7bCfvBeC1HzIVcvEaJBc4WREgiAZD1z5+HzCAik3X60cbUVCuNgM
	JweaJ4/g7HX7QN8SXn9OUn+k5clCEndQK5SH8/SBLnSK4Wxr2BA5ZqB6rcSvdQS3ysac
	5PRdk6m9qThqtbNEIlHmOo+cZiy6NBJoTFUmIERSL0p6+uFRLPzt1N6hlvyBx02MQv3f
	tKbA==
X-Gm-Message-State: 
 ALoCoQnJE5s4qIKEoxuXRw50Rxc3fvtfe4pDyoLxqGIlZ+KGt3AHutN9JDnjVuydyYj/jBc7Nz0c
X-Received: by 10.140.108.201 with SMTP id j67mr36373095qgf.86.1424798968828;
	Tue, 24 Feb 2015 09:29:28 -0800 (PST)
Received: from localhost.localdomain (cpe-74-71-114-159.nyc.res.rr.com.
	[74.71.114.159]) by mx.google.com with ESMTPSA id
	76sm19850783qhs.5.2015.02.24.09.29.28
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 24 Feb 2015 09:29:28 -0800 (PST)
From: Devin Heitmueller <dheitmueller@kernellabs.com>
To: linux-media@vger.kernel.org
Cc: Devin Heitmueller <dheitmueller@kernellabs.com>,
	Shuah Khan <shuahkh@osg.samsung.com>
Subject: [PATCH] xc5000: fix memory corruption when unplugging device
Date: Tue, 24 Feb 2015 12:29:18 -0500
Message-Id: <1424798958-2819-1-git-send-email-dheitmueller@kernellabs.com>
X-Mailer: git-send-email 1.9.1
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409,
	Antispam-Data: 2015.2.24.172118
X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report='
	MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05,
	BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1700_1799 0,
	BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0,
	BODY_SIZE_7000_LESS 0, DATE_TZ_NA 0, URI_ENDS_IN_HTML 0,
	__ANY_URI 0, __CP_URI_IN_BODY 0, __HAS_FROM 0, __HAS_MSGID 0,
	__HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0,
	__MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0,
	__TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS ,
	__YOUTUBE_RCVD 0'

This patch addresses a regression introduced in the following patch:

commit 5264a522a597032c009f9143686ebf0fa4e244fb
Author: Shuah Khan <shuahkh@osg.samsung.com>
Date:   Mon Sep 22 21:30:46 2014 -0300
    [media] media: tuner xc5000 - release firmwware from xc5000_release()

The "priv" struct is actually reference counted, so the xc5000_release()
function gets called multiple times for hybrid devices.  Because
release_firmware() was always being called, it would work fine as expected
on the first call but then the second call would corrupt aribtrary memory.

Set the pointer to NULL after releasing so that we don't call
release_firmware() twice.

This problem was detected in the HVR-950q where plugging/unplugging the
device multiple times would intermittently show panics in completely
unrelated areas of the kernel.

Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
---
 drivers/media/tuners/xc5000.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c
index 40f9db6..74b2092 100644
--- a/drivers/media/tuners/xc5000.c
+++ b/drivers/media/tuners/xc5000.c
@@ -1314,7 +1314,10 @@ static int xc5000_release(struct dvb_frontend *fe)
 
 	if (priv) {
 		cancel_delayed_work(&priv->timer_sleep);
-		release_firmware(priv->firmware);
+		if (priv->firmware) {
+			release_firmware(priv->firmware);
+			priv->firmware = NULL;
+		}
 		hybrid_tuner_release_state(priv);
 	}