media: pvrusb2: Fix oops on tear-down when radio support is not present

[ Upstream commit 7f404ae9cf2a285f73b3c18ab9303d54b7a3d8e1 ]

In some device configurations there's no radio or radio support in the
driver.  That's OK, as the driver sets itself up accordingly.  However
on tear-down in these caes it's still trying to tear down radio
related context when there isn't anything there, leading to
dereferences through a null pointer and chaos follows.

How this bug survived unfixed for 11 years in the pvrusb2 driver is a
mystery to me.

[hverkuil: fix two checkpatch warnings]

Signed-off-by: Mike Isely <isely@pobox.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
index e53a80b..04d3341 100644 (file)
--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
@@ -916,8 +916,12 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel *chp)
        pvr2_v4l2_dev_disassociate_parent(vp->dev_video);
        pvr2_v4l2_dev_disassociate_parent(vp->dev_radio);
        if (!list_empty(&vp->dev_video->devbase.fh_list) ||
-           !list_empty(&vp->dev_radio->devbase.fh_list))
+           (vp->dev_radio &&
+            !list_empty(&vp->dev_radio->devbase.fh_list))) {
+               pvr2_trace(PVR2_TRACE_STRUCT,
+                          "pvr2_v4l2 internal_check exit-empty id=%p", vp);
                return;
+       }
        pvr2_v4l2_destroy_no_lock(vp);
 }
 
@@ -953,7 +957,8 @@ static int pvr2_v4l2_release(struct file *file)
        kfree(fhp);
        if (vp->channel.mc_head->disconnect_flag &&
            list_empty(&vp->dev_video->devbase.fh_list) &&
-           list_empty(&vp->dev_radio->devbase.fh_list)) {
+           (!vp->dev_radio ||
+            list_empty(&vp->dev_radio->devbase.fh_list))) {
                pvr2_v4l2_destroy_no_lock(vp);
        }
        return 0;