media: lgdt3306a: Set fe ops.release to NULL if probed
author Brad Love <brad@nextdimension.cc>
Fri, 5 Jan 2018 00:04:17 +0000 (19:04 -0500)
committer Mauro Carvalho Chehab <mchehab@s-opensource.com>
Tue, 6 Mar 2018 09:35:28 +0000 (04:35 -0500)
If release is part of frontend ops then it is called in the
course of dvb_frontend_detach. The process also decrements
the module usage count. The problem is if the lgdt3306a
driver is reached via i2c_new_device, then when it is
eventually destroyed remove is called, which further
decrements the module usage count to negative. After this
occurs the driver is in a bad state and no longer works.
Also fixed by NULLing out the release callback is a double
kfree of state, which introduces arbitrary oopses/GPF.
This problem is only currently reachable via the em28xx driver.

On disconnect of Hauppauge SoloHD before:

lsmod | grep lgdt3306a
lgdt3306a              28672  -1
i2c_mux                16384  1 lgdt3306a

On disconnect of Hauppauge SoloHD after:

lsmod | grep lgdt3306a
lgdt3306a              28672  0
i2c_mux                16384  1 lgdt3306a

Signed-off-by: Brad Love <brad@nextdimension.cc>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/dvb-frontends/lgdt3306a.c

index 6356815..d2477ed 100644 (file)
@@ -2177,6 +2177,7 @@ static int lgdt3306a_probe(struct i2c_client *client,
 
        i2c_set_clientdata(client, fe->demodulator_priv);
        state = fe->demodulator_priv;
+       state->frontend.ops.release = NULL;
 
        /* create mux i2c adapter for tuner */
        state->muxc = i2c_mux_alloc(client->adapter, &client->dev,
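
Review bot: the added `state->frontend.ops.release = NULL;` in lgdt3306a_probe carries no comment, so a reader of the probe function cannot tell why the release callback is dropped on this path without going back to the commit message. Suggest a short comment directly above it stating that for devices created through i2c_new_device the state is torn down in remove, so release must not also run from dvb_frontend_detach, where it would decrement the module usage count a second time and kfree state twice. It would also help to note there that the assignment is unconditional and applies to every i2c-probed instance, since the commit message says only em28xx reaches this path today.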