media: pvrusb2: Fix oops on tear-down when radio support is not present

In some device configurations there's no radio or radio support in the
driver.  That's OK, as the driver sets itself up accordingly.  However
on tear-down in these caes it's still trying to tear down radio
related context when there isn't anything there, leading to
dereferences through a null pointer and chaos follows.

How this bug survived unfixed for 11 years in the pvrusb2 driver is a
mystery to me.

[hverkuil: fix two checkpatch warnings]

Signed-off-by: Mike Isely <isely@pobox.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
index a34717e..eaa08c7 100644 (file)
--- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c
@@ -898,8 +898,12 @@ static void pvr2_v4l2_internal_check(struct pvr2_channel *chp)
        pvr2_v4l2_dev_disassociate_parent(vp->dev_video);
        pvr2_v4l2_dev_disassociate_parent(vp->dev_radio);
        if (!list_empty(&vp->dev_video->devbase.fh_list) ||
-           !list_empty(&vp->dev_radio->devbase.fh_list))
+           (vp->dev_radio &&
+            !list_empty(&vp->dev_radio->devbase.fh_list))) {
+               pvr2_trace(PVR2_TRACE_STRUCT,
+                          "pvr2_v4l2 internal_check exit-empty id=%p", vp);
                return;
+       }
        pvr2_v4l2_destroy_no_lock(vp);
 }
 
@@ -935,7 +939,8 @@ static int pvr2_v4l2_release(struct file *file)
        kfree(fhp);
        if (vp->channel.mc_head->disconnect_flag &&
            list_empty(&vp->dev_video->devbase.fh_list) &&
-           list_empty(&vp->dev_radio->devbase.fh_list)) {
+           (!vp->dev_radio ||
+            list_empty(&vp->dev_radio->devbase.fh_list))) {
                pvr2_v4l2_destroy_no_lock(vp);
        }
        return 0;