提交 5b3a8e90 编写于 作者: B Brad Love 提交者: Mauro Carvalho Chehab

media: lgdt3306a: Set fe ops.release to NULL if probed

If release is part of frontend ops then it is called in the
course of dvb_frontend_detach. The process also decrements
the module usage count. The problem is if the lgdt3306a
driver is reached via i2c_new_device, then when it is
eventually destroyed remove is called, which further
decrements the module usage count to negative. After this
occurs the driver is in a bad state and no longer works.
Also fixed by NULLing out the release callback is a double
kfree of state, which introduces arbitrary oopses/GPF.
This problem is only currently reachable via the em28xx driver.

On disconnect of Hauppauge SoloHD before:

lsmod | grep lgdt3306a
lgdt3306a              28672  -1
i2c_mux                16384  1 lgdt3306a

On disconnect of Hauppauge SoloHD after:

lsmod | grep lgdt3306a
lgdt3306a              28672  0
i2c_mux                16384  1 lgdt3306a
Signed-off-by: NBrad Love <brad@nextdimension.cc>
Signed-off-by: NMauro Carvalho Chehab <mchehab@s-opensource.com>
上级 cc4406d9
......@@ -2177,6 +2177,7 @@ static int lgdt3306a_probe(struct i2c_client *client,
i2c_set_clientdata(client, fe->demodulator_priv);
state = fe->demodulator_priv;
state->frontend.ops.release = NULL;
/* create mux i2c adapter for tuner */
state->muxc = i2c_mux_alloc(client->adapter, &client->dev,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册