From patchwork Fri Jan  5 00:04:17 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brad Love <brad@nextdimension.cc>
X-Patchwork-Id: 10145809
Return-Path: <linux-media-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	F0BEE6034B for <patchwork-linux-media@patchwork.kernel.org>;
	Fri,  5 Jan 2018 00:05:23 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3A30227F82
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri,  5 Jan 2018 00:05:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 2F18C288A2; Fri,  5 Jan 2018 00:05:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D8E6F27F82
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri,  5 Jan 2018 00:05:23 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751276AbeAEAFU (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Thu, 4 Jan 2018 19:05:20 -0500
Received: from hapkido.dreamhost.com ([66.33.216.122]:43542 "EHLO
	hapkido.dreamhost.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751240AbeAEAFS (ORCPT
	<rfc822; linux-media@vger.kernel.org>); Thu, 4 Jan 2018 19:05:18 -0500
Received: from homiemail-a116.g.dreamhost.com (sub5.mail.dreamhost.com
	[208.113.200.129])
	by hapkido.dreamhost.com (Postfix) with ESMTP id 08ABF8ED96
	for <linux-media@vger.kernel.org>;
	Thu,  4 Jan 2018 16:05:18 -0800 (PST)
Received: from homiemail-a116.g.dreamhost.com (localhost [127.0.0.1])
	by homiemail-a116.g.dreamhost.com (Postfix) with ESMTP id
	AC4D560001342; Thu,  4 Jan 2018 16:05:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=nextdimension.cc; h=from
	:to:cc:subject:date:message-id:in-reply-to:references; s=
	nextdimension.cc; bh=C2Dh0ifRB7OYid/wqJyiGWvDKZY=; b=AcA9ck6ms4q
	FxJ172JiuDMdBcquprCxVkuax61xLhflCBbydB5/LaHiJ6ei/D/4lIRtJt9yp/wK
	oyI+U7A4kSHc8YADR7pIGwELF3dxUFrKurb6HAoVzSiCgz9sQsffjjoOUd++/c8O
	6dCubUU6044oyPH9YGERLDvNGCpgwSII=
Received: from localhost.localdomain (66-90-189-166.dyn.grandenetworks.net
	[66.90.189.166])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: brad@nextdimension.ws)
	by homiemail-a116.g.dreamhost.com (Postfix) with ESMTPSA id
	5DD7B60001C0A; Thu,  4 Jan 2018 16:05:17 -0800 (PST)
From: Brad Love <brad@nextdimension.cc>
To: linux-media@vger.kernel.org
Cc: Brad Love <brad@nextdimension.cc>
Subject: [PATCH 7/9] lgdt3306a: Set fe ops.release to NULL if probed
Date: Thu,  4 Jan 2018 18:04:17 -0600
Message-Id: <1515110659-20145-8-git-send-email-brad@nextdimension.cc>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1515110659-20145-1-git-send-email-brad@nextdimension.cc>
References: <1515110659-20145-1-git-send-email-brad@nextdimension.cc>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If release is part of frontend ops then it is called in the
course of dvb_frontend_detach. The process also decrements
the module usage count. The problem is if the lgdt3306a
driver is reached via i2c_new_device, then when it is
eventually destroyed remove is called, which further
decrements the module usage count to negative. After this
occurs the driver is in a bad state and no longer works.
Also fixed by NULLing out the release callback is a double
kfree of state, which introduces arbitrary oopses/GPF.
This problem is only currently reachable via the em28xx driver.

On disconnect of Hauppauge SoloHD before:

lsmod | grep lgdt3306a
lgdt3306a              28672  -1
i2c_mux                16384  1 lgdt3306a

On disconnect of Hauppauge SoloHD after:

lsmod | grep lgdt3306a
lgdt3306a              28672  0
i2c_mux                16384  1 lgdt3306a

Signed-off-by: Brad Love <brad@nextdimension.cc>
---
 drivers/media/dvb-frontends/lgdt3306a.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/dvb-frontends/lgdt3306a.c b/drivers/media/dvb-frontends/lgdt3306a.c
index 6356815..d2477ed 100644
--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@@ -2177,6 +2177,7 @@ static int lgdt3306a_probe(struct i2c_client *client,
 
 	i2c_set_clientdata(client, fe->demodulator_priv);
 	state = fe->demodulator_priv;
+	state->frontend.ops.release = NULL;
 
 	/* create mux i2c adapter for tuner */
 	state->muxc = i2c_mux_alloc(client->adapter, &client->dev,