From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
To: Benjamin Larsson <benjamin@southpole.se>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
	"Jörg Otte" <jrg.otte@gmail.com>,
	"Patrick Boettcher" <patrick.boettcher@posteo.de>,
	"Mauro Carvalho Chehab" <mchehab@kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
	"Linux Media Mailing List" <linux-media@vger.kernel.org>
Subject: Re: [v4.9-rc4] dvb-usb/cinergyT2 NULL pointer dereference
Date: Tue, 8 Nov 2016 19:38:34 -0200
Message-ID: <20161108193834.4b90145b@vento.lan>
In-Reply-To: <354bc87c-79a1-bb37-6225-988c8fa429a5@southpole.se>

On Tue, 8 Nov 2016 22:15:24 +0100
Benjamin Larsson <benjamin@southpole.se> wrote:

> On 11/08/2016 09:22 PM, Mauro Carvalho Chehab wrote:
> > On Tue, 8 Nov 2016 10:42:03 -0800
> > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> >
> >> On Sun, Nov 6, 2016 at 7:40 AM, Jörg Otte <jrg.otte@gmail.com> wrote:
> >>> Since v4.9-rc4 I get the following crash in the dvb-usb-cinergyT2 module.
> >>
> >> Looks like it's commit 5ef8ed0e5608f ("[media] cinergyT2-core: don't
> >> do DMA on stack"), which moved the DMA data array from the stack to
> >> the "private" pointer. In the process it also added serialization in
> >> the form of "data_mutex", and now it oopses on that mutex because
> >> the private pointer is NULL.
> >>
> >> It looks like the "->private" pointer is allocated in dvb_usb_adapter_init()
> >>
> >> cinergyt2_usb_probe ->
> >>   dvb_usb_device_init ->
> >>     dvb_usb_init() ->
> >>       dvb_usb_adapter_init()
> >>
> >> but the dvb_usb_init() function calls dvb_usb_device_power_ctrl()
> >> (which calls the "power_ctrl" function, which is
> >> cinergyt2_power_ctrl() for that driver) *before* it initializes the
> >> private field.
> >>
> >> Mauro, Patrick, could dvb_usb_adapter_init() be called earlier, perhaps?
> >
> > Calling it earlier won't work, as we need to load the firmware before
> > sending the power control commands on some devices.
> >
> > Probably the best here is to pass an extra optional function parameter
> > that will initialize the mutex before calling any functions.
> >
> > Btw, if it broke here, the DMA fixes will likely break on other drivers.
> > So, after Jörg tests this patch, I'll work on a patch series addressing
> > this issue on the other drivers I touched.
> >
> > Regards,
> > Mauro
> 
> Just for reference I got the following call trace a week ago. It looks
> like this confirms that other drivers are affected also.

Yeah, I avoided serializing the logic that detects if the firmware is
loaded, but forgot that the power control had the same issue. The
newer dvb usb drivers use the dvb-usb-v2, so I didn't touch this
code for a while.

I'll need to review all touched drivers to be sure that they'll all
do the right thing. The good news is that it will likely simplify
the drivers' logic a little bit.

Thanks,
Mauro
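As an added illustration (not code from this thread or from the kernel), a small user-space C model of the init ordering Linus describes: the driver's power_ctrl callback needs state that only dvb_usb_adapter_init() allocates, and the fix Mauro proposes is an optional hook that initialises that state before any driver callback runs. The names model_power_ctrl, model_alloc_priv, init_priv, data_mutex_ready and dev_setup are assumed stand-ins; the kernel mutex and the NULL dereference are modelled as a flag and an error return.

```c
#include <stdlib.h>

/* Model of the driver state that 5ef8ed0e5608f moved from the stack to ->private. */
struct cinergyt2_state {
	int data_mutex_ready;      /* stands in for the kernel's struct mutex */
	unsigned char data[64];    /* the DMA-safe command buffer */
};

struct dvb_usb_device {
	void *priv;                                          /* ->private in the kernel */
	int (*power_ctrl)(struct dvb_usb_device *d, int on); /* cinergyt2_power_ctrl() */
	int (*init_priv)(struct dvb_usb_device *d);          /* hypothetical extra hook */
};

/* Driver callback: takes priv->data_mutex. In the kernel, priv == NULL here oopses. */
static int model_power_ctrl(struct dvb_usb_device *d, int on)
{
	struct cinergyt2_state *st = d->priv;
	if (!st || !st->data_mutex_ready)
		return -1;             /* models the NULL dereference / uninitialised mutex */
	st->data[0] = on ? 1 : 0;
	return 0;
}

/* Stands in for the allocation the kernel does in dvb_usb_adapter_init(). */
static int model_alloc_priv(struct dvb_usb_device *d)
{
	struct cinergyt2_state *st = calloc(1, sizeof(*st));
	if (!st) return -1;
	st->data_mutex_ready = 1;  /* mutex_init(&st->data_mutex) */
	d->priv = st;
	return 0;
}

/* Order from the report: power_ctrl runs before adapter_init allocates priv. */
int dvb_usb_init_broken(struct dvb_usb_device *d)
{
	int ret = d->power_ctrl(d, 1);      /* d->priv is still NULL here */
	return ret ? ret : model_alloc_priv(d);
}

/* Order with the optional init hook, called before any other driver callback. */
int dvb_usb_init_fixed(struct dvb_usb_device *d)
{
	if (d->init_priv && d->init_priv(d))
		return -1;
	return d->power_ctrl(d, 1);
}

/* Constructed device wiring both callbacks; priv starts NULL as in the probe path. */
void dev_setup(struct dvb_usb_device *d)
{
	*d = (struct dvb_usb_device){ NULL, model_power_ctrl, model_alloc_priv };
}
```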
