From: Antti Palosaari <crope@iki.fi>
To: Benjamin Larsson <benjamin@southpole.se>,
Akihiro TSUKADA <tskd08@gmail.com>,
linux-media@vger.kernel.org
Subject: Re: Random memory corruption of fe[1]->dvb pointer
Date: Tue, 02 Dec 2014 12:59:30 +0200 [thread overview]
Message-ID: <547D9B92.8060900@iki.fi> (raw)
In-Reply-To: <547D976D.2040205@southpole.se>
On 12/02/2014 12:41 PM, Benjamin Larsson wrote:
> On 2014-12-02 11:02, Antti Palosaari wrote:
>>
>>
>> On 12/02/2014 11:47 AM, Akihiro TSUKADA wrote:
>>>> So at first it would be nice if someone could confirm my findings.
>>>> Applying the same kind of code like my patch and unplug something that
>>>> uses the affected frontend should be enough.
>>>
>>> I tried that for tc90522, and I could remove earth-pt3
>>> (which uses tc90522), tc90522 and tuner modules without any problem,
>>> although earth-pt3 is a pci driver and does not use dvb-usb-v2.
>>>
>>>> From your log(?) output,
>>> I guess that rtl28xxu_exit() removed the attached demod module
>>> (mn88472) and thus free'ed fe BEFORE calling dvb_usbv2_exit(),
>>> from where dvb_unregister_frontend(fe) is called.
>>> I think that the demod i2c device is removed automatically by
>>> dvb_usbv2_i2c_exit() in dvb_usbv2_exit(), if you registered
>>> the demod i2c device, and your adapter/bridge driver
>>> should not try to remove it.
>>
>> Yes. You must unregister frontend before you remove driver. I have
>> already added new callbacks detach tuner and frontend to avoid that,
>> but there was yet again new issue as it removes rtl2832 demod driver
>> first and mn88472 slave demod was put to i2c bus / adapter which is
>> owned by rtl2832. So it will crash too. Solution is to convert rtl2832
>> to I2C binding (or convert mn88472 legacy DVB binding (which I don't
>> allow :)). When rtl2832 driver is converted to I2C model it is not
>> unloaded automatically and you could remove those in a correct order.
>>
>> But hey, mn88472 is still on staging :D
>>
>> regards
>> Antti
>>
>
> So the solution is to change rtl2832.c to the I2C model? And does this
> issue only affect the mn8847x drivers ?
It likely affects some other dvb-usb-v2 drivers too. But not af9035 as I
fixed it initially there I think.
> If this is the case would a patch that does not free the buffer but
> leaks the memory be ok ? I can add a todo item and log it in syslog.
> That would for sure be better then crashing the subsystem and the driver
> is still in staging for a reason.
Maybe yes, but it does not sound absolute any good. I think you will
need to set FE pointer NULL after driver is removed. Then unregister
frontend will not call members of that struct anymore, but leak memory?
regards
Antti
--
http://palosaari.fi/
next prev parent reply other threads:[~2014-12-02 10:59 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-30 23:47 Random memory corruption of fe[1]->dvb pointer Benjamin Larsson
2014-12-01 23:30 ` Benjamin Larsson
2014-12-02 9:47 ` Akihiro TSUKADA
2014-12-02 10:02 ` Antti Palosaari
2014-12-02 10:41 ` Benjamin Larsson
2014-12-02 10:59 ` Antti Palosaari [this message]
2014-12-02 11:52 ` Benjamin Larsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=547D9B92.8060900@iki.fi \
--to=crope@iki.fi \
--cc=benjamin@southpole.se \
--cc=linux-media@vger.kernel.org \
--cc=tskd08@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).