From e65f8c4e3eef3a0946f8e8fba1fb6aabde734f50 Mon Sep 17 00:00:00 2001 
From: Guy Martin Date: Fri, 7 May 2010 04:34:40 -0300 Subject: V4L/DVB: stv6110x: Fix kernel null pointer deref The following OOPS happened when plugging two TT s2-1600: [ 96.521023] saa7146: register extension 'budget dvb'. [ 96.521052] budget dvb 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 [ 96.521070] IRQ 16/: IRQF_DISABLED is not guaranteed on shared IRQs [ 96.521076] saa7146: found saa7146 @ mem ffffc90011182c00 (revision 1, irq 16) (0x13c2,0x101c). [ 96.521080] saa7146 (0): dma buffer size 192512 [ 96.521081] DVB: registering new adapter (TT-Budget S2-1600 PCI) [ 96.539929] adapter has MAC addr = 00:d0:5c:cc:b0:a2 [ 96.890149] stv6110x_attach: Attaching STV6110x [ 96.912516] DVB: registering adapter 0 frontend 0 (STV090x Multistandard)... [ 96.912600] budget dvb 0000:05:01.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17 [ 96.912639] IRQ 17/: IRQF_DISABLED is not guaranteed on shared IRQs [ 96.912667] saa7146: found saa7146 @ mem ffffc90011314800 (revision 1, irq 17) (0x13c2,0x101c). 
[ 96.912673] saa7146 (1): dma buffer size 192512 [ 96.912676] DVB: registering new adapter (TT-Budget S2-1600 PCI) [ 96.930893] adapter has MAC addr = 00:d0:5c:cc:b0:a3 [ 97.233478] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 [ 97.233647] IP: [] stv6110x_set_mode+0x70/0x80 [stv6110x] [ 97.233753] PGD 3c16f067 PUD 3c383067 PMD 0 [ 97.234147] CPU 0 [ 97.234246] Pid: 5200, comm: modprobe Not tainted 2.6.33.2 #1 P5QSE/P5Q SE [ 97.234317] RIP: 0010:[] [] stv6110x_set_mode+0x70/0x80 [stv6110x] [ 97.234456] RSP: 0018:ffff88003c125c98 EFLAGS: 00010246 [ 97.234461] RAX: ffffffffa029c460 RBX: ffff88003f84d800 RCX: ffff88003a19e140 [ 97.234461] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 97.234461] RBP: ffff88003f84d828 R08: 0000000000000002 R09: 0000000000000004 [ 97.234461] R10: 0000000000000003 R11: 0000000000000010 R12: ffff88003f84d800 [ 97.234461] R13: ffff88003f84d828 R14: ffff88003f84d828 R15: 0000000000000001 [ 97.234461] FS: 00007f9f7253e6f0(0000) GS:ffff880001800000(0000) knlGS:0000000000000000 [ 97.234461] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 97.234461] CR2: 0000000000000010 CR3: 000000003c382000 CR4: 00000000000006b0 [ 97.234461] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 97.234461] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 97.234461] Process modprobe (pid: 5200, threadinfo ffff88003c124000, task ffff88003e893ac0) [ 97.234461] ffff88003f84d800 ffff88003f84d828 ffff88003f84d800 ffffffffa0292343 [ 97.234461] <0> ffff88003f84d828 ffff88003ef70ae0 ffffffffa0280800 ffffffffa02934d2 [ 97.234461] <0> ffffffffa0295260 0000000000000000 ffffffffa02948b0 ffff88003df79800 [ 97.234461] [] ? stv090x_sleep+0x33/0x120 [stv090x] [ 97.234461] [] ? stv090x_attach+0x1e2/0x73c [stv090x] [ 97.234461] [] ? dma_generic_alloc_coherent+0xa5/0x160 [ 97.234461] [] ? saa7146_init_one+0x7d5/0x910 [saa7146] [ 97.234461] [] ? local_pci_probe+0x12/0x20 [ 97.234461] [] ? 
pci_device_probe+0x110/0x120 [ 97.234461] [] ? driver_probe_device+0x98/0x1b0 [ 97.234461] [] ? __driver_attach+0x93/0xa0 [ 97.234461] [] ? __driver_attach+0x0/0xa0 [ 97.234461] [] ? bus_for_each_dev+0x58/0x80 [ 97.234461] [] ? bus_add_driver+0x14d/0x280 [ 97.234461] [] ? budget_init+0x0/0xc [budget] [ 97.234461] [] ? driver_register+0x79/0x170 [ 97.234461] [] ? budget_init+0x0/0xc [budget] [ 97.234461] [] ? __pci_register_driver+0x58/0xe0 [ 97.234461] [] ? budget_init+0x0/0xc [budget] [ 97.234461] [] ? do_one_initcall+0x35/0x190 [ 97.234461] [] ? sys_init_module+0xe7/0x260 [ 97.234461] [] ? system_call_fastpath+0x16/0x1b [ 97.234461] RIP [] stv6110x_set_mode+0x70/0x80 [stv6110x] [ 97.234461] RSP [ 97.240074] ---[ end trace b53ecbbbbef15e99 ]--- Prevents calling stv6110x_set_mode() if fe->tuner_priv is not defined, in order to avoid the above bug. Signed-off-by: Guy Martin Signed-off-by: Mauro Carvalho Chehab
diff --git a/drivers/media/dvb/frontends/stv6110x.c b/drivers/media/dvb/frontends/stv6110x.c
index 42591ce..f36cab1 100644
--- a/drivers/media/dvb/frontends/stv6110x.c
+++ b/drivers/media/dvb/frontends/stv6110x.c
@@ -303,7 +303,10 @@ static int stv6110x_set_mode(struct dvb_frontend *fe, enum tuner_mode mode)
 
 static int stv6110x_sleep(struct dvb_frontend *fe)
 {
- return stv6110x_set_mode(fe, TUNER_SLEEP);
+ if (fe->tuner_priv)
+ return stv6110x_set_mode(fe, TUNER_SLEEP);
+
+ return 0;
 }
 
 static int stv6110x_get_status(struct dvb_frontend *fe, u32 *status)
-- 
cgit v0.10.2
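Review bot: The new `fe->tuner_priv` check guards only `stv6110x_sleep()`, while the oops in the commit message faults inside `stv6110x_set_mode()`, whose body lies outside this hunk. Any other path that reaches `stv6110x_set_mode()` or another tuner callback before the private state exists would presumably still dereference NULL, so the test may belong at the top of `stv6110x_set_mode()` instead. If it stays here, it needs a comment saying why the pointer can be unset, for example `/* tuner_priv may still be NULL if the demod calls sleep before the tuner is attached (see stv090x_attach in the trace) */`. Returning 0 on that path also reports a sleep that never happened, which hides the attach-ordering problem from the caller. A debug-level message there, or a distinct return code if callers tolerate one, would keep it visible.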