From 5b3a8e906973540b61dbf402c6b6f8d64d4ae119 Mon Sep 17 00:00:00 2001 From: Brad Love Date: Thu, 4 Jan 2018 19:04:17 -0500 Subject: [PATCH] media: lgdt3306a: Set fe ops.release to NULL if probed If release is part of frontend ops then it is called in the course of dvb_frontend_detach. The process also decrements the module usage count. The problem is if the lgdt3306a driver is reached via i2c_new_device, then when it is eventually destroyed remove is called, which further decrements the module usage count to negative. After this occurs the driver is in a bad state and no longer works. Also fixed by NULLing out the release callback is a double kfree of state, which introduces arbitrary oopses/GPF. This problem is only currently reachable via the em28xx driver. On disconnect of Hauppauge SoloHD before: lsmod | grep lgdt3306a lgdt3306a 28672 -1 i2c_mux 16384 1 lgdt3306a On disconnect of Hauppauge SoloHD after: lsmod | grep lgdt3306a lgdt3306a 28672 0 i2c_mux 16384 1 lgdt3306a Signed-off-by: Brad Love Signed-off-by: Mauro Carvalho Chehab --- drivers/media/dvb-frontends/lgdt3306a.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/dvb-frontends/lgdt3306a.c b/drivers/media/dvb-frontends/lgdt3306a.c index 6356815cf3e1..d2477edae197 100644 --- a/drivers/media/dvb-frontends/lgdt3306a.c +++ b/drivers/media/dvb-frontends/lgdt3306a.c @@ -2177,6 +2177,7 @@ static int lgdt3306a_probe(struct i2c_client *client, i2c_set_clientdata(client, fe->demodulator_priv); state = fe->demodulator_priv; + state->frontend.ops.release = NULL; /* create mux i2c adapter for tuner */ state->muxc = i2c_mux_alloc(client->adapter, &client->dev, -- 2.11.0