media: lgdt3306a: Set fe ops.release to NULL if probed

If release is part of frontend ops then it is called in the course of dvb_frontend_detach. The process also decrements the module usage count. The problem is if the lgdt3306a driver is reached via i2c_new_device, then when it is eventually destroyed remove is called, which further decrements the module usage count to negative. After this occurs the driver is in a bad state and no longer works. Also fixed by NULLing out the release callback is a double kfree of state, which introduces arbitrary oopses/GPF. This problem is only currently reachable via the em28xx driver. On disconnect of Hauppauge SoloHD before: lsmod | grep lgdt3306a lgdt3306a 28672 -1 i2c_mux 16384 1 lgdt3306a On disconnect of Hauppauge SoloHD after: lsmod | grep lgdt3306a lgdt3306a 28672 0 i2c_mux 16384 1 lgdt3306a Signed-off-by: Brad Love <brad@nextdimension.cc> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2024-11-01 17:08:10 +00:00 · 2018-01-04 19:04:17 -05:00 · 2018-01-04 19:04:17 -05:00 · 5b3a8e9069
commit 5b3a8e9069
parent cc4406d919
1 changed files with 1 additions and 0 deletions
--- a/drivers/media/dvb-frontends/lgdt3306a.c
+++ b/drivers/media/dvb-frontends/lgdt3306a.c
@ -2177,6 +2177,7 @@ static int lgdt3306a_probe(struct i2c_client *client,

 	i2c_set_clientdata(client, fe->demodulator_priv);
 	state = fe->demodulator_priv;
+	state->frontend.ops.release = NULL;

 	/* create mux i2c adapter for tuner */
 	state->muxc = i2c_mux_alloc(client->adapter, &client->dev,