From: Sean Young <sean@mess.org>
To: linux-media@vger.kernel.org,
Warren Sturm <warren.sturm@gmail.com>,
Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Andy Walls <awalls.cx18@gmail.com>,
stable@vger.kernel.org, #@mess.org, v4.15@mess.org
Subject: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
Date: Sun, 15 Apr 2018 10:54:20 +0100 [thread overview]
Message-ID: <2bd4184fbea37ecdfcb0a334c6bef45786feb486.1523785117.git.sean@mess.org> (raw)
In-Reply-To: <cover.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P C OE 4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS: 0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
? __schedule+0x247/0x880
? get_ir_tx+0x40/0x40 [lirc_zilog]
kthread+0x113/0x130
? kthread_create_worker_on_cpu+0x70/0x70
? do_syscall_64+0x74/0x180
? SyS_exit_group+0x10/0x10
ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040
This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").
Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")
Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
drivers/staging/media/lirc/lirc_zilog.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
lirc_init_pdata(node, filep);
ir = lirc_get_pdata(filep);
+ get_ir_device(ir, false);
atomic_inc(&ir->open_count);
--
2.14.3
WARNING: multiple messages have this Message-ID (diff)
From: Sean Young <sean@mess.org>
To: kernel-team@lists.ubuntu.com, Warren Sturm <warren.sturm@gmail.com>
Cc: stable@vger.kernel.org, #@mess.org, v4.15@mess.org
Subject: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
Date: Mon, 23 Apr 2018 13:08:04 +0100 [thread overview]
Message-ID: <2bd4184fbea37ecdfcb0a334c6bef45786feb486.1523785117.git.sean@mess.org> (raw)
In-Reply-To: <cover.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P C OE 4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS: 0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
? __schedule+0x247/0x880
? get_ir_tx+0x40/0x40 [lirc_zilog]
kthread+0x113/0x130
? kthread_create_worker_on_cpu+0x70/0x70
? do_syscall_64+0x74/0x180
? SyS_exit_group+0x10/0x10
ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040
This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").
Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")
Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
drivers/staging/media/lirc/lirc_zilog.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
lirc_init_pdata(node, filep);
ir = lirc_get_pdata(filep);
+ get_ir_device(ir, false);
atomic_inc(&ir->open_count);
--
2.14.3
next prev parent reply other threads:[~2018-04-15 9:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-15 9:54 [PATCH stable v4.15 0/3] lirc_zilog bugs Sean Young
2018-04-15 9:54 ` Sean Young [this message]
2018-04-23 12:08 ` [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting Sean Young
2018-04-16 7:52 ` Greg KH
2018-04-16 8:43 ` Sean Young
2018-04-16 8:50 ` Greg KH
2018-04-16 9:15 ` Sean Young
2018-04-22 9:47 ` Greg KH
2018-04-23 9:04 ` Sean Young
2018-04-23 10:34 ` Mauro Carvalho Chehab
2018-04-23 12:13 ` Sean Young
2018-04-15 9:54 ` [PATCH stable v4.15 2/3] Revert "media: lirc_zilog: driver only sends LIRCCODE" Sean Young
2018-04-23 12:08 ` Sean Young
2018-04-15 9:54 ` [PATCH stable v4.15 3/3] media: staging: lirc_zilog: incorrect reference counting Sean Young
2018-04-23 12:09 ` Sean Young
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2bd4184fbea37ecdfcb0a334c6bef45786feb486.1523785117.git.sean@mess.org \
--to=sean@mess.org \
--cc=#@mess.org \
--cc=awalls.cx18@gmail.com \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@s-opensource.com \
--cc=stable@vger.kernel.org \
--cc=v4.15@mess.org \
--cc=warren.sturm@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.