From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <linux-media-owner@vger.kernel.org>
Received: from gofer.mess.org ([88.97.38.141]:56529 "EHLO gofer.mess.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752297AbeDOJyZ (ORCPT <rfc822;linux-media@vger.kernel.org>);
        Sun, 15 Apr 2018 05:54:25 -0400
From: Sean Young <sean@mess.org>
To: linux-media@vger.kernel.org, Warren Sturm <warren.sturm@gmail.com>,
        Mauro Carvalho Chehab <mchehab@s-opensource.com>
Cc: Andy Walls <awalls.cx18@gmail.com>, stable@vger.kernel.org,
        #@mess.org, v4.15@mess.org
Subject: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
Date: Sun, 15 Apr 2018 10:54:20 +0100
Message-Id: <2bd4184fbea37ecdfcb0a334c6bef45786feb486.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
References: <cover.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
References: <cover.1523785117.git.sean@mess.org>
Sender: linux-media-owner@vger.kernel.org
List-ID: <linux-media.vger.kernel.org>

commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
 ? __schedule+0x247/0x880
 ? get_ir_tx+0x40/0x40 [lirc_zilog]
 kthread+0x113/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ? do_syscall_64+0x74/0x180
 ? SyS_exit_group+0x10/0x10
 ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040
This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
 
 	lirc_init_pdata(node, filep);
 	ir = lirc_get_pdata(filep);
+	get_ir_device(ir, false);
 
 	atomic_inc(&ir->open_count);
 
-- 
2.14.3

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from gofer.mess.org ([88.97.38.141]:47337 "EHLO gofer.mess.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1754718AbeDWMII (ORCPT <rfc822;stable@vger.kernel.org>);
        Mon, 23 Apr 2018 08:08:08 -0400
From: Sean Young <sean@mess.org>
To: kernel-team@lists.ubuntu.com, Warren Sturm <warren.sturm@gmail.com>
Cc: stable@vger.kernel.org, #@mess.org, v4.15@mess.org
Subject: [PATCH stable v4.15 1/3] media: staging: lirc_zilog: broken reference counting
Date: Mon, 23 Apr 2018 13:08:04 +0100
Message-Id: <2bd4184fbea37ecdfcb0a334c6bef45786feb486.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
References: <cover.1523785117.git.sean@mess.org>
In-Reply-To: <cover.1523785117.git.sean@mess.org>
References: <cover.1523785117.git.sean@mess.org>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

commit 615cd3fe6ccc ("[media] media: lirc_dev: make better use of
file->private_data") removed the reference get from open, so on the first
close the reference count hits zero and the lirc device is freed.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: lirc_thread+0x94/0x520 [lirc_zilog]
PGD 22d69c067 P4D 22d69c067 PUD 22d69d067 PMD 0
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 701 Comm: zilog-rx-i2c-7 Tainted: P         C OE    4.15.14-300.fc27.x86_64 #1
Hardware name: Gigabyte Technology Co., Ltd. GA-MA790FXT-UD5P/GA-MA790FXT-UD5P, BIOS F6 08/06/2009
RIP: 0010:lirc_thread+0x94/0x520 [lirc_zilog]
RSP: 0018:ffffb482c131be98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8fdabf056000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff8fdab740af00 R08: ffff8fdacfd214a0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000040 R12: ffffb482c10dba48
R13: ffff8fdabea89e00 R14: ffff8fdab740af00 R15: ffffffffc0b5e500
FS:  0000000000000000(0000) GS:ffff8fdacfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002124c0000 CR4: 00000000000006e0
Call Trace:
 ? __schedule+0x247/0x880
 ? get_ir_tx+0x40/0x40 [lirc_zilog]
 kthread+0x113/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ? do_syscall_64+0x74/0x180
 ? SyS_exit_group+0x10/0x10
 ret_from_fork+0x22/0x40
Code: 20 8b 85 80 00 00 00 85 c0 0f 84 a6 00 00 00 bf 04 01 00 00 e8 ee 34 d4 d7 e8 69 88 56 d7 84 c0 75 69 48 8b 45 18 c6 44 24 37 00 <48> 8b 58 40 4c 8d 6b 18 4c 89 ef e8 fc 4d d4 d7 4c 89 ef 48 89
RIP: lirc_thread+0x94/0x520 [lirc_zilog] RSP: ffffb482c131be98
CR2: 0000000000000040
This code has been replaced completely in kernel v4.16 by a new driver,
see commit acaa34bf06e9 ("media: rc: implement zilog transmitter"), and
commit f95367a7b758 ("media: staging: remove lirc_zilog driver").

Fixes: 615cd3fe6ccc ("[media] media: lirc_dev: make better use of file->private_data")

Cc: stable@vger.kernel.org # v4.15
Reported-by: Warren Sturm <warren.sturm@gmail.com>
Tested-by: Warren Sturm <warren.sturm@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
---
 drivers/staging/media/lirc/lirc_zilog.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/media/lirc/lirc_zilog.c b/drivers/staging/media/lirc/lirc_zilog.c
index 6bd0717bf76e..bf6869e48a0f 100644
--- a/drivers/staging/media/lirc/lirc_zilog.c
+++ b/drivers/staging/media/lirc/lirc_zilog.c
@@ -1291,6 +1291,7 @@ static int open(struct inode *node, struct file *filep)
 
 	lirc_init_pdata(node, filep);
 	ir = lirc_get_pdata(filep);
+	get_ir_device(ir, false);
 
 	atomic_inc(&ir->open_count);
 
-- 
2.14.3