From: Greg Kroah-Hartman Date: Fri, 28 Apr 2017 07:59:23 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.4.65~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=caf5a521dd7e7f9beea86a650be5fb78f7f9130e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ping-implement-proper-locking.patch staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch vfio-pci-fix-integer-overflows-bitmask-check.patch xc2028-avoid-use-after-free.patch
---
diff --git a/queue-3.18/ping-implement-proper-locking.patch b/queue-3.18/ping-implement-proper-locking.patch
new file mode 100644
index 00000000000..7ceb56815fe
--- /dev/null
+++ b/queue-3.18/ping-implement-proper-locking.patch
@@ -0,0 +1,55 @@
+From 43a6684519ab0a6c52024b5e25322476cabad893 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+
+From: Eric Dumazet
+
+commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet
+Reported-by: Daniel Jiang
+Reported-by: Solar Designer
+Reported-by: Andrey Konovalov
+Signed-off-by: David S. Miller
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -154,17 +154,18 @@ void ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ struct inet_sock *isk = inet_sk(sk);
++
+ pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++ write_lock_bh(&ping_table.lock);
+ if (sk_hashed(sk)) {
+- write_lock_bh(&ping_table.lock);
+ hlist_nulls_del(&sk->sk_nulls_node);
+ sk_nulls_node_init(&sk->sk_nulls_node);
+ sock_put(sk);
+ isk->inet_num = 0;
+ isk->inet_sport = 0;
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+- write_unlock_bh(&ping_table.lock);
+ }
++ write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+
diff --git a/queue-3.18/series b/queue-3.18/series
index 69e4c87e866..568813f6580 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
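Review bot: Nothing in ping_unhash() records why `sk_hashed(sk)` must now be tested inside `ping_table.lock`, so a later cleanup could move the check back outside the lock and reopen the race. The commit message gives the reason (->disconnect() reaches this function without the socket lock held), which means the hashed test and the unhash must be one atomic step against a concurrent caller. A short comment above the new `write_lock_bh()` call would preserve that, for example `/* ->disconnect() may get here without the socket lock: test sk_hashed() under ping_table.lock */`.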
@@ -42,3 +42,7 @@ aic94xx-skip-reading-user-settings-if-flash-is-not-found.patch mips-ralink-cosmetic-change-to-prom_init.patch kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch arm-8383-1-nommu-avoid-deprecated-source-register-on-mov.patch
+xc2028-avoid-use-after-free.patch
+vfio-pci-fix-integer-overflows-bitmask-check.patch
+staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch
+ping-implement-proper-locking.patch
diff --git a/queue-3.18/staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch b/queue-3.18/staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch
new file mode 100644
index 00000000000..7dec84cf9e5
--- /dev/null
+++ b/queue-3.18/staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch
@@ -0,0 +1,177 @@
+From 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 Mon Sep 17 00:00:00 2001
+From: EunTaik Lee
+Date: Wed, 24 Feb 2016 04:38:06 +0000
+Subject: staging/android/ion : fix a race condition in the ion driver
+
+From: EunTaik Lee
+
+commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7 upstream.
+
+There is a use-after-free problem in the ion driver.
+This is caused by a race condition in the ion_ioctl()
+function.
+
+A handle has ref count of 1 and two tasks on different
+cpus calls ION_IOC_FREE simultaneously.
+
+cpu 0 cpu 1
+-------------------------------------------------------
+ion_handle_get_by_id()
+(ref == 2)
+ ion_handle_get_by_id()
+ (ref == 3)
+
+ion_free()
+(ref == 2)
+
+ion_handle_put()
+(ref == 1)
+
+ ion_free()
+ (ref == 0 so ion_handle_destroy() is
+ called
+ and the handle is freed.)
+
+ ion_handle_put() is called and it
+ decreases the slub's next free pointer
+
+The problem is detected as an unaligned access in the
+spin lock functions since it uses load exclusive
+ instruction. In some cases it corrupts the slub's
+free pointer which causes a mis-aligned access to the
+next free pointer.(kmalloc returns a pointer like
+ffffc0745b4580aa). And it causes lots of other
+hard-to-debug problems.
+
+This symptom is caused since the first member in the
+ion_handle structure is the reference count and the
+ion driver decrements the reference after it has been
+freed.
+
+To fix this problem client->lock mutex is extended
+to protect all the codes that uses the handle.
+
+Signed-off-by: Eun Taik Lee
+Reviewed-by: Laura Abbott
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+index 7ff2a7ec871f..33b390e7ea31
+---
+ drivers/staging/android/ion/ion.c | 55 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 42 insertions(+), 13 deletions(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -389,13 +389,22 @@ static void ion_handle_get(struct ion_ha
+ kref_get(&handle->ref);
+ }
+
+-static int ion_handle_put(struct ion_handle *handle)
++static int ion_handle_put_nolock(struct ion_handle *handle)
++{
++ int ret;
++
++ ret = kref_put(&handle->ref, ion_handle_destroy);
++
++ return ret;
++}
++
++int ion_handle_put(struct ion_handle *handle)
+ {
+ struct ion_client *client = handle->client;
+ int ret;
+
+ mutex_lock(&client->lock);
+- ret = kref_put(&handle->ref, ion_handle_destroy);
++ ret = ion_handle_put_nolock(handle);
+ mutex_unlock(&client->lock);
+
+ return ret;
+@@ -419,20 +428,30 @@ static struct ion_handle *ion_handle_loo
+ return ERR_PTR(-EINVAL);
+ }
+
+-static struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
++static struct ion_handle *ion_handle_get_by_id_nolock(struct ion_client *client,
+ int id)
+ {
+ struct ion_handle *handle;
+
+- mutex_lock(&client->lock);
+ handle = idr_find(&client->idr, id);
+ if (handle)
+ ion_handle_get(handle);
+- mutex_unlock(&client->lock);
+
+ return handle ? handle : ERR_PTR(-EINVAL);
+ }
+
++struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
++ int id)
++{
++ struct ion_handle *handle;
++
++ mutex_lock(&client->lock);
++ handle = ion_handle_get_by_id_nolock(client, id);
++ mutex_unlock(&client->lock);
++
++ return handle;
++}
++
+ static bool ion_handle_validate(struct ion_client *client,
+ struct ion_handle *handle)
+ {
+@@ -534,22 +553,28 @@ struct ion_handle *ion_alloc(struct ion_
+ }
+ EXPORT_SYMBOL(ion_alloc);
+
+-void ion_free(struct ion_client *client, struct ion_handle *handle)
++static void ion_free_nolock(struct ion_client *client, struct ion_handle *handle)
+ {
+ bool valid_handle;
+
+ BUG_ON(client != handle->client);
+
+- mutex_lock(&client->lock);
+ valid_handle = ion_handle_validate(client, handle);
+
+ if (!valid_handle) {
+ WARN(1, "%s: invalid handle passed to free.\n", __func__);
+- mutex_unlock(&client->lock);
+ return;
+ }
++ ion_handle_put_nolock(handle);
++}
++
++void ion_free(struct ion_client *client, struct ion_handle *handle)
++{
++ BUG_ON(client != handle->client);
++
++ mutex_lock(&client->lock);
++ ion_free_nolock(client, handle);
+ mutex_unlock(&client->lock);
+- ion_handle_put(handle);
+ }
+ EXPORT_SYMBOL(ion_free);
+
+@@ -1278,11 +1303,15 @@ static long ion_ioctl(struct file *filp,
+ {
+ struct ion_handle *handle;
+
+- handle = ion_handle_get_by_id(client, data.handle.handle);
+- if (IS_ERR(handle))
++ mutex_lock(&client->lock);
++ handle = ion_handle_get_by_id_nolock(client, data.handle.handle);
++ if (IS_ERR(handle)) {
++ mutex_unlock(&client->lock);
+ return PTR_ERR(handle);
+- ion_free(client, handle);
+- ion_handle_put(handle);
++ }
++ ion_free_nolock(client, handle);
++ ion_handle_put_nolock(handle);
++ mutex_unlock(&client->lock);
+ break;
+ }
+ case ION_IOC_SHARE:
diff --git a/queue-3.18/vfio-pci-fix-integer-overflows-bitmask-check.patch b/queue-3.18/vfio-pci-fix-integer-overflows-bitmask-check.patch
new file mode 100644
index 00000000000..ec29d9a9bd5
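Review bot: The three new `_nolock` helpers (`ion_handle_put_nolock`, `ion_handle_get_by_id_nolock`, `ion_free_nolock`) are only safe when the caller already holds `client->lock`, but nothing in the code states or checks that, so a future caller that omits the mutex would bring back the use-after-free described in the commit message. Adding `lockdep_assert_held(&client->lock);` at the top of `ion_handle_get_by_id_nolock()` and `ion_free_nolock()`, and `lockdep_assert_held(&handle->client->lock);` in `ion_handle_put_nolock()`, would document and enforce the precondition on lockdep builds. The same hunks drop `static` from `ion_handle_put()` and `ion_handle_get_by_id()` although the diffstat touches only ion.c and no declaration is visible; unless a prototype exists elsewhere, they should probably stay `static`. `ion_free()` also now evaluates `BUG_ON(client != handle->client)` twice, once in the wrapper and once in `ion_free_nolock()`.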
--- /dev/null
+++ b/queue-3.18/vfio-pci-fix-integer-overflows-bitmask-check.patch
@@ -0,0 +1,100 @@
+From 05692d7005a364add85c6e25a6c4447ce08f913a Mon Sep 17 00:00:00 2001
+From: Vlad Tsyrklevich
+Date: Wed, 12 Oct 2016 18:51:24 +0200
+Subject: vfio/pci: Fix integer overflows, bitmask check
+
+From: Vlad Tsyrklevich
+
+commit 05692d7005a364add85c6e25a6c4447ce08f913a upstream.
+
+The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
+user-supplied integers, potentially allowing memory corruption. This
+patch adds appropriate integer overflow checks, checks the range bounds
+for VFIO_IRQ_SET_DATA_NONE, and also verifies that only single element
+in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
+VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
+vfio_pci_set_irqs_ioctl().
+
+Furthermore, a kzalloc is changed to a kcalloc because the use of a
+kzalloc with an integer multiplication allowed an integer overflow
+condition to be reached without this patch. kcalloc checks for overflow
+and should prevent a similar occurrence.
+
+Signed-off-by: Vlad Tsyrklevich
+Signed-off-by: Alex Williamson
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/pci/vfio_pci.c | 35 ++++++++++++++++++++++-------------
+ drivers/vfio/pci/vfio_pci_intrs.c | 2 +-
+ 2 files changed, 23 insertions(+), 14 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci.c
++++ b/drivers/vfio/pci/vfio_pci.c
+@@ -489,8 +489,9 @@ static long vfio_pci_ioctl(void *device_
+
+ } else if (cmd == VFIO_DEVICE_SET_IRQS) {
+ struct vfio_irq_set hdr;
++ size_t size;
+ u8 *data = NULL;
+- int ret = 0;
++ int max, ret = 0;
+
+ minsz = offsetofend(struct vfio_irq_set, count);
+
+@@ -498,23 +499,31 @@ static long vfio_pci_ioctl(void *device_
+ return -EFAULT;
+
+ if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
++ hdr.count >= (U32_MAX - hdr.start) ||
+ hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
+ VFIO_IRQ_SET_ACTION_TYPE_MASK))
+ return -EINVAL;
+
+- if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
+- size_t size;
+- int max = vfio_pci_get_irq_count(vdev, hdr.index);
+-
+- if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
+- size = sizeof(uint8_t);
+- else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
+- size = sizeof(int32_t);
+- else
+- return -EINVAL;
++ max = vfio_pci_get_irq_count(vdev, hdr.index);
++ if (hdr.start >= max || hdr.start + hdr.count > max)
++ return -EINVAL;
++
++ switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
++ case VFIO_IRQ_SET_DATA_NONE:
++ size = 0;
++ break;
++ case VFIO_IRQ_SET_DATA_BOOL:
++ size = sizeof(uint8_t);
++ break;
++ case VFIO_IRQ_SET_DATA_EVENTFD:
++ size = sizeof(int32_t);
++ break;
++ default:
++ return -EINVAL;
++ }
+
+- if (hdr.argsz - minsz < hdr.count * size ||
+- hdr.start >= max || hdr.start + hdr.count > max)
++ if (size) {
++ if (hdr.argsz - minsz < hdr.count * size)
+ return -EINVAL;
+
+ data = memdup_user((void __user *)(arg + minsz),
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -466,7 +466,7 @@ static int vfio_msi_enable(struct vfio_p
+ if (!is_irq_none(vdev))
+ return -EINVAL;
+
+- vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
++ vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+ if (!vdev->ctx)
+ return -ENOMEM;
+
diff --git a/queue-3.18/xc2028-avoid-use-after-free.patch b/queue-3.18/xc2028-avoid-use-after-free.patch
new file mode 100644
index 00000000000..df0889d826f
--- /dev/null
+++ b/queue-3.18/xc2028-avoid-use-after-free.patch
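Review bot: `max` is declared `int` but is compared with the `u32` fields in `hdr.start >= max || hdr.start + hdr.count > max`, so the comparison happens in unsigned arithmetic. If `vfio_pci_get_irq_count()` (not shown in this patch) can ever return a negative value, the bound becomes very large and the range check would accept almost any start/count pair. Making the guard explicit, `if (max <= 0 || hdr.start >= max || hdr.start + hdr.count > max)`, removes the dependence on that helper's return contract. A comment should also say that this range check must stay ahead of `hdr.count * size`, because it is what bounds `hdr.count` before the multiplication. The VFIO_DEVICE_SET_IRQS branch of `vfio_pci_ioctl()` continues past the end of the hunk.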
@@ -0,0 +1,164 @@
+From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Thu, 28 Jan 2016 09:22:44 -0200
+Subject: [media] xc2028: avoid use after free
+
+From: Mauro Carvalho Chehab
+
+commit 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 upstream.
+
+If struct xc2028_config is passed without a firmware name,
+the following trouble may happen:
+
+[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
+[11009.907491] ==================================================================
+[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
+[11009.907992] Read of size 1 by task modprobe/28992
+[11009.907994] =============================================================================
+[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
+[11009.907999] -----------------------------------------------------------------------------
+
+[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
+[11009.908012] ___slab_alloc+0x581/0x5b0
+[11009.908014] __slab_alloc+0x51/0x90
+[11009.908017] __kmalloc+0x27b/0x350
+[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
+[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
+[11009.908029] usb_submit_urb+0xb0e/0x1200
+[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
+[11009.908035] usb_serial_generic_write+0x92/0xc0
+[11009.908039] usb_console_write+0x38a/0x560
+[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
+[11009.908051] console_unlock+0x40d/0x900
+[11009.908056] vprintk_emit+0x4b4/0x830
+[11009.908061] vprintk_default+0x1f/0x30
+[11009.908064] printk+0x99/0xb5
+[11009.908067] kasan_report_error+0x10a/0x550
+[11009.908070] __asan_report_load1_noabort+0x43/0x50
+[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
+[11009.908077] __slab_free+0x2ec/0x460
+[11009.908080] kfree+0x266/0x280
+[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
+[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
+[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
+[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
+[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
+[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
+[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
+[11009.908108] do_one_initcall+0x141/0x300
+[11009.908111] do_init_module+0x1d0/0x5ad
+[11009.908114] load_module+0x6666/0x9ba0
+[11009.908117] SyS_finit_module+0x108/0x130
+[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
+[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
+[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
+
+[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
+[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
+[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
+[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
+[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
+[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
+[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
+[11009.908158] Call Trace:
+[11009.908162] [] dump_stack+0x4b/0x64
+[11009.908165] [] print_trailer+0xf9/0x150
+[11009.908168] [] object_err+0x34/0x40
+[11009.908171] [] kasan_report_error+0x230/0x550
+[11009.908175] [] ? trace_hardirqs_off_caller+0x21/0x290
+[11009.908179] [] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908182] [] __asan_report_load1_noabort+0x43/0x50
+[11009.908185] [] ? __asan_register_globals+0x50/0xa0
+[11009.908189] [] ? strcmp+0x96/0xb0
+[11009.908192] [] strcmp+0x96/0xb0
+[11009.908196] [] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
+[11009.908200] [] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
+[11009.908203] [] ? memset+0x28/0x30
+[11009.908206] [] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
+[11009.908211] [] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
+[11009.908215] [] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
+[11009.908219] [] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
+[11009.908222] [] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
+[11009.908226] [] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
+[11009.908230] [] ? ref_module.part.15+0x10/0x10
+[11009.908233] [] ? module_assert_mutex_or_preempt+0x80/0x80
+[11009.908238] [] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
+[11009.908242] [] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
+[11009.908245] [] ? string+0x14d/0x1f0
+[11009.908249] [] ? symbol_string+0xff/0x1a0
+[11009.908253] [] ? uuid_string+0x6f0/0x6f0
+[11009.908257] [] ? __kernel_text_address+0x7e/0xa0
+[11009.908260] [] ? print_context_stack+0x7f/0xf0
+[11009.908264] [] ? __module_address+0xb6/0x360
+[11009.908268] [] ? is_ftrace_trampoline+0x99/0xe0
+[11009.908271] [] ? __kernel_text_address+0x7e/0xa0
+[11009.908275] [] ? debug_check_no_locks_freed+0x290/0x290
+[11009.908278] [] ? dump_trace+0x11b/0x300
+[11009.908282] [] ? em28xx_register_extension+0x23/0x190 [em28xx]
+[11009.908285] [] ? trace_hardirqs_off_caller+0x21/0x290
+[11009.908289] [] ? trace_hardirqs_on_caller+0x16/0x590
+[11009.908292] [] ? trace_hardirqs_on+0xd/0x10
+[11009.908296] [] ? em28xx_register_extension+0x23/0x190 [em28xx]
+[11009.908299] [] ? mutex_trylock+0x400/0x400
+[11009.908302] [] ? do_one_initcall+0x131/0x300
+[11009.908306] [] ? call_rcu_sched+0x17/0x20
+[11009.908309] [] ? put_object+0x48/0x70
+[11009.908314] [] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
+[11009.908317] [] em28xx_register_extension+0xd9/0x190 [em28xx]
+[11009.908320] [] ? 0xffffffffa0150000
+[11009.908324] [] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
+[11009.908327] [] do_one_initcall+0x141/0x300
+[11009.908330] [] ? try_to_run_init_process+0x40/0x40
+[11009.908333] [] ? trace_hardirqs_on_caller+0x16/0x590
+[11009.908337] [] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908340] [] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908343] [] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908346] [] ? __asan_register_globals+0x87/0xa0
+[11009.908350] [] do_init_module+0x1d0/0x5ad
+[11009.908353] [] load_module+0x6666/0x9ba0
+[11009.908356] [] ? symbol_put_addr+0x50/0x50
+[11009.908361] [] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
+[11009.908366] [] ? module_frob_arch_sections+0x20/0x20
+[11009.908369] [] ? open_exec+0x50/0x50
+[11009.908374] [] ? ns_capable+0x5b/0xd0
+[11009.908377] [] SyS_finit_module+0x108/0x130
+[11009.908379] [] ? SyS_init_module+0x1f0/0x1f0
+[11009.908383] [] ? lockdep_sys_exit_thunk+0x12/0x14
+[11009.908394] [] entry_SYSCALL_64_fastpath+0x16/0x76
+[11009.908396] Memory state around the buggy address:
+[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
+[11009.908405] ^
+[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908411] ==================================================================
+
+In order to avoid it, let's set the cached value of the firmware
+name to NULL after freeing it. While here, return an error if
+the memory allocation fails.
+
+Signed-off-by: Mauro Carvalho Chehab
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/tuners/tuner-xc2028.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -1403,11 +1403,12 @@ static int xc2028_set_config(struct dvb_
+ * in order to avoid troubles during device release.
+ */
+ kfree(priv->ctrl.fname);
++ priv->ctrl.fname = NULL;
+ memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
+ if (p->fname) {
+ priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
+ if (priv->ctrl.fname == NULL)
+- rc = -ENOMEM;
++ return -ENOMEM;
+ }
+
+ /*
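Review bot: The added `priv->ctrl.fname = NULL;` is overwritten on the very next line by `memcpy(&priv->ctrl, p, sizeof(priv->ctrl));`, which copies the caller's `p->fname` pointer back into `priv->ctrl.fname`. When `p->fname` is non-NULL and `kstrdup()` fails, the cached pointer still aliases memory the driver does not own, so the dangling-pointer condition the commit targets appears to remain on that path. Moving the assignment to just after the `memcpy()` would close it. The new `return -ENOMEM;` also leaves the function mid-body where the old code set `rc` and fell through; the start and end of `xc2028_set_config()` are outside the hunk, so if a lock is taken earlier, the failure path should exit through the common unlock/return code instead of returning directly.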