From d48de1c73b41d27e3cc6e500eb9588449edb2f14 Mon Sep 17 00:00:00 2001 From: Antonio Ospite Date: Thu, 15 Aug 2013 07:29:32 -0300 Subject: [PATCH] [media] gspca-ov534: don't call sd_start() from sd_init() sd_start() operates on device controls but after the conversion to the v4l2 control framework in commits 62bba5d and 1bd7d6a controls are initialized in sd_init_controls() which is called _after_ sd_init(): The change fixes a NULL pointer dereference for Hercules Blog Webcam; the problem is observable since 3.6: gspca_main: v2.14.0 registered gspca_main: ov534-2.14.0 probing 06f8:3002 BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 IP: [] v4l2_ctrl_g_ctrl+0x11/0x60 [videodev] PGD 0 Oops: 0000 [#1] SMP Modules linked in: gspca_ov534(+) gspca_main videodev rfcomm bnep ppdev bluetooth binfmt_misc snd_hda_codec_hdmi snd_hda_codec_realtek stir4200 irda crc_ccitt usblp snd_hda_intel snd_hda_codec snd_hwdep snd_pcm hid_generic snd_page_alloc snd_seq_midi snd_seq_midi_event usbhid snd_rawmidi snd_seq snd_seq_device snd_timer hid i915 snd psmouse drm_kms_helper serio_raw mei_me drm mei soundcore video i2c_algo_bit lpc_ich mac_hid coretemp lp parport firewire_ohci firewire_core crc_itu_t ahci libahci alx mdio r8169 mii [last unloaded: parport_pc] CPU: 3 PID: 4352 Comm: modprobe Not tainted 3.11.0-031100rc2-generic #201307211535 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./Z77-DS3H, BIOS F9 09/19/2012 task: ffff8801c20f9770 ti: ffff8801ceaa0000 task.ti: ffff8801ceaa0000 RIP: 0010:[] [] v4l2_ctrl_g_ctrl+0x11/0x60 [videodev] RSP: 0018:ffff8801ceaa1af8 EFLAGS: 00010292 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 000000000001988b RDX: 000000000001988a RSI: ffffffffa032745a RDI: 0000000000000000 RBP: ffff8801ceaa1b28 R08: 0000000000017380 R09: ffffea0008419d80 R10: ffffffff81538f5a R11: 0000000000000002 R12: ffffffffa03273dc R13: ffffffffa03273dc R14: 0000000000000000 R15: ffffffffa03270a0 FS: 00007f72d564a740(0000) GS:ffff88021f380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000050 CR3: 00000001bd1f0000 CR4: 00000000001407e0 Stack: ffff8801ceaa1b28 ffffffffa0325cff ffff8801000001f4 ffff8801ceb44000 ffffffffa03273dc ffff8801ceb44000 ffff8801ceaa1b58 ffffffffa032688e ffff8801ceb44000 ffffffffa03274f0 ffffffffa03274f0 ffff8801ceb44380 Call Trace: [] ? sccb_w_array+0x3f/0x80 [gspca_ov534] [] sd_start+0xce/0x2b0 [gspca_ov534] [] sd_init+0x189/0x1e8 [gspca_ov534] [] gspca_dev_probe2+0x285/0x410 [gspca_main] [] gspca_dev_probe+0x38/0x60 [gspca_main] [] sd_probe+0x21/0x30 [gspca_ov534] [] usb_probe_interface+0x1c0/0x2f0 [] really_probe+0x6c/0x330 [] driver_probe_device+0x47/0xa0 [] __driver_attach+0xab/0xb0 [] ? driver_probe_device+0xa0/0xa0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0x10c/0x290 [] driver_register+0x7d/0x160 [] usb_register_driver+0xa0/0x160 [] ? 0xffffffffa0066fff [] sd_driver_init+0x1e/0x1000 [gspca_ov534] [] do_one_initcall+0xfa/0x1b0 [] ? set_memory_nx+0x43/0x50 [] do_init_module+0x80/0x1d1 [] load_module+0x4c9/0x5f0 [] ? add_kallsyms+0x210/0x210 [] SyS_init_module+0xb4/0x100 [] tracesys+0xe1/0xe6 Code: a0 09 00 00 48 c7 c7 30 c3 3c a0 e8 7a 38 ca e0 eb cf 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 83 ec 28 <8b> 47 50 83 e8 05 83 f8 02 77 09 80 b8 20 8c 3c a0 00 74 1d 48 RIP [] v4l2_ctrl_g_ctrl+0x11/0x60 [videodev] RSP CR2: 0000000000000050 ---[ end trace 6786f15abfd2ac90 ]--- Original bug report from: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1173723/ Signed-off-by: Antonio Ospite Tested-by: Yaroslav Zakharuk Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab --- drivers/media/usb/gspca/ov534.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/media/usb/gspca/ov534.c b/drivers/media/usb/gspca/ov534.c index 2e28c81a03ab..03a33c46ca2c 100644 --- a/drivers/media/usb/gspca/ov534.c +++ b/drivers/media/usb/gspca/ov534.c @@ -1305,8 +1305,7 @@ static int sd_init(struct gspca_dev *gspca_dev) ov534_set_led(gspca_dev, 1); sccb_w_array(gspca_dev, sensor_init[sd->sensor].val, sensor_init[sd->sensor].len); - if (sd->sensor == SENSOR_OV767x) - sd_start(gspca_dev); + sd_stopN(gspca_dev); /* set_frame_rate(gspca_dev); */ -- 2.20.1