Re: [PATCH v3] [bug/urgent] dvb-usb-v2: Fix incorrect use of transfer_flags URB_FREE_BUFFER

Dan Ziemba <zman0900@xxxxxxxxx> · Sat, 05 Jan 2019 20:49:00 -0500

On Mon, 2018-11-26 at 20:18 +0000, Malcolm Priestley wrote:
> In commit 1a0c10ed7b media: dvb-usb-v2: stop using coherent memory
> for URBs
> incorrectly adds URB_FREE_BUFFER after every urb transfer.
> 
> It cannot use this flag because it reconfigures the URBs accordingly
> to suit connected devices. In doing a call to usb_free_urb is made
> and
> invertedly frees the buffers.
> 
> The stream buffer should remain constant while driver is up.
> 
> Signed-off-by: Malcolm Priestley <tvboxspy@xxxxxxxxx>
> CC: stable@xxxxxxxxxxxxxxx # v4.18+
> ---
> v3 change commit message to the actual cause
> 
>  drivers/media/usb/dvb-usb-v2/usb_urb.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> index 024c751eb165..2ad2ddeaff51 100644
> --- a/drivers/media/usb/dvb-usb-v2/usb_urb.c
> +++ b/drivers/media/usb/dvb-usb-v2/usb_urb.c
> @@ -155,7 +155,6 @@ static int usb_urb_alloc_bulk_urbs(struct
> usb_data_stream *stream)
>  				stream->props.u.bulk.buffersize,
>  				usb_urb_complete, stream);
>  
> -		stream->urb_list[i]->transfer_flags = URB_FREE_BUFFER;
>  		stream->urbs_initialized++;
>  	}
>  	return 0;
> @@ -186,7 +185,7 @@ static int usb_urb_alloc_isoc_urbs(struct
> usb_data_stream *stream)
>  		urb->complete = usb_urb_complete;
>  		urb->pipe = usb_rcvisocpipe(stream->udev,
>  				stream->props.endpoint);
> -		urb->transfer_flags = URB_ISO_ASAP | URB_FREE_BUFFER;
> +		urb->transfer_flags = URB_ISO_ASAP;
>  		urb->interval = stream->props.u.isoc.interval;
>  		urb->number_of_packets = stream-
> >props.u.isoc.framesperurb;
>  		urb->transfer_buffer_length = stream-
> >props.u.isoc.framesize *
> @@ -210,7 +209,7 @@ static int usb_free_stream_buffers(struct
> usb_data_stream *stream)
>  	if (stream->state & USB_STATE_URB_BUF) {
>  		while (stream->buf_num) {
>  			stream->buf_num--;
> -			stream->buf_list[stream->buf_num] = NULL;
> +			kfree(stream->buf_list[stream->buf_num]);
>  		}
>  	}
>  

I have tested this against Arch Linux's kernel packages for both linux
4.20 and linux-lts 4.19.13.  For both, the patch seems to fix the
crashes I reported here:
https://bugzilla.kernel.org/show_bug.cgi?id=201055

Thanks,
Dan Ziemba