Is this a bug between dvb_usb_adapter_frontend_init and cinergyt2_frontend_attach?
From: 慕冬亮
Date: Mon May 24 2021 - 12:00:25 EST
Hi kernel developers,
I doubt there is a bug between dvb_usb_adapter_frontend_init [1] and
cinergyt2_frontend_attach [2]. The following source code includes the
critical part.
-----------------------------------------------------------------------------------------------------
int dvb_usb_adapter_frontend_init(struct dvb_usb_adapter *adap)
{
	......
	/* register all given adapter frontends */
	for (i = 0; i < adap->props.num_frontends; i++) {
		ret = adap->props.fe[i].frontend_attach(adap);
		if (ret || adap->fe_adap[i].fe == NULL) {
			return 0;
		}
	}
	......
}

static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
{
	......
	adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
	......
	return ret;
}
-----------------------------------------------------------------------------------------------------
In dvb_usb_adapter_frontend_init, the function pointer
frontend_attach points to cinergyt2_frontend_attach. Then the parent
function dvb_usb_adapter_frontend_init checks the return value and
adap->fe_adap[i].fe to verify the execution of the child function.
However, the child function cinergyt2_frontend_attach passes the
allocated dvb_frontend with adap->fe_adap[0].fe, but the check is
performed on adap->fe_adap[i].fe. At the same time, the adap in both
expressions should be the same data pointer.
Please correct me if you have any opinions on the above statements.
[1] dvb_usb_adapter_frontend_init:
https://elixir.bootlin.com/linux/latest/source/drivers/media/usb/dvb-usb/dvb-usb-dvb.c#L276
[2] cinergyt2_frontend_attach:
https://elixir.bootlin.com/linux/latest/source/drivers/media/usb/dvb-usb/cinergyT2-core.c#L68
--
My best regards to you.
No System Is Safe!
Dongliang Mu
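
A user-space model of the index question raised in the message above, added here as an example; it is not part of the original mail or of the kernel source. The struct layout, MAX_FE, attach_slot0, frontend_init and run_model are hypothetical simplifications, and the model returns how many slots passed the check instead of the excerpt's "return 0".

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_FE 2	/* assumed bound for this model only */

struct frontend { int id; };
struct adapter;
typedef int (*attach_fn)(struct adapter *);

struct adapter {
	int num_frontends;
	attach_fn attach[MAX_FE];	/* models props.fe[i].frontend_attach */
	struct frontend *fe[MAX_FE];	/* models fe_adap[i].fe */
};

static struct frontend pool[MAX_FE];

/* Callee that always stores into slot 0, as the excerpt's attach does. */
static int attach_slot0(struct adapter *adap)
{
	adap->fe[0] = &pool[0];
	return 0;
}

/* Caller loop from the excerpt: after each attach call it checks slot i.
 * Returns the number of slots that passed the check. */
static int frontend_init(struct adapter *adap)
{
	int i;

	for (i = 0; i < adap->num_frontends; i++) {
		int ret = adap->attach[i](adap);

		if (ret || adap->fe[i] == NULL)
			return i;	/* stop at the first slot left empty */
	}
	return i;
}

/* Build an adapter whose every attach callback writes slot 0 only. */
static int run_model(int num_frontends)
{
	struct adapter adap = { .num_frontends = num_frontends };

	for (int i = 0; i < num_frontends; i++)
		adap.attach[i] = attach_slot0;
	return frontend_init(&adap);
}

int main(void)
{
	printf("1 frontend:  %d slot(s) passed\n", run_model(1));
	printf("2 frontends: %d slot(s) passed\n", run_model(2));
	return 0;
}
```

In this model, with one frontend the caller's index i is only ever 0, so the slot written and the slot checked are the same; the two diverge only when the loop walks a second slot.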