Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[media] s5p-jpeg: Eliminate double kfree()

video_unregister_device() calls device_unregister(), which calls
put_device(), which calls kobject_put(), and if this is the last reference
then kobject_release() is called, which calls kobject_cleanup(), which
calls ktype's release method which happens to be device_release() in this
case, which calls dev->release(), which happens to be
v4l2_device_release() in this case, which calls vdev->release(), which
happens to be video_device_release(). But video_device_release() is
called explicitly both in error recovery path of s5p_jpeg_probe() and
in s5p_jpeg_remove(). The pointers in question are not nullified between
the two calls, so this is harmful.

This patch fixes the driver so that video_device_release() is not called
twice for the same object.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
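
The ownership rule described in the commit message, as an added example that is not part of the commit or the driver: a user-space model in which each increment of `released` stands for one `kfree()`. The names `vdev`, `vdev_register`, `vdev_unregister`, `probe_decoder_fails` and `remove_path` are hypothetical stand-ins for the V4L2 calls, and `patched` selects the behaviour before or after the fix.

```c
#include <stdio.h>
/* Constructed model, not kernel code: each 'released' count is one kfree(). */
struct vdev { int refs; int released; void (*release)(struct vdev *); };
static void vdev_release(struct vdev *v) { v->released++; }

/* On failure the caller still owns v; on success the core holds one ref. */
static int vdev_register(struct vdev *v, int fail)
{
    v->refs = fail ? 0 : 1;
    return fail ? -1 : 0;
}

/* Dropping the last reference runs ->release(), as the call chain does. */
static void vdev_unregister(struct vdev *v)
{
    if (v->refs > 0 && --v->refs == 0)
        v->release(v);
}

/* Probe with a failing decoder registration; returns encoder release count. */
static int probe_decoder_fails(int patched, int *dec_released)
{
    struct vdev enc = { 0, 0, vdev_release }, dec = { 0, 0, vdev_release };
    vdev_register(&enc, 0);
    if (vdev_register(&dec, 1) < 0) {
        vdev_release(&dec);      /* never registered: caller must release */
        vdev_unregister(&enc);   /* registered: unregister releases it */
        if (!patched)
            vdev_release(&enc);  /* old fall-through into the alloc rollback */
    }
    *dec_released = dec.released;
    return enc.released;
}

/* Remove path for one registered device; returns its release count. */
static int remove_path(int patched)
{
    struct vdev v = { 0, 0, vdev_release };
    vdev_register(&v, 0);
    vdev_unregister(&v);
    if (!patched)
        vdev_release(&v);        /* old explicit video_device_release() */
    return v.released;
}

int main(void)
{
    int d, old = probe_decoder_fails(0, &d), fixed = probe_decoder_fails(1, &d);
    return printf("probe %d->%d, remove %d->%d\n", old, fixed, remove_path(0), remove_path(1)) < 0;
}
```

A release count of 2 is the double free; the device that failed to register is released exactly once in both variants.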

Authored by Andrzej Pietrasiewicz and committed by Mauro Carvalho Chehab
7a1d4e7c 1af21985

+4 -10
drivers/media/platform/s5p-jpeg/jpeg-core.c
··· 2544 2544 ret = video_register_device(jpeg->vfd_encoder, VFL_TYPE_GRABBER, -1); 2545 2545 if (ret) { 2546 2546 v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); 2547 - goto enc_vdev_alloc_rollback; 2547 + video_device_release(jpeg->vfd_encoder); 2548 + goto vb2_allocator_rollback; 2548 2549 } 2549 2550 2550 2551 video_set_drvdata(jpeg->vfd_encoder, jpeg); ··· 2573 2572 ret = video_register_device(jpeg->vfd_decoder, VFL_TYPE_GRABBER, -1); 2574 2573 if (ret) { 2575 2574 v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); 2576 - goto dec_vdev_alloc_rollback; 2575 + video_device_release(jpeg->vfd_decoder); 2576 + goto enc_vdev_register_rollback; 2577 2577 } 2578 2578 2579 2579 video_set_drvdata(jpeg->vfd_decoder, jpeg); ··· 2591 2589 2592 2590 return 0; 2593 2591 2594 - dec_vdev_alloc_rollback: 2595 - video_device_release(jpeg->vfd_decoder); 2596 - 2597 2592 enc_vdev_register_rollback: 2598 2593 video_unregister_device(jpeg->vfd_encoder); 2599 - 2600 - enc_vdev_alloc_rollback: 2601 - video_device_release(jpeg->vfd_encoder); 2602 2594 2603 2595 vb2_allocator_rollback: 2604 2596 vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); ··· 2618 2622 pm_runtime_disable(jpeg->dev); 2619 2623 2620 2624 video_unregister_device(jpeg->vfd_decoder); 2621 - video_device_release(jpeg->vfd_decoder); 2622 2625 video_unregister_device(jpeg->vfd_encoder); 2623 - video_device_release(jpeg->vfd_encoder); 2624 2626 vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); 2625 2627 v4l2_m2m_release(jpeg->m2m_dev); 2626 2628 v4l2_device_unregister(&jpeg->v4l2_dev);
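
Review bot: in the two `video_register_device()` failure branches of s5p_jpeg_probe(), the new inline `video_device_release(jpeg->vfd_encoder);` and `video_device_release(jpeg->vfd_decoder);` leave the freed pointers stored in `jpeg`, and the commit message names un-nullified pointers as what makes a second release harmful. Setting each pointer to NULL right after the release, or adding a one-line comment that a failed registration leaves ownership with the caller (which is why the release is explicit here and nowhere after `video_unregister_device()`), would make the rule visible at the call site.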
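
Review bot: missing documentation in the s5p_jpeg_remove() hunk and at the surviving `enc_vdev_register_rollback:` label: `video_unregister_device()` is now the only thing that frees `vfd_decoder` and `vfd_encoder`, which depends on the devices' release callback being `video_device_release()`, and that assignment is not in the visible lines. A short comment at both places saying that unregistering drops the final reference and frees the device would keep the explicit release from being added back. It is also worth confirming that nothing after these calls dereferences `jpeg->vfd_decoder` or `jpeg->vfd_encoder`, since they may already be freed.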