From patchwork Fri Jul 3 10:04:38 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrzej Pietrasiewicz X-Patchwork-Id: 30445 X-Patchwork-Delegate: sylvester.nawrocki@gmail.com Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from ) id 1ZAxqh-0008Cw-DZ; Fri, 03 Jul 2015 12:05:35 +0200 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.76/mailfrontend-7) with esmtp id 1ZAxqe-0000K2-2s; Fri, 03 Jul 2015 12:05:34 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754945AbbGCKF3 (ORCPT + 1 other); Fri, 3 Jul 2015 06:05:29 -0400 Received: from mailout4.w1.samsung.com ([210.118.77.14]:59743 "EHLO mailout4.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754644AbbGCKF1 (ORCPT ); Fri, 3 Jul 2015 06:05:27 -0400 Received: from eucpsbgm2.samsung.com (unknown [203.254.199.245]) by mailout4.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0NQW0089UPD1RN10@mailout4.w1.samsung.com>; Fri, 03 Jul 2015 11:05:25 +0100 (BST) X-AuditID: cbfec7f5-f794b6d000001495-4e-55965e6511a2 Received: from eusync2.samsung.com ( [203.254.199.212]) by eucpsbgm2.samsung.com (EUCPMTA) with SMTP id B1.F4.05269.56E56955; Fri, 3 Jul 2015 11:05:25 +0100 (BST) Received: from mcdsrvbld02.digital.local ([106.116.37.23]) by eusync2.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0NQW006OCPCWCS70@eusync2.samsung.com>; Fri, 03 Jul 2015 11:05:24 +0100 (BST) From: Andrzej Pietrasiewicz To: linux-samsung-soc@vger.kernel.org, linux-media@vger.kernel.org Cc: Andrzej Pietrasiewicz , Bartlomiej Zolnierkiewicz , Mauro Carvalho Chehab , Sylwester Nawrocki , Jacek Anaszewski Subject: [PATCH] media: s5p-jpeg: Eliminate double kfree Date: Fri, 03 Jul 2015 12:04:38 +0200 Message-id: <1435917878-27545-1-git-send-email-andrzej.p@samsung.com> X-Mailer: git-send-email 1.7.10.4 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPJMWRmVeSWpSXmKPExsVy+t/xK7qpcdNCDRbcYLSY9bKdxWLjjPWs Fr1XnzNa9GzYymox4/w+JovVzyosDr9pZ3Vg99jSf5fdo2/LKkaPz5vkApijuGxSUnMyy1KL 9O0SuDLuPL7MVLBPrOLF5OQGxl3CXYycHBICJhJtc+8xQthiEhfurWfrYuTiEBJYyiixsmUj C4TTwiQxqe06O0gVm4CxxN6DHWAdIgJOEov3/2MFKWIW+MUocXPGJ7CEsICFxO6Fk5i7GNk5 WARUJX7Vg0R5BVwlFvy6yAKxTFGi+9kEtgmM3AsYGVYxiqaWJhcUJ6XnGukVJ+YWl+al6yXn 525ihATD1x2MS49ZHWIU4GBU4uG9cHpqqBBrYllxZe4hRgkOZiUR3ufB00KFeFMSK6tSi/Lj i0pzUosPMUpzsCiJ887c9T5ESCA9sSQ1OzW1ILUIJsvEwSnVwKjJraMcnapXt6IrWu5ncOr0 1qqlLgXtF2NW2i99uTtUYoaxo3NHh2HpLIla83d2KWv9irvXyDU2GEfmNT+/sNzxzbQYM8VE /kTtKReP5l05lPZgR43Hkpsvb0y408y7WuTDyfUb+16zzCyrYLjA/0O52kD14q01/3/Fdaen 7D27Odf3tsr8KiWW4oxEQy3mouJEAMCjrYICAgAA Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.7.3.95415 X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_2000_2999 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, NO_URI_HTTPS 0, SINGLE_URI_IN_BODY 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_MEDIA_BODY 0, __CP_URI_IN_BODY 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_IN_BODY 0, __URI_NO_WWW 0, __URI_NS ' video_unregister_device() calls device_unregister(), which calls put_device(), which calls kobject_put(), and if this is the last reference then kobject_release() is called, which calls kobject_cleanup(), which calls ktype's release method which happens to be device_release() in this case, which calls dev->release(), which happens to be v4l2_device_release() in this case, which calls vdev->release(), which happens to be video_device_release(). But video_device_release() is called explicitly both in error recovery path of s5p_jpeg_probe() and in s5p_jpeg_remove(). The pointers in question are not nullified between the two calls, so this is harmful. This patch fixes the driver so that video_device_release() is not called twice for the same object. Rebased onto Mauro's master. Signed-off-by: Andrzej Pietrasiewicz --- drivers/media/platform/s5p-jpeg/jpeg-core.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c index bfbf157..9690f9d 100644 --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c @@ -2544,7 +2544,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev) ret = video_register_device(jpeg->vfd_encoder, VFL_TYPE_GRABBER, -1); if (ret) { v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); - goto enc_vdev_alloc_rollback; + video_device_release(jpeg->vfd_encoder); + goto vb2_allocator_rollback; } video_set_drvdata(jpeg->vfd_encoder, jpeg); @@ -2572,7 +2573,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev) ret = video_register_device(jpeg->vfd_decoder, VFL_TYPE_GRABBER, -1); if (ret) { v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); - goto dec_vdev_alloc_rollback; + video_device_release(jpeg->vfd_decoder); + goto enc_vdev_register_rollback; } video_set_drvdata(jpeg->vfd_decoder, jpeg); @@ -2589,15 +2591,9 @@ static int s5p_jpeg_probe(struct platform_device *pdev) return 0; -dec_vdev_alloc_rollback: - video_device_release(jpeg->vfd_decoder); - enc_vdev_register_rollback: video_unregister_device(jpeg->vfd_encoder); -enc_vdev_alloc_rollback: - video_device_release(jpeg->vfd_encoder); - vb2_allocator_rollback: vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); @@ -2622,9 +2618,7 @@ static int s5p_jpeg_remove(struct platform_device *pdev) pm_runtime_disable(jpeg->dev); video_unregister_device(jpeg->vfd_decoder); - video_device_release(jpeg->vfd_decoder); video_unregister_device(jpeg->vfd_encoder); - video_device_release(jpeg->vfd_encoder); vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); v4l2_m2m_release(jpeg->m2m_dev); v4l2_device_unregister(&jpeg->v4l2_dev);