 c06fb25d1f
			
		
	
	c06fb25d1f
	
	
		
			
	
		
	
	
		
			Some checks failed
		
		
	
	Build Kernel / Build all affected Kernels (push) Has been cancelled
				
			Build all core packages / Build all core packages for selected target (push) Has been cancelled
				
			Build and Push prebuilt tools container / Build and Push all prebuilt containers (push) Has been cancelled
				
			Build Toolchains / Build Toolchains for each target (push) Has been cancelled
				
			Build host tools / Build host tools for linux and macos based systems (push) Has been cancelled
				
			Coverity scan build / Coverity x86/64 build (push) Has been cancelled
				
			
		
			
				
	
	
		
			49 lines
		
	
	
		
			1.4 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			49 lines
		
	
	
		
			1.4 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From d2c3a9ad53012bb3fd918fa0bd851da2bc092d8b Mon Sep 17 00:00:00 2001
 | |
| From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
 | |
| Date: Thu, 28 Sep 2023 11:33:53 +0300
 | |
| Subject: [PATCH 0639/1085] media: rp1: cfe: Fix use of freed memory on errors
 | |
| 
 | |
| cfe_probe_complete() calls cfe_put() on both success and fail code paths.
 | |
| This works for the success path, but causes the cfe_device struct to be
 | |
| freed, even if it will be used later in the teardown code.
 | |
| 
 | |
| Fix this by making the ref handling a bit saner: Let the video nodes
 | |
| have the refs as they do now, but also keep a ref in the "main" driver,
 | |
| released only at cfe_remove() time. This way the driver does not depend
 | |
| on the video nodes keeping the refs.
 | |
| 
 | |
| Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
 | |
| ---
 | |
|  drivers/media/platform/raspberrypi/rp1_cfe/cfe.c | 9 ++-------
 | |
|  1 file changed, 2 insertions(+), 7 deletions(-)
 | |
| 
 | |
| --- a/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
 | |
| +++ b/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
 | |
| @@ -1837,17 +1837,10 @@ static int cfe_probe_complete(struct cfe
 | |
|  		goto unregister;
 | |
|  	}
 | |
|  
 | |
| -	/*
 | |
| -	 * Release the initial reference, all references are now owned by the
 | |
| -	 * video devices.
 | |
| -	 */
 | |
| -	cfe_put(cfe);
 | |
|  	return 0;
 | |
|  
 | |
|  unregister:
 | |
|  	cfe_unregister_nodes(cfe);
 | |
| -	cfe_put(cfe);
 | |
| -
 | |
|  	return ret;
 | |
|  }
 | |
|  
 | |
| @@ -2129,6 +2122,8 @@ static int cfe_remove(struct platform_de
 | |
|  
 | |
|  	v4l2_device_unregister(&cfe->v4l2_dev);
 | |
|  
 | |
| +	cfe_put(cfe);
 | |
| +
 | |
|  	return 0;
 | |
|  }
 | |
|  
 |