From: Andrzej Pietrasiewicz Date: Fri, 3 Jul 2015 10:04:38 +0000 (-0300) Subject: [media] s5p-jpeg: Eliminate double kfree() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7a1d4e7c064c0eddd90f0204cecd294d0dc5b36a;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [media] s5p-jpeg: Eliminate double kfree() video_unregister_device() calls device_unregister(), which calls put_device(), which calls kobject_put(), and if this is the last reference then kobject_release() is called, which calls kobject_cleanup(), which calls ktype's release method which happens to be device_release() in this case, which calls dev->release(), which happens to be v4l2_device_release() in this case, which calls vdev->release(), which happens to be video_device_release(). But video_device_release() is called explicitly both in error recovery path of s5p_jpeg_probe() and in s5p_jpeg_remove(). The pointers in question are not nullified between the two calls, so this is harmful. This patch fixes the driver so that video_device_release() is not called twice for the same object. Signed-off-by: Andrzej Pietrasiewicz Signed-off-by: Sylwester Nawrocki Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c index bfbf1575677c..9690f9dcb0ca 100644 --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c @@ -2544,7 +2544,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev) ret = video_register_device(jpeg->vfd_encoder, VFL_TYPE_GRABBER, -1); if (ret) { v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); - goto enc_vdev_alloc_rollback; + video_device_release(jpeg->vfd_encoder); + goto vb2_allocator_rollback; } video_set_drvdata(jpeg->vfd_encoder, jpeg); @@ -2572,7 +2573,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev) ret = video_register_device(jpeg->vfd_decoder, VFL_TYPE_GRABBER, -1); if (ret) { v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); - goto dec_vdev_alloc_rollback; + video_device_release(jpeg->vfd_decoder); + goto enc_vdev_register_rollback; } video_set_drvdata(jpeg->vfd_decoder, jpeg); @@ -2589,15 +2591,9 @@ static int s5p_jpeg_probe(struct platform_device *pdev) return 0; -dec_vdev_alloc_rollback: - video_device_release(jpeg->vfd_decoder); - enc_vdev_register_rollback: video_unregister_device(jpeg->vfd_encoder); -enc_vdev_alloc_rollback: - video_device_release(jpeg->vfd_encoder); - vb2_allocator_rollback: vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); @@ -2622,9 +2618,7 @@ static int s5p_jpeg_remove(struct platform_device *pdev) pm_runtime_disable(jpeg->dev); video_unregister_device(jpeg->vfd_decoder); - video_device_release(jpeg->vfd_decoder); video_unregister_device(jpeg->vfd_encoder); - video_device_release(jpeg->vfd_encoder); vb2_dma_contig_cleanup_ctx(jpeg->alloc_ctx); v4l2_m2m_release(jpeg->m2m_dev); v4l2_device_unregister(&jpeg->v4l2_dev);