media: exynos4-is: fix wrong mdev and v4l2 dev order in error path
diff mbox series

Message ID 1571623084-2705-1-git-send-email-sw0312.kim@samsung.com
State Not Applicable
Headers show
Series
  • media: exynos4-is: fix wrong mdev and v4l2 dev order in error path
Related show

Commit Message

Seung-Woo Kim Oct. 21, 2019, 1:58 a.m. UTC
When driver is built as module and probe during insmod is deferred
because of sensor subdevs, there is NULL pointer deference because
mdev is cleaned up and then access it from v4l2_device_unregister().
Fix the wrong mdev and v4l2 dev odder in error path of probe.

This fixes below null pointer deference:
   Unable to handle kernel NULL pointer dereference at virtual address 00000000
   pgd = ca026f68
   [00000000] *pgd=00000000
   Internal error: Oops: 5 [#1] PREEMPT SMP ARM
   [...]
   Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
   PC is at ida_free+0x7c/0x160
   LR is at xas_start+0x44/0x204
   [...]
   [<c0dafd60>] (ida_free) from [<c083c20c>] (__media_device_unregister_entity+0x18/0xc0)
   [<c083c20c>] (__media_device_unregister_entity) from [<c083c2e0>] (media_device_unregister_entity+0x2c/0x38)
   [<c083c2e0>] (media_device_unregister_entity) from [<c0843404>] (v4l2_device_release+0xd0/0x104)
   [<c0843404>] (v4l2_device_release) from [<c0632558>] (device_release+0x28/0x98)
   [<c0632558>] (device_release) from [<c0db1204>] (kobject_put+0xa4/0x208)
   [<c0db1204>] (kct_put) from [<bf00bac4>] (fimc_capture_subdev_unregistered+0x58/0x6c [s5p_fimc])
   [<bf00bac4>] (fimc_capture_subdev_unregistered [s5p_fimc]) from [<c084a1cc>] (v4l2_device_unregister_subdev+0x6c/0xa8)
   [<c084a1cc>] (v4l2_device_unregister_subdev) from [<c084a350>] (v4l2_device_unregister+0x64/0x94)
   [<c084a350>] (v4l2_device_unregister) from [<bf0101ac>] (fimc_md_probe+0x4ec/0xaf8 [s5p_fimc])
   [...]

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
---
 drivers/media/platform/exynos4-is/media-dev.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Comments

Sylwester Nawrocki Nov. 4, 2019, 9:18 a.m. UTC | #1
Hi Seung-Woo,

On 10/21/19 03:58, Seung-Woo Kim wrote:
> When driver is built as module and probe during insmod is deferred
> because of sensor subdevs, there is NULL pointer deference because
> mdev is cleaned up and then access it from v4l2_device_unregister().
> Fix the wrong mdev and v4l2 dev odder in error path of probe.

> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

The patch looks good, however we need to also call media_device_cleanup()
when v4l2_device_register() fails.

Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>

> ---
>  drivers/media/platform/exynos4-is/media-dev.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
> index a838189..3685c91e6 100644
> --- a/drivers/media/platform/exynos4-is/media-dev.c
> +++ b/drivers/media/platform/exynos4-is/media-dev.c
> @@ -1520,8 +1520,8 @@ static int fimc_md_probe(struct platform_device *pdev)
>  err_clk:
>  	fimc_md_put_clocks(fmd);
>  err_md:
> -	media_device_cleanup(&fmd->media_dev);
>  	v4l2_device_unregister(&fmd->v4l2_dev);
> +	media_device_cleanup(&fmd->media_dev);
>  	return ret;
>  }
Seung-Woo Kim Nov. 4, 2019, 9:37 a.m. UTC | #2
Hi Sylwester,

On 2019년 11월 04일 18:18, Sylwester Nawrocki wrote:
> Hi Seung-Woo,
> 
> On 10/21/19 03:58, Seung-Woo Kim wrote:
>> When driver is built as module and probe during insmod is deferred
>> because of sensor subdevs, there is NULL pointer deference because
>> mdev is cleaned up and then access it from v4l2_device_unregister().
>> Fix the wrong mdev and v4l2 dev odder in error path of probe.
> 
>> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
> 
> The patch looks good, however we need to also call media_device_cleanup()
> when v4l2_device_register() fails.

You are right. I will send the 2nd version with the missing error handle.

Thanks,
- Seung-Woo Kim

> 
> Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
> 
>> ---
>>  drivers/media/platform/exynos4-is/media-dev.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
>> index a838189..3685c91e6 100644
>> --- a/drivers/media/platform/exynos4-is/media-dev.c
>> +++ b/drivers/media/platform/exynos4-is/media-dev.c
>> @@ -1520,8 +1520,8 @@ static int fimc_md_probe(struct platform_device *pdev)
>>  err_clk:
>>  	fimc_md_put_clocks(fmd);
>>  err_md:
>> -	media_device_cleanup(&fmd->media_dev);
>>  	v4l2_device_unregister(&fmd->v4l2_dev);
>> +	media_device_cleanup(&fmd->media_dev);
>>  	return ret;
>>  }
>

Patch
diff mbox series

diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index a838189..3685c91e6 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1520,8 +1520,8 @@  static int fimc_md_probe(struct platform_device *pdev)
 err_clk:
 	fimc_md_put_clocks(fmd);
 err_md:
-	media_device_cleanup(&fmd->media_dev);
 	v4l2_device_unregister(&fmd->v4l2_dev);
+	media_device_cleanup(&fmd->media_dev);
 	return ret;
 }