Message ID | ed0e67f9c56e42827f34d6e2991e6572070f8996.1521544143.git.arvind.yadav.cs@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Hi Arvind,

Yes, I know, this is an extremely late reply. I'm cleaning up some old patches that fell through the cracks, and this is one of them. My apologies.

On 3/20/18 12:16 PM, Arvind Yadav wrote:
> Here, double-free is happening on error path of hdpvr_probe.
>
> error_v4l2_unregister:
> v4l2_device_unregister(&dev->v4l2_dev);
> =>
> v4l2_device_disconnect
> =>
> put_device
> =>
> kobject_put
> =>
> kref_put
> =>
> v4l2_device_release
> =>
> hdpvr_device_release (CALLBACK)

This isn't right: the release callback of struct v4l2_device isn't used by this driver. The hdpvr_device_release function you refer to is that of struct video_device.

> =>
> kfree(dev)
>
> error_free_dev:
> kfree(dev)
>
> Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
> ---
> reported by:
> Dan Carpenter<dan.carpenter@oracle.com>

Do you have a pointer to the original report by Dan Carpenter?

Regards,

Hans

>
> drivers/media/usb/hdpvr/hdpvr-core.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c > index 29ac7fc..cab100a0 100644 > --- a/drivers/media/usb/hdpvr/hdpvr-core.c > +++ b/drivers/media/usb/hdpvr/hdpvr-core.c > @@ -395,6 +395,7 @@ static int hdpvr_probe(struct usb_interface *interface, > kfree(dev->usbc_buf); > error_v4l2_unregister: > v4l2_device_unregister(&dev->v4l2_dev); > + dev = NULL; > error_free_dev: > kfree(dev); > error: >
diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c index 29ac7fc..cab100a0 100644 --- a/drivers/media/usb/hdpvr/hdpvr-core.c +++ b/drivers/media/usb/hdpvr/hdpvr-core.c @@ -395,6 +395,7 @@ static int hdpvr_probe(struct usb_interface *interface, kfree(dev->usbc_buf); error_v4l2_unregister: v4l2_device_unregister(&dev->v4l2_dev); + dev = NULL; error_free_dev: kfree(dev); error:
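Review bot: The added `dev = NULL;` under `error_v4l2_unregister:` turns the following `kfree(dev)` into a no-op for every error path that reaches this label, so it is only correct if `v4l2_device_unregister(&dev->v4l2_dev)` really ends in a release callback that frees `dev`. The reply above says that callback belongs to struct video_device, not struct v4l2_device; if that is the case, there is no double free on this path and the assignment makes these error paths leak `dev` instead. Rather than hiding the pointer from `kfree()`, identify which release callback owns `dev` and from which point in `hdpvr_probe()` it is armed, and have only the error paths past that point skip `kfree(dev)`. Separately, the `reported by:` line sits below the `---`, so it would be dropped when the patch is applied; it belongs in the tag block as `Reported-by:`.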
Here, double-free is happening on error path of hdpvr_probe.

error_v4l2_unregister:
v4l2_device_unregister(&dev->v4l2_dev);
=>
v4l2_device_disconnect
=>
put_device
=>
kobject_put
=>
kref_put
=>
v4l2_device_release
=>
hdpvr_device_release (CALLBACK)
=>
kfree(dev)

error_free_dev:
kfree(dev)

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
---
reported by:
Dan Carpenter<dan.carpenter@oracle.com>

drivers/media/usb/hdpvr/hdpvr-core.c | 1 +
1 file changed, 1 insertion(+)