Heippa! On Fri, Jan 27, 2017 at 12:32:56PM +0200, Tuukka Toivonen wrote: > v4l2-async had several functions doing some operations and then > not undoing the operations in a failure situation. For example, > v4l2_async_test_notify() moved a subdev into notifier's done list > even if registering the subdev (v4l2_device_register_subdev) failed. > If the subdev was allocated and v4l2_async_register_subdev() called > from the driver's probe() function, as usually, the probe() > function freed the allocated subdev and returned a failure. > Nevertheless, the subdev was still left into the notifier's done > list, causing an access to already freed memory when the notifier > was later unregistered. > > A hand-edited call trace leaving freed subdevs into the notifier: > > v4l2_async_register_notifier(notifier, asd) > cameradrv_probe > sd = devm_kzalloc() > v4l2_async_register_subdev(sd) > v4l2_async_test_notify(notifier, sd, asd) > list_move(sd, ¬ifier->done) > v4l2_device_register_subdev(notifier->v4l2_dev, sd) > cameradrv_registered(sd) -> fails > ->v4l2_async_register_subdev returns failure > ->cameradrv_probe returns failure > ->devres frees the allocated sd > ->sd was freed but it still remains in the notifier's list. > > This patch fixes this and several other cases where a failing > function could leave nodes into a linked list while the caller > might free the node due to a failure. > > Signed-off-by: Tuukka Toivonen <tuukka.toivonen@xxxxxxxxx> Acked-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx> -- Terveisin, Sakari Ailus e-mail: sakari.ailus@xxxxxx XMPP: sailus@xxxxxxxxxxxxxx -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
