Hi Arvind, Yes, I know, this is an extremely reply. I'm cleaning up some old patches that fell through the cracks, and this is one of them. My apologies. On 3/20/18 12:16 PM, Arvind Yadav wrote: > Here, double-free is happening on error path of hdpvr_probe. > > error_v4l2_unregister: > v4l2_device_unregister(&dev->v4l2_dev); > => > v4l2_device_disconnect > => > put_device > => > kobject_put > => > kref_put > => > v4l2_device_release > => > hdpvr_device_release (CALLBACK) This isn't right: the release callback of struct v4l2_device isn't used by this driver. The hdpvr_device_release function you refer to is that of struct video_device. > => > kfree(dev) > > error_free_dev: > kfree(dev) > > Signed-off-by: Arvind Yadav <arvind.yadav.cs@xxxxxxxxx> > --- > reported by: > Dan Carpenter<dan.carpenter@xxxxxxxxxx> Do you have a pointer to the original report by Dan Carpenter? Regards, Hans > > drivers/media/usb/hdpvr/hdpvr-core.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c b/drivers/media/usb/hdpvr/hdpvr-core.c > index 29ac7fc..cab100a0 100644 > --- a/drivers/media/usb/hdpvr/hdpvr-core.c > +++ b/drivers/media/usb/hdpvr/hdpvr-core.c > @@ -395,6 +395,7 @@ static int hdpvr_probe(struct usb_interface *interface, > kfree(dev->usbc_buf); > error_v4l2_unregister: > v4l2_device_unregister(&dev->v4l2_dev); > + dev = NULL; > error_free_dev: > kfree(dev); > error: >
