On 10/1/19 1:50 PM, Dafna Hirschfeld wrote: > vimc_sen_add function first registers the subdevice and then > calls tpg_alloc. If tpg_alloc fails it unregisters the subdevice > and then frees vsen, this cause double free since the release > callback that follows subdevice unregistration also frees vsen. > > Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@xxxxxxxxxxxxx> Acked-by: Helen Koike <helen.koike@xxxxxxxxxxxxx> > --- > drivers/media/platform/vimc/vimc-sensor.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/media/platform/vimc/vimc-sensor.c b/drivers/media/platform/vimc/vimc-sensor.c > index 46dc6a535abe..ee2306c08569 100644 > --- a/drivers/media/platform/vimc/vimc-sensor.c > +++ b/drivers/media/platform/vimc/vimc-sensor.c > @@ -358,6 +358,13 @@ struct vimc_ent_device *vimc_sen_add(struct vimc_device *vimc, > goto err_free_vsen; > } > > + /* Initialize the test pattern generator */ > + tpg_init(&vsen->tpg, vsen->mbus_format.width, > + vsen->mbus_format.height); > + ret = tpg_alloc(&vsen->tpg, VIMC_FRAME_MAX_WIDTH); > + if (ret) > + goto err_free_hdl; > + > /* Initialize ved and sd */ > ret = vimc_ent_sd_register(&vsen->ved, &vsen->sd, v4l2_dev, > vcfg_name, > @@ -365,7 +372,7 @@ struct vimc_ent_device *vimc_sen_add(struct vimc_device *vimc, > (const unsigned long[1]) {MEDIA_PAD_FL_SOURCE}, > &vimc_sen_int_ops, &vimc_sen_ops); > if (ret) > - goto err_free_hdl; > + goto err_free_tpg; > > vsen->ved.process_frame = vimc_sen_process_frame; > vsen->dev = &vimc->pdev.dev; > @@ -373,17 +380,10 @@ struct vimc_ent_device *vimc_sen_add(struct vimc_device *vimc, > /* Initialize the frame format */ > vsen->mbus_format = fmt_default; > > - /* Initialize the test pattern generator */ > - tpg_init(&vsen->tpg, vsen->mbus_format.width, > - vsen->mbus_format.height); > - ret = tpg_alloc(&vsen->tpg, VIMC_FRAME_MAX_WIDTH); > - if (ret) > - goto err_unregister_ent_sd; > - > return &vsen->ved; > > -err_unregister_ent_sd: > - vimc_ent_sd_unregister(&vsen->ved, &vsen->sd); > +err_free_tpg: > + tpg_free(&vsen->tpg); > err_free_hdl: > v4l2_ctrl_handler_free(&vsen->hdl); > err_free_vsen: >