On 11/5/19 4:55 PM, Pan Bian wrote: > The variable vga->vfd is an alias for vfd. Therefore, releasing vfd and > then unregister vga->vfd will lead to a use after free bug. In fact, the > free operation and the unregister operation are reversed. > > Signed-off-by: Pan Bian <bianpan2016@xxxxxxx> > --- > drivers/media/platform/rockchip/rga/rga.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c > index e9ff12b6b5bb..613b868fce33 100644 > --- a/drivers/media/platform/rockchip/rga/rga.c > +++ b/drivers/media/platform/rockchip/rga/rga.c > @@ -901,9 +901,9 @@ static int rga_probe(struct platform_device *pdev) > return 0; > > rel_vdev: > - video_device_release(vfd); > -unreg_video_dev: > video_unregister_device(rga->vfd); > +unreg_video_dev: > + video_device_release(vfd); > unreg_v4l2_dev: > v4l2_device_unregister(&rga->v4l2_dev); > err_put_clk: > This isn't right, you need to update the goto labels as well. With this change unreg_video_dev releases the vdev, while rel_vdev unregisters it. Very confusing. I'd also rename unreg_video_dev to unreg_vdev to be consistent with rel_vdev. Regards, Hans
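Review bot: The labels in the error-unwind block after `return 0;` no longer describe the calls beneath them. The hunk swaps the two calls but leaves the labels in place, so `rel_vdev:` now sits above `video_unregister_device(rga->vfd);` and `unreg_video_dev:` sits above `video_device_release(vfd);`. Move each label together with its call, or rename the labels to match what they now do. Then recheck every `goto` that targets them, none of which are visible in this hunk, so that a failure before registration enters the unwind at the release step and not at the unregister step. Separately, the commit message refers to `vga->vfd` while the code uses `rga->vfd`; the message should match the code.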