On 12/10/19 4:15 AM, Chuhong Yuan wrote:
> allegro_open() misses a check for v4l2_m2m_ctx_init().
> Add a check and error handling code to fix it.
>
> Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver")
> Signed-off-by: Chuhong Yuan <hslester96@xxxxxxxxx>
> ---
> Changes in v2:
>   - Fix the use-after-free in v1.
>
>  drivers/staging/media/allegro-dvt/allegro-core.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/drivers/staging/media/allegro-dvt/allegro-core.c b/drivers/staging/media/allegro-dvt/allegro-core.c
> index 6f0cd0784786..66736beb67af 100644
> --- a/drivers/staging/media/allegro-dvt/allegro-core.c
> +++ b/drivers/staging/media/allegro-dvt/allegro-core.c
> @@ -2270,6 +2270,7 @@ static int allegro_open(struct file *file)
>  	struct allegro_channel *channel = NULL;
>  	struct v4l2_ctrl_handler *handler;
>  	u64 mask;
> +	int ret;
>  
>  	channel = kzalloc(sizeof(*channel), GFP_KERNEL);
>  	if (!channel)
> @@ -2341,6 +2342,14 @@ static int allegro_open(struct file *file)
>  	channel->fh.m2m_ctx = v4l2_m2m_ctx_init(dev->m2m_dev, channel,
>  						allegro_queue_init);
>  
> +	if (IS_ERR(channel->fh.m2m_ctx)) {
> +		ret = PTR_ERR(channel->fh.m2m_ctx);
> +		v4l2_fh_del(&channel->fh);
> +		v4l2_fh_exit(&channel->fh);

Just move the v4l2_fh_init/add calls to just before the return 0, i.e.
when everything is right. Then you don't need to call del/exit on error.

Also, I see that the result of all the v4l2_ctrl_new* calls isn't checked.
Just after the last v4l2_ctrl_new_std() call you need to check handler->error:
if not 0, then there was an error and you need to call v4l2_ctrl_handler_free
to clean it up.

Regards,

	Hans

> +		kfree(channel);
> +		return ret;
> +	}
> +
>  	return 0;
>  }
>
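Review bot: the new error path in the second hunk (the `if (IS_ERR(channel->fh.m2m_ctx))` block) frees the channel but never frees the control handler that allegro_open() sets up in the local `handler` declared in the first hunk's context; if the v4l2_ctrl_new_* calls Hans mentions run before v4l2_m2m_ctx_init(), every control they allocated leaks whenever the m2m context init fails. Add `v4l2_ctrl_handler_free(handler);` ahead of `kfree(channel);`, and consider turning this into a single `goto`-style cleanup label so the handler->error check Hans asks for after the last v4l2_ctrl_new_std() call can share the same unwind rather than duplicating the free/kfree sequence; with the v4l2_fh_init/add calls moved next to `return 0` as suggested, the del/exit pair in this hunk then goes away entirely.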