v4l2_async_notifier_add_subdev() requires the asd to be allocated dynamically, but the max9286 driver embeds it in the max9286_source structure. This causes memory corruption when the notifier is destroyed at remove time with v4l2_async_notifier_cleanup(). Fix this issue by registering the asd with v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically internally. A new max9286_asd structure is introduced, to store a pointer to the corresonding max9286_source that needs to be accessed from bound and unbind callbacks. There's no need to take an extra explicit reference to the fwnode anymore as v4l2_async_notifier_add_fwnode_subdev() does so internally. While at it, use %u instead of %d to print the unsigned index in the error message from the v4l2_async_notifier_add_fwnode_subdev() error path. Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver") Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx> --- drivers/media/i2c/max9286.c | 38 +++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c index 47f280518fdb..5d890dddb376 100644 --- a/drivers/media/i2c/max9286.c +++ b/drivers/media/i2c/max9286.c @@ -135,13 +135,19 @@ #define MAX9286_SRC_PAD 4 struct max9286_source { - struct v4l2_async_subdev asd; struct v4l2_subdev *sd; struct fwnode_handle *fwnode; }; -#define asd_to_max9286_source(_asd) \ - container_of(_asd, struct max9286_source, asd) +struct max9286_asd { + struct v4l2_async_subdev base; + struct max9286_source *source; +}; + +static inline struct max9286_asd *to_max9286_asd(struct v4l2_async_subdev *asd) +{ + return container_of(asd, struct max9286_asd, base); +} struct max9286_priv { struct i2c_client *client; @@ -480,7 +486,7 @@ static int max9286_notify_bound(struct v4l2_async_notifier *notifier, struct v4l2_async_subdev *asd) { struct max9286_priv *priv = sd_to_max9286(notifier->sd); - struct max9286_source *source = asd_to_max9286_source(asd); + struct max9286_source *source = to_max9286_asd(asd)->source; unsigned int index = to_index(priv, source); unsigned int src_pad; int ret; @@ -544,7 +550,7 @@ static void max9286_notify_unbind(struct v4l2_async_notifier *notifier, struct v4l2_async_subdev *asd) { struct max9286_priv *priv = sd_to_max9286(notifier->sd); - struct max9286_source *source = asd_to_max9286_source(asd); + struct max9286_source *source = to_max9286_asd(asd)->source; unsigned int index = to_index(priv, source); source->sd = NULL; @@ -569,23 +575,19 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) for_each_source(priv, source) { unsigned int i = to_index(priv, source); + struct v4l2_async_subdev *asd; - source->asd.match_type = V4L2_ASYNC_MATCH_FWNODE; - source->asd.match.fwnode = source->fwnode; - - ret = v4l2_async_notifier_add_subdev(&priv->notifier, - &source->asd); - if (ret) { - dev_err(dev, "Failed to add subdev for source %d", i); + asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, + source->fwnode, + sizeof(*asd)); + if (IS_ERR(asd)) { + dev_err(dev, "Failed to add subdev for source %u: %ld", + i, PTR_ERR(asd)); v4l2_async_notifier_cleanup(&priv->notifier); - return ret; + return PTR_ERR(asd); } - /* - * Balance the reference counting handled through - * v4l2_async_notifier_cleanup() - */ - fwnode_handle_get(source->fwnode); + to_max9286_asd(asd)->source = source; } priv->notifier.ops = &max9286_notify_ops; -- Regards, Laurent Pinchart