Re: [PATCH 5/5] media: i2c: max9286: Allocate v4l2_async_subdev dynamically

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Laurent,

On Tue, Aug 11, 2020 at 11:59:39PM +0300, Laurent Pinchart wrote:
> v4l2_async_notifier_add_subdev() requires the asd to be allocated
> dynamically, but the max9286 driver embeds it in the max9286_source
> structure. This causes memory corruption when the notifier is destroyed
> at remove time with v4l2_async_notifier_cleanup().
>
> Fix this issue by registering the asd with
> v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
> internally. A new max9286_asd structure is introduced, to store a
> pointer to the corresonding max9286_source that needs to be accessed
> from bound and unbind callbacks. There's no need to take an extra
> explicit reference to the fwnode anymore as
> v4l2_async_notifier_add_fwnode_subdev() does so internally.
>
> While at it, use %u instead of %d to print the unsigned index in the
> error message from the v4l2_async_notifier_add_fwnode_subdev() error
> path.
>
> Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver")
> Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>
> ---
>  drivers/media/i2c/max9286.c | 38 +++++++++++++++++++------------------
>  1 file changed, 20 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c
> index 47f280518fdb..5d890dddb376 100644
> --- a/drivers/media/i2c/max9286.c
> +++ b/drivers/media/i2c/max9286.c
> @@ -135,13 +135,19 @@
>  #define MAX9286_SRC_PAD			4
>
>  struct max9286_source {
> -	struct v4l2_async_subdev asd;
>  	struct v4l2_subdev *sd;
>  	struct fwnode_handle *fwnode;
>  };
>
> -#define asd_to_max9286_source(_asd) \
> -	container_of(_asd, struct max9286_source, asd)
> +struct max9286_asd {
> +	struct v4l2_async_subdev base;
> +	struct max9286_source *source;
> +};
> +
> +static inline struct max9286_asd *to_max9286_asd(struct v4l2_async_subdev *asd)
> +{
> +	return container_of(asd, struct max9286_asd, base);
> +}
>
>  struct max9286_priv {
>  	struct i2c_client *client;
> @@ -480,7 +486,7 @@ static int max9286_notify_bound(struct v4l2_async_notifier *notifier,
>  				struct v4l2_async_subdev *asd)
>  {
>  	struct max9286_priv *priv = sd_to_max9286(notifier->sd);
> -	struct max9286_source *source = asd_to_max9286_source(asd);
> +	struct max9286_source *source = to_max9286_asd(asd)->source;
>  	unsigned int index = to_index(priv, source);
>  	unsigned int src_pad;
>  	int ret;
> @@ -544,7 +550,7 @@ static void max9286_notify_unbind(struct v4l2_async_notifier *notifier,
>  				  struct v4l2_async_subdev *asd)
>  {
>  	struct max9286_priv *priv = sd_to_max9286(notifier->sd);
> -	struct max9286_source *source = asd_to_max9286_source(asd);
> +	struct max9286_source *source = to_max9286_asd(asd)->source;
>  	unsigned int index = to_index(priv, source);
>
>  	source->sd = NULL;
> @@ -569,23 +575,19 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv)
>
>  	for_each_source(priv, source) {
>  		unsigned int i = to_index(priv, source);
> +		struct v4l2_async_subdev *asd;
>
> -		source->asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
> -		source->asd.match.fwnode = source->fwnode;
> -
> -		ret = v4l2_async_notifier_add_subdev(&priv->notifier,
> -						     &source->asd);
> -		if (ret) {
> -			dev_err(dev, "Failed to add subdev for source %d", i);
> +		asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier,
> +							    source->fwnode,
> +							    sizeof(*asd));

This should be sizeof(struct max9286_asd), but suprisingly, it doesn't
fail at runtime :)

I'll send a patch for this in the meantime.

Thanks
  j

> +		if (IS_ERR(asd)) {
> +			dev_err(dev, "Failed to add subdev for source %u: %ld",
> +				i, PTR_ERR(asd));
>  			v4l2_async_notifier_cleanup(&priv->notifier);
> -			return ret;
> +			return PTR_ERR(asd);
>  		}
>
> -		/*
> -		 * Balance the reference counting handled through
> -		 * v4l2_async_notifier_cleanup()
> -		 */
> -		fwnode_handle_get(source->fwnode);
> +		to_max9286_asd(asd)->source = source;
>  	}
>
>  	priv->notifier.ops = &max9286_notify_ops;
> --
> Regards,
>
> Laurent Pinchart
>



[Index of Archives]     [Linux Samsung SOC]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux