[PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

The v4l2_async_unbind_subdev_one() deallocates the pointer
&asc->asc_subdev_entry. The same pointer is again used to
deallocate in list_del() leading to the below kernel crash.

Unable to handle kernel paging request at virtual address dead000000000108
v4l2_async_unregister_subdev+0xf8/0x164
rzg2l_csi2_remove+0x30/0x5c
platform_remove+0x28/0x64
device_remove+0x48/0x74
device_release_driver_internal+0x1d8/0x234
device_driver_detach+0x14/0x1c
unbind_store+0xac/0xb0

Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities")
Signed-off-by: Biju Das <biju.das.jz@xxxxxxxxxxxxxx>
---
 drivers/media/v4l2-core/v4l2-async.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 091e8cf4114b..8cfd593d293d 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
 				  &asc->notifier->waiting_list);
 
 			v4l2_async_unbind_subdev_one(asc->notifier, asc);
-			list_del(&asc->asc_subdev_entry);
 		}
 	}
 
-- 
2.25.1
[Index of Archives]     [Linux Samsung SOC]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux