From: Evgeny Novikov <novikov@ispras.ru>
To: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media <linux-media@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"ldv-project@linuxtesting.org" <ldv-project@linuxtesting.org>
Subject: Re: [PATCH] media: davinci: vpif_capture: fix potential double free
Date: Fri, 24 Jul 2020 23:00:06 +0300 [thread overview]
Message-ID: <20927111595619342@mail.yandex.ru> (raw)
In-Reply-To: <CA+V-a8uNfscxiM1fMjfdvZstZkkzxW41p40jpBXT3NeyiS9-Qw@mail.gmail.com>
Hi Lad,
Yet again I can not demonstrate you a nice error trace corresponding to the bug fixed by the patch. Indeed, there is a branch in vpif_probe() that explicitly invokes vpif_probe_complete() and the patch targets the possible issue that can happen during this.
When I developed the patch I saw on vpif_display.ko. It looks very similar regarding things touched by the patch. In particular, it does not free vpif_obj.sd in its vpif_probe_complete(). But now I see that it does this in vpif_remove()!
Do you think that vpif_capture.ko should do the same? If so, I guess that I should fix the patch appropriately since likely it just replaces one (very rare) bug with another one (on a typical execution path).
--
Evgeny Novikov
Linux Verification Center, ISP RAS
http://linuxtesting.org
24.07.2020, 17:17, "Lad, Prabhakar" <prabhakar.csengg@gmail.com>:
> Hi Evgeny,
>
> Thank you for the patch.
>
> On Thu, Jul 23, 2020 at 6:04 PM Evgeny Novikov <novikov@ispras.ru> wrote:
>> In case of errors vpif_probe_complete() releases memory for vpif_obj.sd
>> and unregisters the V4L2 device. But then this is done again by
>> vpif_probe() itself. The patch removes the cleaning from
>> vpif_probe_complete().
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
>> ---
>> drivers/media/platform/davinci/vpif_capture.c | 2 --
>> 1 file changed, 2 deletions(-)
>>
>> diff --git a/drivers/media/platform/davinci/vpif_capture.c b/drivers/media/platform/davinci/vpif_capture.c
>> index d9ec439faefa..72a0e94e2e21 100644
>> --- a/drivers/media/platform/davinci/vpif_capture.c
>> +++ b/drivers/media/platform/davinci/vpif_capture.c
>> @@ -1482,8 +1482,6 @@ static int vpif_probe_complete(void)
>> /* Unregister video device */
>> video_unregister_device(&ch->video_dev);
>> }
>> - kfree(vpif_obj.sd);
>> - v4l2_device_unregister(&vpif_obj.v4l2_dev);
>
> vpif_probe_complete() is a async callback and probe() should have
> already completed by then.
>
> Cheers,
> --Prabhakar
>
>> return err;
>> }
>> --
>> 2.16.4
next prev parent reply other threads:[~2020-07-24 20:00 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-23 17:04 [PATCH] media: davinci: vpif_capture: fix potential double free Evgeny Novikov
2020-07-24 14:16 ` Lad, Prabhakar
2020-07-24 20:00 ` Evgeny Novikov [this message]
2020-07-24 22:05 ` Lad, Prabhakar
2020-08-02 18:38 ` Evgeny Novikov
2020-07-23 20:15 Markus Elfring
2020-07-23 20:15 ` Markus Elfring
2020-07-24 20:08 ` Evgeny Novikov
2020-07-24 20:08 ` Evgeny Novikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20927111595619342@mail.yandex.ru \
--to=novikov@ispras.ru \
--cc=ldv-project@linuxtesting.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=prabhakar.csengg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.