Date: Tue, 1 Sep 2020 20:42:58 +0200
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Evgeny Novikov, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
Subject: Re: [PATCH 4.19 047/125] media: davinci: vpif_capture: fix potential double free
Message-ID: <20200901183912.GA5295@duo.ucw.cz>
References: <20200901150934.576210879@linuxfoundation.org> <20200901150936.857115610@linuxfoundation.org>
In-Reply-To: <20200901150936.857115610@linuxfoundation.org>

Hi!

> [ Upstream commit 602649eadaa0c977e362e641f51ec306bc1d365d ]
>
> In case of errors vpif_probe_complete() releases memory for vpif_obj.sd
> and unregisters the V4L2 device. But then this is done again by
> vpif_probe() itself. The patch removes the cleaning from
> vpif_probe_complete().
> Signed-off-by: Evgeny Novikov
> Signed-off-by: Hans Verkuil
> Signed-off-by: Mauro Carvalho Chehab
> Signed-off-by: Sasha Levin
> --- > drivers/media/platform/davinci/vpif_capture.c | 2 -- > 1 file changed, 2 deletions(-) >=20 > diff --git a/drivers/media/platform/davinci/vpif_capture.c b/drivers/medi= a/platform/davinci/vpif_capture.c > index a96f53ce80886..cf1d11e6dd8c4 100644 > --- a/drivers/media/platform/davinci/vpif_capture.c > +++ b/drivers/media/platform/davinci/vpif_capture.c
> @@ -1489,8 +1489,6 @@ probe_out: > /* Unregister video device */ > video_unregister_device(&ch->video_dev); > } > - kfree(vpif_obj.sd); > - v4l2_device_unregister(&vpif_obj.v4l2_dev); > =20 > return err; > }

This one is wrong. Unlike mainline, 4.19 does check return value of vpif_probe_complete(), and thus it will lead to memory leak in 4.19.

Furthermore, I believe mainline still has problems after this patch. There is sync and async path where vpif_probe_complete(), and while this fixes the sync path in mainline, I believe it will cause memory leak on the async path.

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
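Review bot: Dropping kfree(vpif_obj.sd) and v4l2_device_unregister(&vpif_obj.v4l2_dev) from the probe_out path leaves vpif_probe_complete() returning err with both resources still live, so the change is only correct if every caller checks that return value and performs exactly this cleanup once. The commit message names only vpif_probe() as doing so, and the caller is not part of this hunk. Before taking this into a stable tree, confirm in that tree's vpif_capture.c that each call site of vpif_probe_complete() handles the error return, and add a comment at probe_out stating that the caller owns freeing vpif_obj.sd and unregistering the V4L2 device.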