From nobody Sun Jun 14 07:36:49 2026 Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8ED5C37DE96 for ; Fri, 1 May 2026 09:09:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777626564; cv=none; b=ZBTkgcDHrJYK+MdofXKJgpjhTzN8rVdfnY9wzG9o9n7jdKFlosfqpkzvUSDfdWH4bnSjfwlKKXazx6TtnfxI2fDtdtu25+MItIU2URFKuCFlaf0E9sqGDr7kINO1YrlC0GB0a/jefSARiKU+2fAV8L4kMDv5MG90ay8PVzkfZQs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777626564; c=relaxed/simple; bh=89jlVxW1k1DaDpOVsCpZaDI95QQVTHGjkXHGWhY6j08=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=VkNMY2GVpCvJ/SNp/LwG5vUjH6isjmdPSNJMxoLw2WyaWyyHbdn9cE1Fa1JYALG4fMsr/CUOzwrLSBhl4jeph/p8/wgPBrW2t8uDDnkAmy/bT/RJaUw4uRNrfYVHuzDttPgzFijobHnyX2MYv8gZiSD2yL0lrEtkieI+P8bPTXo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=KJW07Cpc; arc=none smtp.client-ip=209.85.215.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="KJW07Cpc" Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-c7973bbc16dso1049103a12.0 for ; Fri, 01 May 2026 02:09:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777626563; x=1778231363; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=zyTlFLeJ1G6PI38qtRjcufp4nAkxnC1Ry8Nmrz84v+c=; b=KJW07CpcKPsjZ7NONt6vid4z1zuUsyQF1VlkSfB/qYfG+KX63QzQVo+dcnGhaqSIwI Gm0h03uXIuYiiq1Mc2NIX1NxCScNJIzT5NfWtOZg9JxuQMsvDkHuN6hcfx2cWeELARGN 1WUKO5qSpVFxdkP2ojjQ3tAuOZKyp//qPVCLwY7w2rX3DkMT8FTVB/UOR0/cUwsMqSic OkmZeQ0oI1vEk8mGCYlLY3VdM49NNL29dx/wIJ+ZVUDmakAlDk9blJS548bfXN8PHbsz EcLJfhkV5NV+gIh9hRrAePe41Rb2evl4BUuoC6HEQ7l1Q+YYKpGcH3wXbRgiM56MWdzq yh+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777626563; x=1778231363; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=zyTlFLeJ1G6PI38qtRjcufp4nAkxnC1Ry8Nmrz84v+c=; b=bGYEKq4eWZ3m0C/+1n3XLv010z4KhxtyxufmpAN8hVUaCXW47cjxW/q/Ix8RV+Ue/D bsiYW1sJ5u5Hi9uE15gnS4wAGSppKsuND9oAOqul0jcH4UjL4EDXx2dyqPukgDQL1lP9 Cy7gweVeaSDZDDFrUKdNq5qm/PwbM3D+aHj0+s/L5s4gytZmSEGF7ZuKGUIfa+MiOxjC m4ZHYadLmjfqsyw59fBLQ8VDLROiosoCyWe3u+MslbjdcxVDS2KhrbGDlq1Yjzq2LJfJ eWaJq0IyPR3vvt/B/3Xf7ejOjA+jvCUtBxaqKH4b+N4cEduZ3b7PUOl/JqLr2gpNN+W3 4p+w== X-Forwarded-Encrypted: i=1; AFNElJ+cpz8bmSIPJ35Rw3VKg5k2clh//Lqo68IQjPXK28Oe9hPeaY2zhBAydLJJAclva3TYkb6hwdUVm6XY/7I=@vger.kernel.org X-Gm-Message-State: AOJu0Yz0HHtyKdnMCG8xydovfRMJmFq/V/zT0d1OH2tBo0GL7O4L/5un HrfNjfMNF6dUo65EFcOPD3GRISdyVcuiw9SQOhVk+zI/BRtrwyFvtUNG X-Gm-Gg: AeBDietXi00mq1l2myZZfMwuIruAGn8hYpsPnRstgJpfV0xReLfXm8Czgn8jsiyIHjA Wvw2I3TCE+H+vYiNP8aSx3rJSY2KZmIR2Ce/YvjByEl5XJfpolsIgsy6200eq0EIiENXlqwcOw0 gbpxjkjdsl013HWof+8DAkX2IVPSF5Rclgru5/jyquB31bAiEct5xZuONvhjP7kkBAqtsgxTQDN vAbC/I1YmQTxJMLNxoxOIGWOjf1fyYCXjldwq9Tp8nAbfxOYG+tOXadrPhP1xfiwsSsWhDUWndH N3ij6RowCv7h9LuFeb1kISrH6p+slxKbm6ZEAxUoyegyve2nCZbDS8LqXi+a+odM/aHsZ7tYj// lRQj7CRwHvyKVoSY5PNoWfWGu/Lwf5i5eN7CqbJCRnsaU+1tB7PaDDVhKi3VCCLkU6eXbv3VEwF idUOhw1fdzVXLC4Q6z X-Received: by 2002:a05:6a21:e081:b0:3a2:d79c:416d with SMTP id adf61e73a8af0-3a3cf86c261mr7683626637.43.1777626562812; Fri, 01 May 2026 02:09:22 -0700 (PDT) Received: from lgs.. ([2001:250:5800:1000::5a26]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c7ffbbbc9dasm1675365a12.9.2026.05.01.02.09.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 May 2026 02:09:22 -0700 (PDT) From: Guangshuo Li To: Abylay Ospan , Mauro Carvalho Chehab , Katsuhiro Suzuki , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PATCH] media: helene: fix possible double free in helene_probe() Date: Fri, 1 May 2026 17:06:57 +0800 Message-ID: <20260501090657.492534-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" helene_probe() allocates the private data with devm_kzalloc(), so the memory is managed by the i2c client's device and will be released automatically on driver detach. However, helene_probe() copies helene_tuner_ops into fe->ops.tuner_ops, including the .release callback. helene_release() frees fe->tuner_priv with kfree(), which is correct for the non-devm helene_attach() paths, but not for the devm allocation used by helene_probe(). Clear the .release callback in the i2c probe path after copying the tuner ops, so the devm-managed private data is not freed by helene_release(). This issue was found by a static analysis tool I am developing. Fixes: 817dc4b579d8 ("media: helene: add I2C device probe function") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- drivers/media/dvb-frontends/helene.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/dvb-frontends/helene.c b/drivers/media/dvb-front= ends/helene.c index 1402d124544e..1ff8c06d06fb 100644 --- a/drivers/media/dvb-frontends/helene.c +++ b/drivers/media/dvb-frontends/helene.c @@ -1091,6 +1091,7 @@ static int helene_probe(struct i2c_client *client) =20 memcpy(&fe->ops.tuner_ops, &helene_tuner_ops, sizeof(struct dvb_tuner_ops)); + fe->ops.tuner_ops.release =3D NULL; fe->tuner_priv =3D priv; i2c_set_clientdata(client, priv); =20 --=20 2.43.0