From: Guangshuo Li
To: Yemike Abhilash Chandra, Mauro Carvalho Chehab, Hans Verkuil, Benoit Parrot, Dale Farnsworth, Sukrut Bellary, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li
Subject: [PATCH] media: ti-vpe: vip: avoid double free on video register failure
Date: Sun, 17 May 2026 18:32:33 +0800
Message-ID: <20260517103233.944142-1-lgs201920130244@gmail.com>

alloc_stream() allocates a video_device with video_device_alloc() and
releases it from the do_free_vfd error path if video_register_device()
fails.

This can double free the video_device when __video_register_device()
reaches device_register() and that call fails:

  video_register_device()
    -> __video_register_device()
       -> device_register() fails
          -> put_device(&vdev->dev)
             -> v4l2_device_release()
                -> vdev->release(vdev)
                   -> video_device_release(vdev)

  alloc_stream()
    -> do_free_vfd
       -> video_device_release(vfd)

Use video_device_release_empty() while registering the device so that
registration failure paths do not free vfd through vdev->release().
alloc_stream() then releases vfd exactly once from do_free_vfd.

Restore video_device_release() after successful registration so the
registered device keeps its normal lifetime handling.

This issue was found by a static analysis tool I am developing.

Fixes: fc2873aa4a21 ("media: ti: vpe: Add the VIP driver")
Signed-off-by: Guangshuo Li
---
 drivers/media/platform/ti/vpe/vip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/ti/vpe/vip.c b/drivers/media/platform/t= i/vpe/vip.c index a4b616a5ece7..aae6cb3abe8d 100644 --- a/drivers/media/platform/ti/vpe/vip.c +++ b/drivers/media/platform/ti/vpe/vip.c @@ -3094,6 +3094,7 @@ static int alloc_stream(struct vip_port *port, int st= ream_id, int vfl_type) goto do_free_dropq; } *vfd =3D vip_videodev; + vfd->release =3D video_device_release_empty; vfd->v4l2_dev =3D &dev->v4l2_dev; vfd->queue =3D q; =20 @@ -3107,6 +3108,8 @@ static int alloc_stream(struct vip_port *port, int st= ream_id, int vfl_type) goto do_free_vfd; } =20 + vfd->release =3D video_device_release; + v4l2_info(&dev->v4l2_dev, "device registered as %s\n", video_device_node_name(vfd)); return 0; --=20 2.43.0
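
Review bot: The placeholder assignment of video_device_release_empty in the first hunk (right after *vfd = vip_videodev) has no comment, and an empty release callback on a device that came from video_device_alloc() reads like a leak to anyone who has not seen the commit message. A short comment above it, saying that the callback is only a placeholder until video_register_device() succeeds and that do_free_vfd owns the free until then, would keep a later cleanup from reverting it.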
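
Review bot: In the second hunk, video_device_release is restored only after video_register_device() has already returned, so the device is registered for a short window with an empty release callback. If the last reference to vfd->dev can be dropped inside that window, vfd is never freed; please explain in the commit message or in a comment next to the assignment why no reference can be dropped between the successful registration and the restore.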