From nobody Mon May 25 06:42:10 2026
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com
 [209.85.214.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE81035E1CF
	for <linux-kernel@vger.kernel.org>; Sun, 17 May 2026 11:53:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.181
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779018839; cv=none;
 b=dXsEOLE3kbXCrKg0cSx10NYldlLKNn+vX2eMIYLuo0Moo9I6WCzvpVPTKgL/bgVR8wZtq35DQ0hzsOOlZYPlbF8SQh0lEdDe8waHcxx5PVzZt0OEVJ4IGguDbFU8KyL30Xog09pYpWaN4G5A7BxmbPazXviXkPAEkITm5A1dLXw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779018839; c=relaxed/simple;
	bh=ncZtNx1Y7OuHHYSK44RquXi/bDCszx2wvAKmVP+oFhE=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=ZYTraMZ7tRJFv8zP4B0QYPtPjM1fTnw4VVIrl9jlmYVjyj1CpFl5HnCzI49ABmUdjkGbFVghJ3rMuMgUsaeFucJxazgwczZJmEKc5WmSnMJVdvy0N/gz5hUJoM0EGsGbHyhuGcrMsRSloQ8kCPYfBVt0H5CVAlDErksiJwZ1AW0=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=MKxLECEO; arc=none smtp.client-ip=209.85.214.181
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="MKxLECEO"
Received: by mail-pl1-f181.google.com with SMTP id
 d9443c01a7336-2ba0714574fso6881435ad.2
        for <linux-kernel@vger.kernel.org>;
 Sun, 17 May 2026 04:53:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779018838; x=1779623638;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=eVgsGf4Z/8axsFXoaM/enuI2zsZhhgsgIIwSowsD/SY=;
        b=MKxLECEOt7do0myVK2DDnIZk6b6ktK64x+EU5pEphKYC36vpKdlH0FczD2E1L0460c
         Y6/6FxyjLNNBWVafk/CGPcU/LmLjNIyG3eVqh1maW1p8HgHS2wEfEOWxIUva96Za+Fsy
         y6hqu7tabtEJu+2z+KPJimxFQu46WfyvCICAWCeTQJQ85sHKmdlcv5uIQIfij93haZAE
         8aUTe4jG7ZWLX/xLHp95TUZrMbHmyog/htIe308ASmBzRqSlZGzWVdcfoSduhybnbi3H
         62+UwPNWTJxhCEKtNsIjJEqfX933B/7pOup/SfNjSOE2g8s3MF3B8RfUvibD2xk3jApw
         NvoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779018838; x=1779623638;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=eVgsGf4Z/8axsFXoaM/enuI2zsZhhgsgIIwSowsD/SY=;
        b=l7ku9cisFOdjQQoXzQXK9U3+uWj775G4ZmuYFCRPDOCfocKKRUUG0E2+L8nTvEwd7f
         ZMEWIFwwuYWpVlasRkXn07f8nYLPOnY72QDx1ld9PLDdZLHDVMs6LptiITcRkWNYYs32
         wBjILp1njDOkWW9J20a08mhqZWTlGMcVONxRaS92part4INnqt2bAEHf+D8hCXSnwE7V
         HbDNrWnX+a07suNEWAIDUzTQkZp6X9IPxofsxweq3pnErcYHkDqWT2v+6H9AWIFxnvNi
         DJHAl3+PH+cas/7IJ6sZgQ9RdjjHlWQNhRiqVg3tKsYFgKUWdvzwGoIR3+539ZuVhCpo
         XDOQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ9Eq+yujuSFhXrhLUcK8pbI1o8PkNX9SuOgfP+oMxbpU8GluInyViVacK8ppWSx8Y4K91rCSOZJqDMXaVY=@vger.kernel.org
X-Gm-Message-State: AOJu0Yw/lFpRYcFWjNEu+xY88i2+r4pe0WiqBj7jFXeOmrOlbU1lrDDS
	4g09A9khIOvmSwCm99YOPJzUFya0AxXi/dVUdB5B5t+wI6dKZMdG+PvK
X-Gm-Gg: Acq92OF4VTUP+ktcoSmQdRjZAn+ZJK9CfvjAE+xQT7H6fEIE/bvF8iNpCyJxbJI0Gdw
	66wRwM8Neh9Scf7o/9IUMCOygLJyOHJ5Z7/4iNvht8huaw/1GBusWc2np+EpXnvPuT6ui4glGdl
	hPXR4verUBaXFMJaDY3nF6mkwtq4QL1/3+qZq9ayjEtb9U+PVvbusRdmCes04NCSGaoYLc4UHEr
	5s0DtXeFlxOUxL4q4DLrT2Z74SKmg7YMhTOA27xyxZyznf2j7f7LD5I0fpB5VfCif3sSE2NMkLd
	c4AUVIZYqAYqoNGRbXF9pnyejRdoV9Knjbpw4JDR8CQ4shngwEd+XvNUbeQBH2Ja5sLHn7oVOVu
	ZOOT6VYOC1yFoxRDev9sJttXfe9krxAsYGzaKB6f88q51yOqRUVVOKke+UYoCqI9ptM8/dT8y0C
	aqRPhzTI47z5ri/OuHm/G6
X-Received: by 2002:a17:902:ebc3:b0:2b0:6e6a:8504 with SMTP id
 d9443c01a7336-2bd7e973c40mr125388885ad.27.1779018838177;
        Sun, 17 May 2026 04:53:58 -0700 (PDT)
Received: from lgs.. ([101.76.249.46])
        by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-2bd5d0fd856sm118282215ad.66.2026.05.17.04.53.55
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 17 May 2026 04:53:57 -0700 (PDT)
From: Guangshuo Li <lgs201920130244@gmail.com>
To: Neil Armstrong <neil.armstrong@linaro.org>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Kevin Hilman <khilman@baylibre.com>,
	Jerome Brunet <jbrunet@baylibre.com>,
	Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
	Hans Verkuil <hverkuil@kernel.org>,
	linux-media@vger.kernel.org,
	linux-amlogic@lists.infradead.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org
Cc: Guangshuo Li <lgs201920130244@gmail.com>
Subject: [PATCH] media: meson: ge2d: avoid double free on video register
 failure
Date: Sun, 17 May 2026 19:53:43 +0800
Message-ID: <20260517115343.955015-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

ge2d_probe() allocates a video_device with video_device_alloc() and
releases it from the rel_vdev error path if video_register_device()
fails.

This can double free the video_device when __video_register_device()
reaches device_register() and that call fails:

  video_register_device()
    -> __video_register_device()
       -> device_register() fails
          -> put_device(&vdev->dev)
             -> v4l2_device_release()
                -> vdev->release(vdev)
                   -> video_device_release(vdev)

  ge2d_probe()
    -> rel_vdev
       -> video_device_release(ge2d->vfd)

Use video_device_release_empty() while registering the device so that
registration failure paths do not free ge2d->vfd through vdev->release().
ge2d_probe() then releases ge2d->vfd exactly once from rel_vdev. Restore
video_device_release() after successful registration so the registered
device keeps its normal lifetime handling.

This issue was found by a static analysis tool I am developing.

Fixes: 59a635327ca7 ("media: meson: Add M2M driver for the Amlogic GE2D Acc=
elerator Unit")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/media/platform/amlogic/meson-ge2d/ge2d.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c b/drivers/med=
ia/platform/amlogic/meson-ge2d/ge2d.c
index c5dc03905ce0..b367169e6ad8 100644
--- a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c
+++ b/drivers/media/platform/amlogic/meson-ge2d/ge2d.c
@@ -983,6 +983,7 @@ static int ge2d_probe(struct platform_device *pdev)
 	}
=20
 	*vfd =3D ge2d_videodev;
+	vfd->release =3D video_device_release_empty;
 	vfd->lock =3D &ge2d->mutex;
 	vfd->v4l2_dev =3D &ge2d->v4l2_dev;
=20
@@ -1005,6 +1006,7 @@ static int ge2d_probe(struct platform_device *pdev)
=20
 	v4l2_info(&ge2d->v4l2_dev, "Registered %s as /dev/%s\n",
 		  vfd->name, video_device_node_name(vfd));
+	vfd->release =3D video_device_release;
=20
 	return 0;
=20
--=20
2.43.0