From nobody Mon May 25 05:12:56 2026 Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1972B330B01 for ; Mon, 18 May 2026 10:40:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.52 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779100816; cv=none; b=u/0nPjdxcxEBVhk8V9S0YlNk2XB1XYk93pd4fj6aVIjq5onLjA/8IzuS2plZgQk83ScGMm5EmRwBvUG0F8KknpbFWw9YRefiP9Ijnq+0FNy3XbaZtpm/qa96pS9LSBHkoGwJHpQw46YqVjRbA20BXpjmY5q+PiGG9MNEJIrl10E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779100816; c=relaxed/simple; bh=AzZYAm4KSrCK19dR2eFGIHzeT1vCYE27NiC2mnilmvM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=GxrB0tPace5qi7lP6nQyr3ZGZKwnHOr5ai9CokYu8f6/kHyTbCNzrzeuxgae2VoV5fg+2PD5EnWMkouk5LVqaNzozoN4ZzFEKtEc9A3yichbp4NTrdxO+GOM9AMKPkBRN/cXFoXEAlR5pQOz9bGVk1W9gD1uabQeZVPIiP5osIk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lOt9r91t; arc=none smtp.client-ip=209.85.216.52 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lOt9r91t" Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-36974220e45so714647a91.0 for ; Mon, 18 May 2026 03:40:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779100804; x=1779705604; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=yVAUdDDbfPPQoElmwOeWDH4WW4jPC2mM4cIyuovCdkU=; b=lOt9r91tJWLscgUI4ItN7MzyT/uBGmnyeY6CheW16GDXbCbRbPL6lcD0FUusd+XJZ8 jodJw2hYpxtqlthf9vUrPSlJdaLyEWBP8y3FOekd4qxjUW2vY1VNwOZWQ0Os84asKna0 dZMcsrhX6+1S3y+ZCbTB+8Y/RC1bSIFHA90RtkWVmo/dgsT3/5vfCJuVw2Tee0brYGRp lY8qskfykdn6Ghly5agTP7cMQSlOpK0s0elweoOed2MZH9kBlNEK+Bpu0goOtnkSJwk3 Z5to2RxfBU3WAWx3ZCr4O3C7l5IpZ0EcRB3vKsduatN6c5BLD0o4CXFl89ZNpLCiW7Ln y3Gw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779100804; x=1779705604; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yVAUdDDbfPPQoElmwOeWDH4WW4jPC2mM4cIyuovCdkU=; b=nWwi/pax8TGjgaj5pIMWGKVm/eDbVWxSu/8EW7SZ1qsDTNXkljBNllUNss3HOJYCY5 bMiHHYJzhjrR80t1IBaDGoe8TAfDlvp5z8NkMgBea8bNFv20A5XoYP6m5kOtmoeqRI0P xK5LZV6SjTS7CGOb4cI2IIFKF28Likcyu9/vNBdgOkVBgEu5nDUYgW9UFn3BExj1ZUR6 u/VoztuL+CioLe5vCBxv5XWGJs6SmBoFHNspSwf81cmnS8XdgTYGjvtVMiCl6TFGV5r0 9fOKiIj1ZjgwjJJcc5BnUz4Z1HsOrgcOPEh5kj6lvuYuw4+KpxkXp7KEaQYMlubrU5pw Gb0A== X-Forwarded-Encrypted: i=1; AFNElJ/1ekjGck6ONgSHZGjEht4xVFAK7FDntRTlFHl46HOKUR0wiK3jZQO5Lqc3p3QOAqpDTRGIw0pPa1MuFZ4=@vger.kernel.org X-Gm-Message-State: AOJu0YwTZDkYBC0GrfiqOhejTeXv2NvtxAkiewAKMyt8R9jqa9hOKlJL g7/SFRPrXnc1rVGjN1m6lap80jVvQzGEHhUrcG93uZSlN+v1ii/zrcMbZdBgX9spa8Y= X-Gm-Gg: Acq92OHS3PQ6ZjbCRijDRI4ROkEYfelDZLjnldFBqqmt4x4AhZ+PtjKGONZQK8mbbgx 94ZNUdJOpgShejQaiF4F1rAwhCpf77VvJ5UfsXDMXak7As9rOAe3hUPVxZgRLMkGxY1HyHM+9/T utmpmNswY0SfYSYKRDzGblWOiYC2cpUqdFqx+wcifzYnRuha6YtHymk41WPeNA3+6YrK4I09SAh JeBzainPSRrjVII0jixq/oX03Bfw9mGQ6IONtk7TUPDCwSHwvtZdNPP4TwF8bbiU7qsujApzzmq WtAkzXCGcoUw0QJGWtNCuNoSHFDVzkstw5qxqRzd9+40n+i/iH03zU6OxJbVHPhsTuULC+CgJxn 5D9T4A+xLlfLBt78tHEFt6P1BwxHgLpKb/DtuzQaVhXiG4mg97+2c32TKghttMIRbTuExBtE21q hmc2nToQ== X-Received: by 2002:a17:90b:3c83:b0:35a:10b6:1208 with SMTP id 98e67ed59e1d1-3692362524bmr16701397a91.14.1779100804381; Mon, 18 May 2026 03:40:04 -0700 (PDT) Received: from lgs.. ([2001:250:5800:1000::f280]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-36951584654sm10786470a91.7.2026.05.18.03.40.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 03:40:04 -0700 (PDT) From: Guangshuo Li To: Michael Krufky , Mauro Carvalho Chehab , "Maciej S. Szmigiero" , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li Subject: [PATCH] media: cxusb: avoid double free on video register failure Date: Mon, 18 May 2026 18:37:29 +0800 Message-ID: <20260518103729.986346-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" cxusb_medion_register_analog_video() allocates a video_device with video_device_alloc() and releases it from the ret_vrelease error path if video_register_device() fails. This can double free the video_device when __video_register_device() reaches device_register() and that call fails: video_register_device() -> __video_register_device() -> device_register() fails -> put_device(&vdev->dev) -> v4l2_device_release() -> vdev->release(vdev) -> cxusb_medion_videodev_release(vdev) cxusb_medion_register_analog_video() -> ret_vrelease -> video_device_release(cxdev->videodev) Use video_device_release_empty() while registering the device so that registration failure paths do not free cxdev->videodev through vdev->release(). cxusb_medion_register_analog_video() then releases cxdev->videodev exactly once from ret_vrelease. Restore cxusb_medion_videodev_release() after successful registration so the registered device keeps its normal lifetime handling. This issue was found by a static analysis tool I am developing. Fixes: e478d4054054 ("media: cxusb: add analog mode support for Medion MD95= 700") Signed-off-by: Guangshuo Li --- drivers/media/usb/dvb-usb/cxusb-analog.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb/cxusb-analog.c b/drivers/media/usb/d= vb-usb/cxusb-analog.c index 3bbee1fcbc8d..2d899af0d5c3 100644 --- a/drivers/media/usb/dvb-usb/cxusb-analog.c +++ b/drivers/media/usb/dvb-usb/cxusb-analog.c @@ -1654,7 +1654,7 @@ static int cxusb_medion_register_analog_video(struct = dvb_usb_device *dvbdev) cxdev->videodev->vfl_dir =3D VFL_DIR_RX; cxdev->videodev->ioctl_ops =3D &cxusb_video_ioctl; cxdev->videodev->tvnorms =3D V4L2_STD_ALL; - cxdev->videodev->release =3D cxusb_medion_videodev_release; + cxdev->videodev->release =3D video_device_release_empty; cxdev->videodev->lock =3D &cxdev->dev_lock; video_set_drvdata(cxdev->videodev, dvbdev); =20 @@ -1664,6 +1664,7 @@ static int cxusb_medion_register_analog_video(struct = dvb_usb_device *dvbdev) "video device register failed, ret =3D %d\n", ret); goto ret_vrelease; } + cxdev->videodev->release =3D cxusb_medion_videodev_release; =20 return 0; =20 --=20 2.43.0