From nobody Mon May 25 05:13:48 2026 Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0FB9A3EC2F7 for ; Mon, 18 May 2026 10:51:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779101464; cv=none; b=YTmstrxgHjjenhd6n+eBmCrTkbKFX75l0zBWdfsGj+w/T/HmqZlr2VBZ2C9+7u68DzTKiJI+qYcD3SZQKTwxD4uw54j9FsQcpwVnpSwtl5LGcypCBEnZuuZZRmdMJeN7+0TQaGjFAOxmfZ04M1YZwVvDSAmB7ZCF4NRhITaI+Ww= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779101464; c=relaxed/simple; bh=uPXnstoQIYOFla6f9jhOieLybnCGhI4o89svjf2rQvM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Or2vwstytAwyIlpJR4jeDag9LhGy/rukXUOkxSHIvWj+duZOYV13/e0wtsxX2U1F3saXbbwFvkeFj/4Vv7ROS49rPT57SjUULqbT3+BMXPL5+JKSWaFkm+xE61EOdAkUEabGFWs/X6r20IXm8/dkPDRnv4cN7BqUWRc5OQedsQM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=l0+MkBkt; arc=none smtp.client-ip=209.85.210.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="l0+MkBkt" Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-83f674f978fso371187b3a.3 for ; Mon, 18 May 2026 03:51:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779101456; x=1779706256; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=RIMY2Bq2jV6px0A0JMLvS5BCI2aRnJA8nAgU6QBmpK8=; b=l0+MkBktYOgowCqXVWtDc+JijVMvVrqKNAFApCCnKJIrJIChdBveCFYnDhwHux2xcf ek3+omnQRrp09hhEpV1dJ0HyATTvYwBu0nes0ml1vo5S0qdP58dApKc9bDjA/8WTn7sm BqC7YIoSQ3A7CyYkwM39YiXY+CX80TsV2sVI9c9GDfICUIIFFXbYRmBA7SzCRXZssH7k cWpXIaiqhfqVb0S3kIoUKgmxBl0+7HZl7dPXMa0HUEWpt/5tgSxLvT0xLJwMK4XNYAda 2vTTSzT+dIkJUXJ7+dQR51mAzWAdiJo/3mhfVGuTEXuGeRc3meaN1b5UX5S5/6RBAd9F e2wQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779101456; x=1779706256; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=RIMY2Bq2jV6px0A0JMLvS5BCI2aRnJA8nAgU6QBmpK8=; b=oeT6WQBh02hE7T3aRV6iRYrexVvHC94/Zb5KQuVh8ou097POvxU0a0MgtHSD2KtgnO rsCDfAfSvvRti8vrrnhF8VqCO1dbmicFbpx3m1432pE1HUqsgHcx8pOYcA7a7Hr9+1KI zKi7GzjO1lAWfmtNoN8EuOO4Gy6sS79FPm+JSX657XrpUzvAvnjOux7RVhwU4Tycni2E EvAu5+DmAUNZZRVKVHGiWc5upAJnOtx/eNg5aNmQHTKzL2pdTGZnNcGsDsQC1ldc9eg5 IXMj5oPrivQq9AMlcLE5i8f8zGLG6/lTxSn7mFEKHMYvMeS7DHS8WqXs++GPDu9exvar v5Pg== X-Forwarded-Encrypted: i=1; AFNElJ+PuT0hklRpEOjyytUuLWTXMtcjqlMPNxRPFl7kG0eaf6HQ7Y5ycsoZpL7Qv5GxC2J5OqpuBu6cKCdkwe0=@vger.kernel.org X-Gm-Message-State: AOJu0Yw94hY+cBLPY3eUhE3DRwhek/0pFFlmM6TSCsnAdrO/B4wN2NL0 Gd+tPaw9w6shKfSP413GKV6muAV8ehfG1dUgJiHt7ckses0FsFrHd+1l X-Gm-Gg: Acq92OHoap+6Ye2ziMTDj6TEOLbaY1D9uloLBgD2HjMs9IwqSwYfqKSZ2vnd6r0l48t z66nEBE7vmMym21yCFpn7Uywopp2YhLr+8pABUPLLIZl/NUwhE3+uzjF0wYVOKsfJukWaOnGRJP Cm6pDlYLm6P4D02/CWU0SgRh9Q4rrxVkQXCbFk/TC4GkC7O746HfBcsPoE8OBKYZTb67tSITHN0 ulcaw2iga6ILTF5Jc03QwfxSBgl3lX6Py4pqDgFosZgOzgYLLTf57SVCiSCEpKhWuxdy1EVsBQn EoP1XT3x3ciouvESUKSq4GLMFrobRMW6oxgYvZk/ITuY75XK31s/vTLMQmh7q4MIKk10imhxeYj Yli8CeZy/TjkG+pLgmojPq6/rfv7zY1/mjq6y6mTXRYy4I9BZedI0efUlf99z7wPz+0dS7+yk8+ /qik5oIkWpbyEmZA== X-Received: by 2002:a05:6a00:10c6:b0:83f:2568:d45f with SMTP id d2e1a72fcca58-83f33c60b28mr15900647b3a.23.1779101456029; Mon, 18 May 2026 03:50:56 -0700 (PDT) Received: from lgs.. ([101.36.109.157]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-83f1979a0b2sm14013855b3a.26.2026.05.18.03.50.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 03:50:55 -0700 (PDT) From: Guangshuo Li To: Michael Krufky , Mauro Carvalho Chehab , "Maciej S. Szmigiero" , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li Subject: [PATCH] media: cxusb: avoid double free on radio register failure Date: Mon, 18 May 2026 18:50:33 +0800 Message-ID: <20260518105033.987729-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" cxusb_medion_register_analog_radio() allocates a video_device with video_device_alloc() and releases it if video_register_device() fails. This can double free the video_device when __video_register_device() reaches device_register() and that call fails: video_register_device() -> __video_register_device() -> device_register() fails -> put_device(&vdev->dev) -> v4l2_device_release() -> vdev->release(vdev) -> video_device_release(vdev) cxusb_medion_register_analog_radio() -> video_device_release(cxdev->radiodev) Use video_device_release_empty() while registering the device so that registration failure paths do not free cxdev->radiodev through vdev->release(). cxusb_medion_register_analog_radio() then releases cxdev->radiodev exactly once on failure. Restore video_device_release() after successful registration so the registered device keeps its normal lifetime handling. This issue was found by a static analysis tool I am developing. Fixes: e478d4054054 ("media: cxusb: add analog mode support for Medion MD95= 700") Signed-off-by: Guangshuo Li --- drivers/media/usb/dvb-usb/cxusb-analog.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/dvb-usb/cxusb-analog.c b/drivers/media/usb/d= vb-usb/cxusb-analog.c index 2d899af0d5c3..c31a46e59495 100644 --- a/drivers/media/usb/dvb-usb/cxusb-analog.c +++ b/drivers/media/usb/dvb-usb/cxusb-analog.c @@ -1690,7 +1690,7 @@ static int cxusb_medion_register_analog_radio(struct = dvb_usb_device *dvbdev) strscpy(cxdev->radiodev->name, "cxusb", sizeof(cxdev->radiodev->name)); cxdev->radiodev->vfl_dir =3D VFL_DIR_RX; cxdev->radiodev->ioctl_ops =3D &cxusb_radio_ioctl; - cxdev->radiodev->release =3D video_device_release; + cxdev->radiodev->release =3D video_device_release_empty; cxdev->radiodev->lock =3D &cxdev->dev_lock; video_set_drvdata(cxdev->radiodev, dvbdev); =20 @@ -1702,6 +1702,7 @@ static int cxusb_medion_register_analog_radio(struct = dvb_usb_device *dvbdev) return ret; } =20 + cxdev->radiodev->release =3D video_device_release; return 0; } =20 --=20 2.43.0