From nobody Mon May 25 05:13:58 2026 Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 14BF140C5A6 for ; Mon, 18 May 2026 12:52:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779108740; cv=none; b=kwuO8ly/MPq5dux2qIJk5SeQt8WPhgFKb4r2zFGl4rHtpt+Ml9+ABbw+dg8t/V8imbxw5rKNW0th6+GoFdbllEySnPB5K3RyAQtyZhJHbDiMnJ+fPA0vnQCBMbHOtrg3xD+SE+VsWE1Og7AqP956yoyAhItmN74+shJ8W02xBKY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779108740; c=relaxed/simple; bh=/k5HGROMAkHXH0aWD6D+yLoygWZydZTfR30dK+Rb+00=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=iOzJg21QRmEvivuO/eXbPT/gKWI8nmJnR+szwn2V2rr7qb0bO6b3zcRsgUrY/VXGkZ5rNB9i+PFRmaobO8vVYs4ebccH91mUOvlodLbp2MOUbblI+NbxKmRwnnNNUz1SjUoGYEwKqf/5Q8WEMEHNW5DEpGdT+EWptYgRb48hL0Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=TnDEhtDm; arc=none smtp.client-ip=209.85.216.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="TnDEhtDm" Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-36974220e45so785121a91.0 for ; Mon, 18 May 2026 05:52:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779108738; x=1779713538; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=8459ka1i7cq2n7IBawpfs6eiuW3MTLtx44g6qMux+Ps=; b=TnDEhtDmHonqc8WEPH6DR8yitDB+WRUODIU7+xC6H4LaDO7FMLhGhLioxmdF7pD65Y mb1O8ahVxxMIr0HPJCq/nGCfFK2ciwM+aVZI9nIHyPDTJigqv9TC0uhUG0PZoaXXudPs Jl+WRtdxUNN3XHiZwI4YkNDX+fm+hvsT9UvrlBhKqCZ35TKDrIUpK5jz2ZlCvLbCQOdA vurfDBiwW5VfOwdRo+8q/Jw2Mjip4YfG6Fxe3SSOVWEpTaJvS0tlEUIma9qg8AttBOaA dpiDNfMxVsQmFGJGuX//pHkSH9RlUqqS0vaWw8z20GHJrfBAID+BFZzkXviMX5EO0Hmp CyzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779108738; x=1779713538; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=8459ka1i7cq2n7IBawpfs6eiuW3MTLtx44g6qMux+Ps=; b=FcyCV0dSQTOx5z96/TA1TTuAqHoeSSwHZ9D8EU6AqilQAT2HstOEEE6i1gDxPt7N3y +y+/pbqvRujhvMi6b7GNthi0F6G/nwYgm+qtJqkTTEO7j0MoY7ftk4u2/sbufFeGRetn WGQvNoGw3Yh9E+pOq5skuq6VCJsB7NS25GvM3Aef4XkQtLfFdPNOBgsTQVrrzGx9pLwI 2sVqYySHkx2jmjZMvDyC+xBDt721GuXQd0e2seBCE5URt529kJnORh+U9EyZ8XrTx+i+ uD5VkZ7TI4pwEQThIwdiolgZE34VKqOv4rVzp/VqlS9Mdj2237LQx0BhHpbvNn8l0HMP P9yw== X-Forwarded-Encrypted: i=1; AFNElJ/VeMuyA2IfRXy0cQ0Lrfrj2D1wq6EGDfCupWx8KuBUOcebG7HZub69lAoQTXKBFro5O/4K0WF5Rje3qfo=@vger.kernel.org X-Gm-Message-State: AOJu0Yx+NjNfLM9QndWOVt/DBdBesKFqgzUWwkBN91QC40u8s1VQ0wQn 2oFlHn1de8dH/UGuTnDqxF9MCxvOER7gUkzX+rjcQiq1Lsg60+jWS6Am X-Gm-Gg: Acq92OFnpRDdDr9ZApd2+wLeKq19W2kK+vOCe2qD3SMtca5/3oWANTcksMcm6FQ6bgs exZZE2crRaq/hv4wINDiTr88bgDWuaU6jeix2xnHhICb/CEW1k+KZmPAghJRDyeVSyCl3i28iPF y7BirB6WWtv8w2vzPjEoDACgB7uEED3w/hNDeU9p7Eketgh29G00xQ933zYRpgdetf68Tmyr6jo 6dk2vWChbAYGra+mmAlc5hE1GCgoq0MTlKqFSTKd2aJkURnotxIw6A/R+9mPBEtK8cc2j+jBItr pEpchIlfo+ntB7O15bBui+IS6eJV6rPZyEc4AbMCNOiJPKsT5MNdhDuwsbRIRO+NVCWvlAnneho zVh1RPGHLsmMmxOLhkUw3O9XvX/zOcFlKENH4zgzFJKv90XQzHJQd44omWeOhaJoPFC+4axCu4T WRSiIeu3Ho+ZANal14zOPAHVk= X-Received: by 2002:a17:90b:1d8e:b0:35b:d795:cf5d with SMTP id 98e67ed59e1d1-3695137f713mr10939480a91.5.1779108738463; Mon, 18 May 2026 05:52:18 -0700 (PDT) Received: from lgs.. ([101.36.111.22]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-369517ed182sm11265900a91.15.2026.05.18.05.52.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 05:52:18 -0700 (PDT) From: Guangshuo Li To: Bin Liu , Mauro Carvalho Chehab , Matthias Brugger , AngeloGioacchino Del Regno , Tomasz Figa , Hans Verkuil , Xia Jiang , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Cc: Guangshuo Li Subject: [PATCH] media: mediatek: jpeg: avoid double free on video register failure Date: Mon, 18 May 2026 20:51:43 +0800 Message-ID: <20260518125143.998572-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" mtk_jpeg_probe() allocates a video_device with video_device_alloc() and releases it from the err_vfd_jpeg_register error path if video_register_device() fails. This can double free the video_device when __video_register_device() reaches device_register() and that call fails: video_register_device() -> __video_register_device() -> device_register() fails -> put_device(&vdev->dev) -> v4l2_device_release() -> vdev->release(vdev) -> video_device_release(vdev) mtk_jpeg_probe() -> err_vfd_jpeg_register -> video_device_release(jpeg->vdev) Use video_device_release_empty() while registering the device so that registration failure paths do not free jpeg->vdev through vdev->release(). mtk_jpeg_probe() then releases jpeg->vdev exactly once from err_vfd_jpeg_register. Restore video_device_release() after successful registration so the registered device keeps its normal lifetime handling. This issue was found by a static analysis tool I am developing. Fixes: 2ac8015f156b ("media: platform: Rename existing functions/defines/va= riables") Signed-off-by: Guangshuo Li --- drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers= /media/platform/mediatek/jpeg/mtk_jpeg_core.c index c01124a349f6..9888ac8dd6e4 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1362,7 +1362,7 @@ static int mtk_jpeg_probe(struct platform_device *pde= v) jpeg->vdev->fops =3D &mtk_jpeg_fops; jpeg->vdev->ioctl_ops =3D jpeg->variant->ioctl_ops; jpeg->vdev->minor =3D -1; - jpeg->vdev->release =3D video_device_release; + jpeg->vdev->release =3D video_device_release_empty; jpeg->vdev->lock =3D &jpeg->lock; jpeg->vdev->v4l2_dev =3D &jpeg->v4l2_dev; jpeg->vdev->vfl_dir =3D VFL_DIR_M2M; @@ -1374,6 +1374,7 @@ static int mtk_jpeg_probe(struct platform_device *pde= v) v4l2_err(&jpeg->v4l2_dev, "Failed to register video device\n"); goto err_vfd_jpeg_register; } + jpeg->vdev->release =3D video_device_release; =20 video_set_drvdata(jpeg->vdev, jpeg); v4l2_info(&jpeg->v4l2_dev, --=20 2.43.0