From: Guangshuo Li
To: Minghsiu Tsai, Houlong Wei, Andrew-CT Chen, Mauro Carvalho Chehab, Matthias Brugger, AngeloGioacchino Del Regno, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org
Cc: Guangshuo Li
Subject: [PATCH] media: mediatek: mdp: avoid double free on video register failure
Date: Mon, 18 May 2026 20:55:00 +0800
Message-ID: <20260518125500.1000083-1-lgs201920130244@gmail.com>

mtk_mdp_register_m2m_device() allocates a video_device with
video_device_alloc() and releases it from the err_m2m_init error path if
video_register_device() fails.

This can double free the video_device when __video_register_device()
reaches device_register() and that call fails:

  video_register_device()
    -> __video_register_device()
       -> device_register() fails
          -> put_device(&vdev->dev)
             -> v4l2_device_release()
                -> vdev->release(vdev)
                   -> video_device_release(vdev)

  mtk_mdp_register_m2m_device()
    -> err_m2m_init
       -> video_device_release(mdp->vdev)

Use video_device_release_empty() while registering the device so that
registration failure paths do not free mdp->vdev through vdev->release().
mtk_mdp_register_m2m_device() then releases mdp->vdev exactly once from
err_m2m_init.

Restore video_device_release() after successful registration so the
registered device keeps its normal lifetime handling.

Clear mdp->vdev after releasing it on failure to avoid leaving a stale
pointer behind.

This issue was found by a static analysis tool I am developing.

Fixes: 7febb418a32a ("[media] mtk-mdp: allocate video_device dynamically")
Signed-off-by: Guangshuo Li
---
 drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c b/drivers/me= dia/platform/mediatek/mdp/mtk_mdp_m2m.c index d2813890cceb..5cc80a542eda 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c @@ -1185,7 +1185,7 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *m= dp) mdp->vdev->device_caps =3D V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_STREAMING; mdp->vdev->fops =3D &mtk_mdp_m2m_fops; mdp->vdev->ioctl_ops =3D &mtk_mdp_m2m_ioctl_ops; - mdp->vdev->release =3D video_device_release; + mdp->vdev->release =3D video_device_release_empty; mdp->vdev->lock =3D &mdp->lock; mdp->vdev->vfl_dir =3D VFL_DIR_M2M; mdp->vdev->v4l2_dev =3D &mdp->v4l2_dev; @@ -1205,6 +1205,7 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *m= dp) dev_err(dev, "failed to register video device\n"); goto err_vdev_register; } + mdp->vdev->release =3D video_device_release; =20 v4l2_info(&mdp->v4l2_dev, "driver registered as /dev/video%d", mdp->vdev->num); @@ -1213,7 +1214,8 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *m= dp) err_vdev_register: v4l2_m2m_release(mdp->m2m_dev); err_m2m_init: - video_device_release(mdp->vdev); + video_device_release(mdp->vdev) + mdp->vdev =3D NULL; err_video_alloc: =20 return ret; --=20 2.43.0
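
Review bot: the assignment of video_device_release_empty in the first hunk (@@ -1185,7 +1185,7) has no comment, and read on its own it looks as if the vdev from video_device_alloc() is never freed through its release callback. Please add a short comment at that line saying the empty release is temporary, that it only covers the video_register_device() failure paths, and that err_m2m_init performs the single free.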
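
Review bot: in the second hunk (@@ -1205,6 +1205,7) the line "mdp->vdev->release = video_device_release;" runs only after video_register_device() has already returned success, so the device is registered for a short window while its release callback is still the empty one. If the last reference were dropped in that window the vdev would not be freed. Please either say in the commit message or in a comment why nothing can drop the last reference before this assignment, or restructure so the release callback does not have to change after registration.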
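
Review bot: in the last hunk (@@ -1213,7 +1214,8) the re-added line under err_m2m_init, "video_device_release(mdp->vdev)", has lost its trailing semicolon compared with the line it replaces, so the statement runs into "mdp->vdev = NULL;" and the file will not build as posted. Restore the semicolon (at which point that line is unchanged and the hunk should only add the NULL assignment), and build-test before resending.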