Hi Arvind,

Yes, I know, this is an extremely late reply. I'm cleaning up some old patches
that fell through the cracks, and this is one of them. My apologies.

On 3/20/18 12:16 PM, Arvind Yadav wrote:
> Here, double-free is happening on error path of hdpvr_probe.
> 
> error_v4l2_unregister:
>   v4l2_device_unregister(&dev->v4l2_dev);
>    =>
>     v4l2_device_disconnect
>     =>
>      put_device
>      =>
>       kobject_put
>       =>
>        kref_put
>        =>
>         v4l2_device_release
>         =>
>          hdpvr_device_release (CALLBACK)

This isn't right: the release callback of struct v4l2_device isn't used
by this driver. The hdpvr_device_release function you refer to is that
of struct video_device.

>          =>
>          kfree(dev)
> 
> error_free_dev:
>            kfree(dev)
> 
> Signed-off-by: Arvind Yadav <arvind.yadav...@gmail.com>
> ---
> reported by:
>            Dan Carpenter<dan.carpen...@oracle.com>

Do you have a pointer to the original report by Dan Carpenter?

Regards,

        Hans

> 
>  drivers/media/usb/hdpvr/hdpvr-core.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/usb/hdpvr/hdpvr-core.c 
> b/drivers/media/usb/hdpvr/hdpvr-core.c
> index 29ac7fc..cab100a0 100644
> --- a/drivers/media/usb/hdpvr/hdpvr-core.c
> +++ b/drivers/media/usb/hdpvr/hdpvr-core.c
> @@ -395,6 +395,7 @@ static int hdpvr_probe(struct usb_interface *interface,
>       kfree(dev->usbc_buf);
>  error_v4l2_unregister:
>       v4l2_device_unregister(&dev->v4l2_dev);
> +     dev = NULL;
>  error_free_dev:
>       kfree(dev);
>  error:
> 
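Review bot: the `dev = NULL;` added under error_v4l2_unregister is only correct if v4l2_device_unregister() has already freed dev on every path that reaches that label, because it turns the following kfree(dev) at error_free_dev into a no-op. The reply above disputes exactly that (the release callback named in the commit message belongs to struct video_device, not struct v4l2_device), and if dev is not freed there, this line replaces the suspected double free with a leak of dev. The label is also entered by fall-through from the kfree(dev->usbc_buf) cleanup above it, so the assignment affects those paths as well. Please confirm which object's release callback actually frees dev and at what point in probe it becomes armed, and state that ownership in the commit message or in a comment at the label rather than relying on a silent NULL assignment.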
