target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch

   1 From 3922bebc11fcc8459c798cfcb582828f9bbaa9e9 Mon Sep 17 00:00:00 2001
   2 From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
   3 Date: Thu, 28 Sep 2023 11:33:53 +0300
   4 Subject: [PATCH] media: rp1: cfe: Fix use of freed memory on errors
   5
   6 cfe_probe_complete() calls cfe_put() on both success and fail code paths.
   7 This works for the success path, but causes the cfe_device struct to be
   8 freed, even if it will be used later in the teardown code.
   9
  10 Fix this by making the ref handling a bit saner: Let the video nodes
  11 have the refs as they do now, but also keep a ref in the "main" driver,
  12 released only at cfe_remove() time. This way the driver does not depend
  13 on the video nodes keeping the refs.
  14
  15 Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
  16 ---
  17  drivers/media/platform/raspberrypi/rp1_cfe/cfe.c | 9 ++-------
  18  1 file changed, 2 insertions(+), 7 deletions(-)
  19
  20 --- a/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
  21 +++ b/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
  22 @@ -1837,17 +1837,10 @@ static int cfe_probe_complete(struct cfe
  23                 goto unregister;
  24         }
  25
  26 -       /*
  27 -        * Release the initial reference, all references are now owned by the
  28 -        * video devices.
  29 -        */
  30 -       cfe_put(cfe);
  31         return 0;
  32
  33  unregister:
  34         cfe_unregister_nodes(cfe);
  35 -       cfe_put(cfe);
  36 -
  37         return ret;
  38  }
  39
  40 @@ -2129,6 +2122,8 @@ static int cfe_remove(struct platform_de
  41
  42         v4l2_device_unregister(&cfe->v4l2_dev);
  43
  44 +       cfe_put(cfe);
  45 +
  46         return 0;
  47  }
  48