Commit 468e986d authored by Laurent Pinchart's avatar Laurent Pinchart Committed by Mauro Carvalho Chehab
Browse files

media: rcar_drif: Allocate v4l2_async_subdev dynamically 



v4l2_async_notifier_add_subdev() requires the asd to be allocated
dynamically, but the rcar-drif driver embeds it in the
rcar_drif_graph_ep structure. This causes memory corruption when the
notifier is destroyed at remove time with v4l2_async_notifier_cleanup().

Fix this issue by registering the asd with
v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
internally.

Fixes: d079f94c ("media: platform: Switch to v4l2_async_notifier_add_subdev")
Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent cdd4f782

drivers/media/platform/rcar_drif.c

+6 −12
Original line number Diff line number Diff line
@@ -185,7 +185,6 @@ struct rcar_drif_frame_buf { 
/* OF graph endpoint's V4L2 async data */

struct rcar_drif_graph_ep {

	struct v4l2_subdev *subdev;	/* Async matched subdev */

	struct v4l2_async_subdev asd;	/* Async sub-device descriptor */

};



/* DMA buffer */
@@ -1109,12 +1108,6 @@ static int rcar_drif_notify_bound(struct v4l2_async_notifier *notifier, 
	struct rcar_drif_sdr *sdr =

		container_of(notifier, struct rcar_drif_sdr, notifier);



	if (sdr->ep.asd.match.fwnode !=

	    of_fwnode_handle(subdev->dev->of_node)) {

		rdrif_err(sdr, "subdev %s cannot bind\n", subdev->name);

		return -EINVAL;

	}



	v4l2_set_subdev_hostdata(subdev, sdr);

	sdr->ep.subdev = subdev;

	rdrif_dbg(sdr, "bound asd %s\n", subdev->name);
@@ -1218,7 +1211,7 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) 
{

	struct v4l2_async_notifier *notifier = &sdr->notifier;

	struct fwnode_handle *fwnode, *ep;

	int ret;

	struct v4l2_async_subdev *asd;



	v4l2_async_notifier_init(notifier);
@@ -1237,12 +1230,13 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr) 
		return -EINVAL;

	}



	sdr->ep.asd.match.fwnode = fwnode;

	sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE;

	ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd);

	asd = v4l2_async_notifier_add_fwnode_subdev(notifier, fwnode,

						    sizeof(*asd));

	fwnode_handle_put(fwnode);

	if (IS_ERR(asd))

		return PTR_ERR(asd);



	return ret;

	return 0;

}



/* Check if the given device is the primary bond */

CRA Git | Maintained and supported by SUSTech CRA and CCSE