[media] s5p-jpeg: Eliminate double kfree()

This change “[media] s5p-jpeg: Eliminate double kfree()” in the Linux kernel was authored by Andrzej Pietrasiewicz <andrzej.p [at] samsung.com> on Fri Jul 3 07:04:38 2015 -0300.

[media] s5p-jpeg: Eliminate double kfree()

video_unregister_device() calls device_unregister(), which calls
put_device(), which calls kobject_put(), and if this is the last reference
then kobject_release() is called, which calls kobject_cleanup(), which
calls ktype's release method which happens to be device_release() in this
case, which calls dev->release(), which happens to be
v4l2_device_release() in this case, which calls vdev->release(), which
happens to be video_device_release(). But video_device_release() is
called explicitly both in error recovery path of s5p_jpeg_probe() and
in s5p_jpeg_remove(). The pointers in question are not nullified between
the two calls, so this is harmful.

This patch fixes the driver so that video_device_release() is not called
twice for the same object.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
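
The release chain traced in the commit message, reduced to a userspace model. This is an added example, not code from the kernel or from this patch: every `model_*` name and `teardown_frees()` are hypothetical, and release only counts calls instead of freeing. It assumes, as the patched error branches do, that a failed registration leaves the release to the caller; `open_handle` stands for any other reference holder.

```c
#include <stdio.h>

/* Constructed userspace model of the ownership rule; not kernel code. */
struct model_vdev {
	int refs;   /* references held, as the kobject would count them */
	int frees;  /* times release ran; more than 1 means a double free */
};

/* Stands in for video_device_release(): records the free instead of doing it. */
static void model_release(struct model_vdev *v) { v->frees++; }

/* Returns 0 on success; on failure no reference exists and the caller owns v. */
static int model_register(struct model_vdev *v, int fail)
{
	if (fail)
		return -1;
	v->refs = 1;
	return 0;
}

/* Drops one reference; only the last put runs the release callback. */
static void model_put(struct model_vdev *v)
{
	if (v->refs > 0 && --v->refs == 0)
		model_release(v);
}

/* Tears down one device; explicit_release = 1 is the pre-patch behaviour. */
static int teardown_frees(int register_fails, int open_handle, int explicit_release)
{
	struct model_vdev v = { 0, 0 };

	if (model_register(&v, register_fails)) {
		model_release(&v);      /* patched error branch: caller releases */
		return v.frees;
	}
	if (open_handle)
		v.refs++;               /* a holder that outlives unregister */
	model_put(&v);                  /* unregister drops the registration ref */
	if (explicit_release)
		model_release(&v);      /* pre-patch: extra free of the same object */
	if (open_handle)
		model_put(&v);          /* holder's final put runs release */
	return v.frees;
}

int main(void)
{
	printf("pre-patch remove: %d frees\n", teardown_frees(0, 0, 1));
	printf("patched remove:   %d frees\n", teardown_frees(0, 0, 0));
	return 0;
}
```

With `open_handle` set, the pre-patch order frees the object while a reference is still held, and the holder's final put then frees it a second time.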

This change may have been applied to several maintained Linux releases; look for Linux releases that include commit 7a1d4e7.

This change adds or deletes 14 lines of Linux source code. The code changes to the Linux kernel are as follows.

 drivers/media/platform/s5p-jpeg/jpeg-core.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
index bfbf157..9690f9d 100644
--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -2544,7 +2544,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev)
 	ret = video_register_device(jpeg->vfd_encoder, VFL_TYPE_GRABBER, -1);
 	if (ret) {
 		v4l2_err(&jpeg->v4l2_dev, "Failed to register video devicen");
-		goto enc_vdev_alloc_rollback;
+		video_device_release(jpeg->vfd_encoder);
+		goto vb2_allocator_rollback;
 	video_set_drvdata(jpeg->vfd_encoder, jpeg);
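Review bot: in the encoder failure branch, jpeg->vfd_encoder still holds the freed pointer after video_device_release(jpeg->vfd_encoder), and the commit message names un-nullified pointers as what made the old double call harmful. Setting jpeg->vfd_encoder = NULL right after the release would keep a stray second release or dereference later in the rollback path from reaching freed memory.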
@@ -2572,7 +2573,8 @@ static int s5p_jpeg_probe(struct platform_device *pdev)
 	ret = video_register_device(jpeg->vfd_decoder, VFL_TYPE_GRABBER, -1);
 	if (ret) {
 		v4l2_err(&jpeg->v4l2_dev, "Failed to register video devicen");
-		goto dec_vdev_alloc_rollback;
+		video_device_release(jpeg->vfd_decoder);
+		goto enc_vdev_register_rollback;
 	video_set_drvdata(jpeg->vfd_decoder, jpeg);
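Review bot: the decoder failure branch jumps to enc_vdev_register_rollback with jpeg->vfd_decoder already released, and the body of that label is not part of this hunk as shown. Please confirm that nothing reachable from enc_vdev_register_rollback touches jpeg->vfd_decoder, and that the encoder is freed there exactly once through its unregister path rather than by a remaining explicit release.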
@@ -2589,15 +2591,9 @@ static int s5p_jpeg_probe(struct platform_device *pdev)
 	return 0;
-	video_device_release(jpeg->vfd_decoder);
-	video_device_release(jpeg->vfd_encoder);
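Review bot: the rollback ladder after return 0 loses both video_device_release() calls without any comment saying why, so the next person tidying the error path may well put them back. A one-line comment at the top of the ladder, stating that a registered video device is freed by its release callback during unregister and must not be released again, would document the rule the commit message spells out.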
@@ -2622,9 +2618,7 @@ static int s5p_jpeg_remove(struct platform_device *pdev)
-	video_device_release(jpeg->vfd_decoder);
-	video_device_release(jpeg->vfd_encoder);
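Review bot: with both explicit releases gone from s5p_jpeg_remove(), jpeg->vfd_decoder and jpeg->vfd_encoder may already be freed once the unregister calls return, and those calls are not shown in this hunk. Please confirm that no statement in s5p_jpeg_remove() reads either pointer after its video_unregister_device() call.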

The commit for this change in the Linux stable tree is 7a1d4e7 (patch).
