[PATCH 5.4 083/408] media: rcar_drif: Allocate v4l2_async_subdev dynamically

Tue, 27 Oct 2020 10:42:23 -0700 

From: Laurent Pinchart <laurent.pinchart+rene...@ideasonboard.com>

[ Upstream commit 468e986dac0e94194334ca6d0abf3af8c250792e ]

v4l2_async_notifier_add_subdev() requires the asd to be allocated
dynamically, but the rcar-drif driver embeds it in the
rcar_drif_graph_ep structure. This causes memory corruption when the
notifier is destroyed at remove time with v4l2_async_notifier_cleanup().

Fix this issue by registering the asd with
v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
internally.

Fixes: d079f94c9046 ("media: platform: Switch to 
v4l2_async_notifier_add_subdev")
Signed-off-by: Laurent Pinchart <laurent.pinchart+rene...@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ai...@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+hua...@kernel.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 drivers/media/platform/rcar_drif.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/drivers/media/platform/rcar_drif.c 
b/drivers/media/platform/rcar_drif.c
index 208ff260b0c10..af3c8d405509e 100644
--- a/drivers/media/platform/rcar_drif.c
+++ b/drivers/media/platform/rcar_drif.c
@@ -185,7 +185,6 @@ struct rcar_drif_frame_buf {
 /* OF graph endpoint's V4L2 async data */
 struct rcar_drif_graph_ep {
        struct v4l2_subdev *subdev;     /* Async matched subdev */
-       struct v4l2_async_subdev asd;   /* Async sub-device descriptor */
 };
 
 /* DMA buffer */
@@ -1105,12 +1104,6 @@ static int rcar_drif_notify_bound(struct 
v4l2_async_notifier *notifier,
        struct rcar_drif_sdr *sdr =
                container_of(notifier, struct rcar_drif_sdr, notifier);
 
-       if (sdr->ep.asd.match.fwnode !=
-           of_fwnode_handle(subdev->dev->of_node)) {
-               rdrif_err(sdr, "subdev %s cannot bind\n", subdev->name);
-               return -EINVAL;
-       }
-
        v4l2_set_subdev_hostdata(subdev, sdr);
        sdr->ep.subdev = subdev;
        rdrif_dbg(sdr, "bound asd %s\n", subdev->name);
@@ -1214,7 +1207,7 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr 
*sdr)
 {
        struct v4l2_async_notifier *notifier = &sdr->notifier;
        struct fwnode_handle *fwnode, *ep;
-       int ret;
+       struct v4l2_async_subdev *asd;
 
        v4l2_async_notifier_init(notifier);
 
@@ -1233,12 +1226,13 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr 
*sdr)
                return -EINVAL;
        }
 
-       sdr->ep.asd.match.fwnode = fwnode;
-       sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
-       ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd);
+       asd = v4l2_async_notifier_add_fwnode_subdev(notifier, fwnode,
+                                                   sizeof(*asd));
        fwnode_handle_put(fwnode);
+       if (IS_ERR(asd))
+               return PTR_ERR(asd);
 
-       return ret;
+       return 0;
 }
 
 /* Check if the given device is the primary bond */
-- 
2.25.1

Reply via email to