When the v4l-subdev device node is released it calls the
v4l2_device_release_subdev_node() function which sets sd->devnode
to NULL.

However, the v4l2_subdev struct may already have been freed by then,
so this writes into freed memory.

Instead just use the regular video_device_release release function
(just calls kfree) and set sd->devnode to NULL right after the
video_unregister_device() call.

Signed-off-by: Hans Verkuil <[email protected]>
---
 drivers/media/v4l2-core/v4l2-device.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-device.c 
b/drivers/media/v4l2-core/v4l2-device.c
index e0ddb9a52bd1..57a7b220fa4d 100644
--- a/drivers/media/v4l2-core/v4l2-device.c
+++ b/drivers/media/v4l2-core/v4l2-device.c
@@ -216,13 +216,6 @@ int v4l2_device_register_subdev(struct v4l2_device 
*v4l2_dev,
 }
 EXPORT_SYMBOL_GPL(v4l2_device_register_subdev);
 
-static void v4l2_device_release_subdev_node(struct video_device *vdev)
-{
-       struct v4l2_subdev *sd = video_get_drvdata(vdev);
-       sd->devnode = NULL;
-       kfree(vdev);
-}
-
 int v4l2_device_register_subdev_nodes(struct v4l2_device *v4l2_dev)
 {
        struct video_device *vdev;
@@ -250,7 +243,7 @@ int v4l2_device_register_subdev_nodes(struct v4l2_device 
*v4l2_dev)
                vdev->dev_parent = sd->dev;
                vdev->v4l2_dev = v4l2_dev;
                vdev->fops = &v4l2_subdev_fops;
-               vdev->release = v4l2_device_release_subdev_node;
+               vdev->release = video_device_release;
                vdev->ctrl_handler = sd->ctrl_handler;
                err = __video_register_device(vdev, VFL_TYPE_SUBDEV, -1, 1,
                                              sd->owner);
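Review bot: The new `vdev->release = video_device_release;` depends on an invariant that is stated only in the commit message: the release callback runs when the last reference to the node is dropped, which can be after the owning v4l2_subdev is freed, so it must not dereference sd. A one-line comment at this assignment would keep a later change from reintroducing a subdev-touching release, e.g. `/* Must not touch sd: release can run after the subdev is freed. */`. The removed helper obtained sd via video_get_drvdata(vdev), so presumably vdev's driver data still points at sd after unregister; the same constraint applies to anything reached from the release path. The enclosing function v4l2_device_register_subdev_nodes starts before and continues after this hunk.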
@@ -319,6 +312,7 @@ void v4l2_device_unregister_subdev(struct v4l2_subdev *sd)
        }
 #endif
        video_unregister_device(sd->devnode);
+       sd->devnode = NULL;
        if (!sd->owner_v4l2_dev)
                module_put(sd->owner);
 }
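Review bot: `sd->devnode = NULL;` now clears the pointer at unregister time rather than when the node is actually freed, so between this point and the last close the video_device still exists but is no longer reachable through sd->devnode, and any code that inspected sd->devnode after unregister (if there is any) now sees NULL. That appears to be the intended trade-off, but the ordering is easy to "fix" later without the context, so it deserves a comment here: `/* Clear now, while sd is still alive; the node's release callback no longer does it. */`. v4l2_device_unregister_subdev begins before this hunk.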
-- 
2.20.1
