[PATCH 5.4 084/408] media: rcar-csi2: Allocate v4l2_async_subdev dynamically

From: Greg Kroah-Hartman
Date: Tue Oct 27 2020 - 10:34:55 EST

Next message: Hui Su: "Re: [PATCH] mm,oom_kill: fix the comment of is_dump_unreclaim_slabs()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 103/408] ath10k: provide survey info as accumulated data"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 103/408] ath10k: provide survey info as accumulated data"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 089/408] media: tc358743: initialize variable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>

[ Upstream commit 2cac7cbfb4099980e78244359ab9c6f056d6a7ec ]

v4l2_async_notifier_add_subdev() requires the asd to be allocated
dynamically, but the rcar-csi2 driver embeds it in the rcar_csi2
structure. This causes memory corruption when the notifier is destroyed
at remove time with v4l2_async_notifier_cleanup().

Fix this issue by registering the asd with
v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
internally.

Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver")
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@xxxxxxxxxxxxxxxx>
Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/media/platform/rcar-vin/rcar-csi2.c | 24 +++++++++------------
1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
index c14af1b929dff..d27eccfa57cae 100644
--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
+++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
@@ -361,7 +361,6 @@ struct rcar_csi2 {
struct media_pad pads[NR_OF_RCAR_CSI2_PAD];

struct v4l2_async_notifier notifier;
- struct v4l2_async_subdev asd;
struct v4l2_subdev *remote;

struct v4l2_mbus_framefmt mf;
@@ -810,6 +809,8 @@ static int rcsi2_parse_v4l2(struct rcar_csi2 *priv,

static int rcsi2_parse_dt(struct rcar_csi2 *priv)
{
+ struct v4l2_async_subdev *asd;
+ struct fwnode_handle *fwnode;
struct device_node *ep;
struct v4l2_fwnode_endpoint v4l2_ep = { .bus_type = 0 };
int ret;
@@ -833,24 +834,19 @@ static int rcsi2_parse_dt(struct rcar_csi2 *priv)
return ret;
}

- priv->asd.match.fwnode =
- fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep));
- priv->asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
-
+ fwnode = fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep));
of_node_put(ep);

- v4l2_async_notifier_init(&priv->notifier);
-
- ret = v4l2_async_notifier_add_subdev(&priv->notifier, &priv->asd);
- if (ret) {
- fwnode_handle_put(priv->asd.match.fwnode);
- return ret;
- }
+ dev_dbg(priv->dev, "Found '%pOF'\n", to_of_node(fwnode));

+ v4l2_async_notifier_init(&priv->notifier);
priv->notifier.ops = &rcar_csi2_notify_ops;

- dev_dbg(priv->dev, "Found '%pOF'\n",
- to_of_node(priv->asd.match.fwnode));
+ asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, fwnode,
+ sizeof(*asd));
+ fwnode_handle_put(fwnode);
+ if (IS_ERR(asd))
+ return PTR_ERR(asd);

ret = v4l2_async_subdev_notifier_register(&priv->subdev,
&priv->notifier);
--
2.25.1

Next message: Hui Su: "Re: [PATCH] mm,oom_kill: fix the comment of is_dump_unreclaim_slabs()"
Previous message: Greg Kroah-Hartman: "[PATCH 5.4 103/408] ath10k: provide survey info as accumulated data"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 103/408] ath10k: provide survey info as accumulated data"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.4 089/408] media: tc358743: initialize variable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]