Re: [PATCH 3/3] drivers/media/media-device: fix double free bug in _unregister()

[Shuah Khan <shuahkh@osg.samsung.com>]

On 06/15/2016 02:37 PM, Max Kellermann wrote:
> On 2016/06/15 22:32, Shuah Khan <shuahkh@osg.samsung.com> wrote:
>> This change introduces memory leaks, since drivers are relying on
>> media_device_unregister() to free interfaces.
> 
> This is what I thought, too, until I checked the code paths.  Who adds
> entries to that list?  Only media_gobj_create() does, and only when
> type==MEDIA_GRAPH_INTF_DEVNODE.  That is called via
> media_interface_init(), via media_devnode_create().
> 
> In the whole kernel, there are two calls to media_devnode_create():
> one in dvbdev.c and another one in v4l2-dev.c.  Both callers take care
> for freeing their interface.  Both would crash if somebody else would
> free it for them before they get a chance to do it.  Which is the very
> thing my patch addresses.
> 
> Did I miss something?
> 

Yes media_devnode_create() creates the interfaces links and these links
are deleted by media_devnode_remove(). media_device_unregister() still
needs to delete the interfaces links. The reason for that is the API
dynalic use-case.

Drivers (other than dvb-core and v4l2-core) can create and delete media
devnode interfaces during run-time, hence media_devnode_remove() has to
call media_remove_intf_links(). However, driver isn't required to call
media_devnode_remove() and media-core can't enforce that. So it is safe
for media_device_unregister() to remove interface links if the list isn't
empty. If driver does delete them,  media_device_unregister() has nothing
to do since the list is going to be empty.

So removing kfree() from media_device_unregister() isn't the correct
fix.

I don't see the stack trace for the double free error you are seeing? Could
it be that there is a driver problem in the order in which it is calling
media_device_unregister()?

thanks,
-- Shuah