* [PATCH] media: mediatek: mdp: avoid double free on video register failure
@ 2026-05-18 12:55 Guangshuo Li
2026-05-18 20:30 ` kernel test robot
2026-05-19 0:21 ` kernel test robot
0 siblings, 2 replies; 4+ messages in thread
From: Guangshuo Li @ 2026-05-18 12:55 UTC (permalink / raw)
To: Minghsiu Tsai, Houlong Wei, Andrew-CT Chen, Mauro Carvalho Chehab,
Matthias Brugger, AngeloGioacchino Del Regno, Hans Verkuil,
linux-media, linux-kernel, linux-arm-kernel, linux-mediatek
Cc: Guangshuo Li
mtk_mdp_register_m2m_device() allocates a video_device with
video_device_alloc() and releases it from the err_m2m_init error path if
video_register_device() fails.
This can double free the video_device when __video_register_device()
reaches device_register() and that call fails:
video_register_device()
-> __video_register_device()
-> device_register() fails
-> put_device(&vdev->dev)
-> v4l2_device_release()
-> vdev->release(vdev)
-> video_device_release(vdev)
mtk_mdp_register_m2m_device()
-> err_m2m_init
-> video_device_release(mdp->vdev)
Use video_device_release_empty() while registering the device so that
registration failure paths do not free mdp->vdev through vdev->release().
mtk_mdp_register_m2m_device() then releases mdp->vdev exactly once from
err_m2m_init. Restore video_device_release() after successful registration
so the registered device keeps its normal lifetime handling.
Clear mdp->vdev after releasing it on failure to avoid leaving a stale
pointer behind.
This issue was found by a static analysis tool I am developing.
Fixes: 7febb418a32a ("[media] mtk-mdp: allocate video_device dynamically")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
index d2813890cceb..5cc80a542eda 100644
--- a/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
+++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
@@ -1185,7 +1185,7 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
mdp->vdev->device_caps = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_STREAMING;
mdp->vdev->fops = &mtk_mdp_m2m_fops;
mdp->vdev->ioctl_ops = &mtk_mdp_m2m_ioctl_ops;
- mdp->vdev->release = video_device_release;
+ mdp->vdev->release = video_device_release_empty;
mdp->vdev->lock = &mdp->lock;
mdp->vdev->vfl_dir = VFL_DIR_M2M;
mdp->vdev->v4l2_dev = &mdp->v4l2_dev;
@@ -1205,6 +1205,7 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
dev_err(dev, "failed to register video device\n");
goto err_vdev_register;
}
+ mdp->vdev->release = video_device_release;
v4l2_info(&mdp->v4l2_dev, "driver registered as /dev/video%d",
mdp->vdev->num);
@@ -1213,7 +1214,8 @@ int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
err_vdev_register:
v4l2_m2m_release(mdp->m2m_dev);
err_m2m_init:
- video_device_release(mdp->vdev);
+ video_device_release(mdp->vdev)
+ mdp->vdev = NULL;
err_video_alloc:
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] media: mediatek: mdp: avoid double free on video register failure
2026-05-18 12:55 [PATCH] media: mediatek: mdp: avoid double free on video register failure Guangshuo Li
@ 2026-05-18 20:30 ` kernel test robot
2026-05-19 0:21 ` kernel test robot
1 sibling, 0 replies; 4+ messages in thread
From: kernel test robot @ 2026-05-18 20:30 UTC (permalink / raw)
To: Guangshuo Li, Minghsiu Tsai, Houlong Wei, Andrew-CT Chen,
Mauro Carvalho Chehab, Matthias Brugger,
AngeloGioacchino Del Regno, Hans Verkuil, linux-kernel,
linux-arm-kernel, linux-mediatek
Cc: oe-kbuild-all, linux-media, Guangshuo Li
Hi Guangshuo,
kernel test robot noticed the following build errors:
[auto build test ERROR on linuxtv-media-pending/master]
[also build test ERROR on media-tree/master linus/master v7.1-rc4 next-20260518]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-mediatek-mdp-avoid-double-free-on-video-register-failure/20260518-211648
base: https://git.linuxtv.org/media-ci/media-pending.git master
patch link: https://lore.kernel.org/r/20260518125500.1000083-1-lgs201920130244%40gmail.com
patch subject: [PATCH] media: mediatek: mdp: avoid double free on video register failure
config: m68k-allmodconfig (https://download.01.org/0day-ci/archive/20260519/202605190406.bMshG7YY-lkp@intel.com/config)
compiler: m68k-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260519/202605190406.bMshG7YY-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605190406.bMshG7YY-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c: In function 'mtk_mdp_register_m2m_device':
>> drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c:1217:40: error: expected ';' before 'mdp'
1217 | video_device_release(mdp->vdev)
| ^
| ;
1218 | mdp->vdev = NULL;
| ~~~
vim +1217 drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
1172
1173 int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
1174 {
1175 struct device *dev = &mdp->pdev->dev;
1176 int ret;
1177
1178 mdp->variant = &mtk_mdp_default_variant;
1179 mdp->vdev = video_device_alloc();
1180 if (!mdp->vdev) {
1181 dev_err(dev, "failed to allocate video device\n");
1182 ret = -ENOMEM;
1183 goto err_video_alloc;
1184 }
1185 mdp->vdev->device_caps = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_STREAMING;
1186 mdp->vdev->fops = &mtk_mdp_m2m_fops;
1187 mdp->vdev->ioctl_ops = &mtk_mdp_m2m_ioctl_ops;
1188 mdp->vdev->release = video_device_release_empty;
1189 mdp->vdev->lock = &mdp->lock;
1190 mdp->vdev->vfl_dir = VFL_DIR_M2M;
1191 mdp->vdev->v4l2_dev = &mdp->v4l2_dev;
1192 snprintf(mdp->vdev->name, sizeof(mdp->vdev->name), "%s:m2m",
1193 MTK_MDP_MODULE_NAME);
1194 video_set_drvdata(mdp->vdev, mdp);
1195
1196 mdp->m2m_dev = v4l2_m2m_init(&mtk_mdp_m2m_ops);
1197 if (IS_ERR(mdp->m2m_dev)) {
1198 dev_err(dev, "failed to initialize v4l2-m2m device\n");
1199 ret = PTR_ERR(mdp->m2m_dev);
1200 goto err_m2m_init;
1201 }
1202
1203 ret = video_register_device(mdp->vdev, VFL_TYPE_VIDEO, 2);
1204 if (ret) {
1205 dev_err(dev, "failed to register video device\n");
1206 goto err_vdev_register;
1207 }
1208 mdp->vdev->release = video_device_release;
1209
1210 v4l2_info(&mdp->v4l2_dev, "driver registered as /dev/video%d",
1211 mdp->vdev->num);
1212 return 0;
1213
1214 err_vdev_register:
1215 v4l2_m2m_release(mdp->m2m_dev);
1216 err_m2m_init:
> 1217 video_device_release(mdp->vdev)
1218 mdp->vdev = NULL;
1219 err_video_alloc:
1220
1221 return ret;
1222 }
1223
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] media: mediatek: mdp: avoid double free on video register failure
2026-05-18 12:55 [PATCH] media: mediatek: mdp: avoid double free on video register failure Guangshuo Li
2026-05-18 20:30 ` kernel test robot
@ 2026-05-19 0:21 ` kernel test robot
2026-05-19 4:14 ` Guangshuo Li
1 sibling, 1 reply; 4+ messages in thread
From: kernel test robot @ 2026-05-19 0:21 UTC (permalink / raw)
To: Guangshuo Li, Minghsiu Tsai, Houlong Wei, Andrew-CT Chen,
Mauro Carvalho Chehab, Matthias Brugger,
AngeloGioacchino Del Regno, Hans Verkuil, linux-kernel,
linux-arm-kernel, linux-mediatek
Cc: llvm, oe-kbuild-all, linux-media, Guangshuo Li
Hi Guangshuo,
kernel test robot noticed the following build errors:
[auto build test ERROR on linuxtv-media-pending/master]
[also build test ERROR on media-tree/master linus/master v7.1-rc4 next-20260518]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-mediatek-mdp-avoid-double-free-on-video-register-failure/20260518-211648
base: https://git.linuxtv.org/media-ci/media-pending.git master
patch link: https://lore.kernel.org/r/20260518125500.1000083-1-lgs201920130244%40gmail.com
patch subject: [PATCH] media: mediatek: mdp: avoid double free on video register failure
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260519/202605190845.KlMSPp80-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260519/202605190845.KlMSPp80-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605190845.KlMSPp80-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c:1217:33: error: expected ';' after expression
1217 | video_device_release(mdp->vdev)
| ^
| ;
1 error generated.
vim +1217 drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
1172
1173 int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
1174 {
1175 struct device *dev = &mdp->pdev->dev;
1176 int ret;
1177
1178 mdp->variant = &mtk_mdp_default_variant;
1179 mdp->vdev = video_device_alloc();
1180 if (!mdp->vdev) {
1181 dev_err(dev, "failed to allocate video device\n");
1182 ret = -ENOMEM;
1183 goto err_video_alloc;
1184 }
1185 mdp->vdev->device_caps = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_STREAMING;
1186 mdp->vdev->fops = &mtk_mdp_m2m_fops;
1187 mdp->vdev->ioctl_ops = &mtk_mdp_m2m_ioctl_ops;
1188 mdp->vdev->release = video_device_release_empty;
1189 mdp->vdev->lock = &mdp->lock;
1190 mdp->vdev->vfl_dir = VFL_DIR_M2M;
1191 mdp->vdev->v4l2_dev = &mdp->v4l2_dev;
1192 snprintf(mdp->vdev->name, sizeof(mdp->vdev->name), "%s:m2m",
1193 MTK_MDP_MODULE_NAME);
1194 video_set_drvdata(mdp->vdev, mdp);
1195
1196 mdp->m2m_dev = v4l2_m2m_init(&mtk_mdp_m2m_ops);
1197 if (IS_ERR(mdp->m2m_dev)) {
1198 dev_err(dev, "failed to initialize v4l2-m2m device\n");
1199 ret = PTR_ERR(mdp->m2m_dev);
1200 goto err_m2m_init;
1201 }
1202
1203 ret = video_register_device(mdp->vdev, VFL_TYPE_VIDEO, 2);
1204 if (ret) {
1205 dev_err(dev, "failed to register video device\n");
1206 goto err_vdev_register;
1207 }
1208 mdp->vdev->release = video_device_release;
1209
1210 v4l2_info(&mdp->v4l2_dev, "driver registered as /dev/video%d",
1211 mdp->vdev->num);
1212 return 0;
1213
1214 err_vdev_register:
1215 v4l2_m2m_release(mdp->m2m_dev);
1216 err_m2m_init:
> 1217 video_device_release(mdp->vdev)
1218 mdp->vdev = NULL;
1219 err_video_alloc:
1220
1221 return ret;
1222 }
1223
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] media: mediatek: mdp: avoid double free on video register failure
2026-05-19 0:21 ` kernel test robot
@ 2026-05-19 4:14 ` Guangshuo Li
0 siblings, 0 replies; 4+ messages in thread
From: Guangshuo Li @ 2026-05-19 4:14 UTC (permalink / raw)
To: kernel test robot
Cc: Minghsiu Tsai, Houlong Wei, Andrew-CT Chen, Mauro Carvalho Chehab,
Matthias Brugger, AngeloGioacchino Del Regno, Hans Verkuil,
linux-kernel, linux-arm-kernel, linux-mediatek, llvm,
oe-kbuild-all, linux-media
Thanks for the report.
On Tue, 19 May 2026 at 10:13, kernel test robot <lkp@intel.com> wrote:
>
> Hi Guangshuo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on linuxtv-media-pending/master]
> [also build test ERROR on media-tree/master linus/master v7.1-rc4 next-20260518]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-mediatek-mdp-avoid-double-free-on-video-register-failure/20260518-211648
> base: https://git.linuxtv.org/media-ci/media-pending.git master
> patch link: https://lore.kernel.org/r/20260518125500.1000083-1-lgs201920130244%40gmail.com
> patch subject: [PATCH] media: mediatek: mdp: avoid double free on video register failure
> config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260519/202605190845.KlMSPp80-lkp@intel.com/config)
> compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260519/202605190845.KlMSPp80-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202605190845.KlMSPp80-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> >> drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c:1217:33: error: expected ';' after expression
> 1217 | video_device_release(mdp->vdev)
> | ^
> | ;
> 1 error generated.
>
>
> vim +1217 drivers/media/platform/mediatek/mdp/mtk_mdp_m2m.c
>
> 1172
> 1173 int mtk_mdp_register_m2m_device(struct mtk_mdp_dev *mdp)
> 1174 {
> 1175 struct device *dev = &mdp->pdev->dev;
> 1176 int ret;
> 1177
> 1178 mdp->variant = &mtk_mdp_default_variant;
> 1179 mdp->vdev = video_device_alloc();
> 1180 if (!mdp->vdev) {
> 1181 dev_err(dev, "failed to allocate video device\n");
> 1182 ret = -ENOMEM;
> 1183 goto err_video_alloc;
> 1184 }
> 1185 mdp->vdev->device_caps = V4L2_CAP_VIDEO_M2M_MPLANE | V4L2_CAP_STREAMING;
> 1186 mdp->vdev->fops = &mtk_mdp_m2m_fops;
> 1187 mdp->vdev->ioctl_ops = &mtk_mdp_m2m_ioctl_ops;
> 1188 mdp->vdev->release = video_device_release_empty;
> 1189 mdp->vdev->lock = &mdp->lock;
> 1190 mdp->vdev->vfl_dir = VFL_DIR_M2M;
> 1191 mdp->vdev->v4l2_dev = &mdp->v4l2_dev;
> 1192 snprintf(mdp->vdev->name, sizeof(mdp->vdev->name), "%s:m2m",
> 1193 MTK_MDP_MODULE_NAME);
> 1194 video_set_drvdata(mdp->vdev, mdp);
> 1195
> 1196 mdp->m2m_dev = v4l2_m2m_init(&mtk_mdp_m2m_ops);
> 1197 if (IS_ERR(mdp->m2m_dev)) {
> 1198 dev_err(dev, "failed to initialize v4l2-m2m device\n");
> 1199 ret = PTR_ERR(mdp->m2m_dev);
> 1200 goto err_m2m_init;
> 1201 }
> 1202
> 1203 ret = video_register_device(mdp->vdev, VFL_TYPE_VIDEO, 2);
> 1204 if (ret) {
> 1205 dev_err(dev, "failed to register video device\n");
> 1206 goto err_vdev_register;
> 1207 }
> 1208 mdp->vdev->release = video_device_release;
> 1209
> 1210 v4l2_info(&mdp->v4l2_dev, "driver registered as /dev/video%d",
> 1211 mdp->vdev->num);
> 1212 return 0;
> 1213
> 1214 err_vdev_register:
> 1215 v4l2_m2m_release(mdp->m2m_dev);
> 1216 err_m2m_init:
> > 1217 video_device_release(mdp->vdev)
> 1218 mdp->vdev = NULL;
> 1219 err_video_alloc:
> 1220
> 1221 return ret;
> 1222 }
> 1223
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
This build failure was caused by my oversight. I missed the semicolon after
video_device_release(mdp->vdev).
I will send a v2 to fix this issue.
Sorry for the noise.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-19 4:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-18 12:55 [PATCH] media: mediatek: mdp: avoid double free on video register failure Guangshuo Li
2026-05-18 20:30 ` kernel test robot
2026-05-19 0:21 ` kernel test robot
2026-05-19 4:14 ` Guangshuo Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox