Linux Media Controller development
* [PATCH] media: v4l2-dev: fix media controller registration error handling
@ 2026-06-25 19:39 Shih-Sheng Yang
  2026-06-26 19:22 ` Laurent Pinchart
  0 siblings, 1 reply; 4+ messages in thread
From: Shih-Sheng Yang @ 2026-06-25 19:39 UTC
  To: mchehab
  Cc: hverkuil+cisco, laurent.pinchart+renesas, kees, linux-media,
	linux-kernel, Shih-Sheng Yang

__video_register_device() registers the media-controller entity and
interface after cdev_add() and device_register().

The return value from video_register_media_controller() is currently
ignored. If media_devnode_create() fails, vdev->intf_devnode remains
NULL, but the video device is still marked as registered and the caller
sees a successful registration. A later video_unregister_device() reaches
v4l2_device_release(), which calls media_devnode_remove() and
dereferences that NULL pointer.

If media_create_intf_link() fails, the helper removes
vdev->intf_devnode but leaves the stale pointer behind. A later release
path may then try to remove it again.

Fix this by propagating video_register_media_controller() failures from
__video_register_device(). Also make the media-controller cleanup path
tolerate partially-created state by clearing vdev->intf_devnode after
removal and checking it before release-time removal.

Signed-off-by: Shih-Sheng Yang <yshihsheng@gmail.com>
---
 drivers/media/v4l2-core/v4l2-dev.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
index 6ce623a1245a..5d2faed002a7 100644
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -203,7 +203,10 @@ static void v4l2_device_release(struct device *cd)
 #if defined(CONFIG_MEDIA_CONTROLLER)
 	if (v4l2_dev->mdev && vdev->vfl_dir != VFL_DIR_M2M) {
 		/* Remove interfaces and interface links */
-		media_devnode_remove(vdev->intf_devnode);
+		if (vdev->intf_devnode) {
+			media_devnode_remove(vdev->intf_devnode);
+			vdev->intf_devnode = NULL;
+		}
 		if (vdev->entity.function != MEDIA_ENT_F_UNKNOWN)
 			media_device_unregister_entity(&vdev->entity);
 	}
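
Review bot: The `if (vdev->intf_devnode)` guard in v4l2_device_release() fixes only this call site, so any other caller that reaches media_devnode_remove() with a NULL devnode still hits the dereference the commit message describes. Putting the NULL check inside media_devnode_remove() would let this call stay unconditional and cover every caller at once.
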
@@ -896,6 +899,7 @@ static int video_register_media_controller(struct video_device *vdev)
 					      MEDIA_LNK_FL_IMMUTABLE);
 		if (!link) {
 			media_devnode_remove(vdev->intf_devnode);
+			vdev->intf_devnode = NULL;
 			media_device_unregister_entity(&vdev->entity);
 			return -ENOMEM;
 		}
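
Review bot: In the `if (!link)` branch of video_register_media_controller(), `vdev->intf_devnode` is now cleared after removal, but `media_device_unregister_entity(&vdev->entity)` on the next line leaves no equivalent marker behind. If the put_device() added in __video_register_device() drops the last reference and v4l2_device_release() runs, that function calls media_device_unregister_entity() on the same entity again whenever `entity.function != MEDIA_ENT_F_UNKNOWN`. Please confirm that a second unregistration is a no-op, and say so in the commit message, or make the release path skip it.
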
@@ -1087,6 +1091,11 @@ int __video_register_device(struct video_device *vdev,
 
 	/* Part 5: Register the entity. */
 	ret = video_register_media_controller(vdev);
+	if (ret < 0) {
+		mutex_unlock(&videodev_lock);
+		put_device(&vdev->dev);
+		return ret;
+	}
 
 	/* Part 6: Activate this minor. The char device can now be used. */
 	set_bit(V4L2_FL_REGISTERED, &vdev->flags);
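
Review bot: The new `if (ret < 0)` branch in __video_register_device() only drops a reference with put_device(), although the commit message states that cdev_add() and device_register() have already succeeded by this point. The matching teardown for a registered device is device_unregister(), which performs device_del() before the put; as written the device stays added to the driver core while the caller is told that registration failed. Please also state in the commit message which path undoes cdev_add() on this failure.
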
-- 
2.34.1



* Re: [PATCH] media: v4l2-dev: fix media controller registration error handling
  2026-06-25 19:39 [PATCH] media: v4l2-dev: fix media controller registration error handling Shih-Sheng Yang
@ 2026-06-26 19:22 ` Laurent Pinchart
  2026-06-30  9:54   ` Shih-Sheng Yang
  0 siblings, 1 reply; 4+ messages in thread
From: Laurent Pinchart @ 2026-06-26 19:22 UTC
  To: Shih-Sheng Yang; +Cc: mchehab, hverkuil+cisco, kees, linux-media, linux-kernel

On Fri, Jun 26, 2026 at 03:39:16AM +0800, Shih-Sheng Yang wrote:
> __video_register_device() registers the media-controller entity and
> interface after cdev_add() and device_register().
> 
> The return value from video_register_media_controller() is currently
> ignored. If media_devnode_create() fails, vdev->intf_devnode remains
> NULL, but the video device is still marked as registered and the caller
> sees a successful registration. A later video_unregister_device() reaches
> v4l2_device_release(), which calls media_devnode_remove() and
> dereferences that NULL pointer.
> 
> If media_create_intf_link() fails, the helper removes
> vdev->intf_devnode but leaves the stale pointer behind. A later release
> path may then try to remove it again.
> 
> Fix this by propagating video_register_media_controller() failures from
> __video_register_device(). Also make the media-controller cleanup path
> tolerate partially-created state by clearing vdev->intf_devnode after
> removal and checking it before release-time removal.
> 
> Signed-off-by: Shih-Sheng Yang <yshihsheng@gmail.com>
> ---
>  drivers/media/v4l2-core/v4l2-dev.c | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
> index 6ce623a1245a..5d2faed002a7 100644
> --- a/drivers/media/v4l2-core/v4l2-dev.c
> +++ b/drivers/media/v4l2-core/v4l2-dev.c
> @@ -203,7 +203,10 @@ static void v4l2_device_release(struct device *cd)
>  #if defined(CONFIG_MEDIA_CONTROLLER)
>  	if (v4l2_dev->mdev && vdev->vfl_dir != VFL_DIR_M2M) {
>  		/* Remove interfaces and interface links */
> -		media_devnode_remove(vdev->intf_devnode);
> +		if (vdev->intf_devnode) {
> +			media_devnode_remove(vdev->intf_devnode);

I'd move the NULL check to media_devnode_remove() and make this call
unconditionally.

If we want to harden this more, media_devnode_remove() could take a
struct media_intf_devnode **devnode parameter, and set

	*devnode = NULL;

after freeing it. This is not a common pattern in the media subsystem
though, but we may benefit from adopting it.

> +			vdev->intf_devnode = NULL;
> +		}
>  		if (vdev->entity.function != MEDIA_ENT_F_UNKNOWN)
>  			media_device_unregister_entity(&vdev->entity);
>  	}
> @@ -896,6 +899,7 @@ static int video_register_media_controller(struct video_device *vdev)
>  					      MEDIA_LNK_FL_IMMUTABLE);
>  		if (!link) {
>  			media_devnode_remove(vdev->intf_devnode);
> +			vdev->intf_devnode = NULL;
>  			media_device_unregister_entity(&vdev->entity);
>  			return -ENOMEM;
>  		}
> @@ -1087,6 +1091,11 @@ int __video_register_device(struct video_device *vdev,
>  
>  	/* Part 5: Register the entity. */
>  	ret = video_register_media_controller(vdev);
> +	if (ret < 0) {
> +		mutex_unlock(&videodev_lock);
> +		put_device(&vdev->dev);

Where's the device unregistration ?

> +		return ret;
> +	}
>  
>  	/* Part 6: Activate this minor. The char device can now be used. */
>  	set_bit(V4L2_FL_REGISTERED, &vdev->flags);

-- 
Regards,

Laurent Pinchart


* Re: [PATCH] media: v4l2-dev: fix media controller registration error handling
  2026-06-26 19:22 ` Laurent Pinchart
@ 2026-06-30  9:54   ` Shih-Sheng Yang
  2026-06-30 10:24     ` Laurent Pinchart
  0 siblings, 1 reply; 4+ messages in thread
From: Shih-Sheng Yang @ 2026-06-30  9:54 UTC
  To: laurent.pinchart
  Cc: hverkuil+cisco, kees, linux-kernel, linux-media, mchehab,
	yshihsheng

Hi Laurent,

Thank you for the review.

I've addressed this in v2 by moving the NULL check into
media_devnode_remove() and by using device_unregister() in
__video_register_device(), as device_register() has already succeeded
there.

I also checked the other media_devnode_remove() callers. I didn't find
another caller with the same failure pattern or an immediate risk that
requires changing the helper API. Since changing media_devnode_remove()
to take a pointer-to-pointer would affect a wider set of callers, I have
left that out of v2. I can add it if you prefer.

Regards,
Shih-Sheng


* Re: [PATCH] media: v4l2-dev: fix media controller registration error handling
  2026-06-30  9:54   ` Shih-Sheng Yang
@ 2026-06-30 10:24     ` Laurent Pinchart
  0 siblings, 0 replies; 4+ messages in thread
From: Laurent Pinchart @ 2026-06-30 10:24 UTC
  To: Shih-Sheng Yang
  Cc: hverkuil+cisco, kees, linux-kernel, linux-media, mchehab,
	Sakari Ailus

On Tue, Jun 30, 2026 at 05:54:56PM +0800, Shih-Sheng Yang wrote:
> Hi Laurent,
> 
> Thank you for the review.
> 
> I've addressed this in v2 by moving the NULL check into
> media_devnode_remove() and by using device_unregister() in
> __video_register_device(), as device_register() has already succeeded
> there.
> 
> I also checked the other media_devnode_remove() callers. I didn't find
> another caller with the same failure pattern or an immediate risk that
> requires changing the helper API. Since changing media_devnode_remove()
> to take a pointer-to-pointer would affect a wider set of callers, I have
> left that out of v2. I can add it if you prefer.

Sakari, Hans, do you have an opinion on that pattern ? If you forget the
context, the idea is to turn

void media_devnode_remove(struct media_intf_devnode *devnode)
{
	media_remove_intf_links(&devnode->intf);
	media_gobj_destroy(&devnode->intf.graph_obj);
	kfree(devnode);
}

into

void media_devnode_remove(struct media_intf_devnode **devnode)
{
	struct media_intf_devnode *node = *devnode;

	if (!node)
		return; 

	media_remove_intf_links(&node->intf);
	media_gobj_destroy(&node->intf.graph_obj);
	kfree(node);

	*devnode = NULL;
}

(bikeshedding on whether or not we need a local variable is left for
later)

I think the pattern is safer, but it's not common in V4L2 at the moment.

-- 
Regards,

Laurent Pinchart
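
The pointer-to-pointer removal pattern discussed in the message above, as an added userspace model that is not code from this thread or from the kernel. `devnode_remove()`, `register_mc()`, `run_case()` and the `fail_at` cases are hypothetical stand-ins, and `free()` replaces the kernel teardown calls; the model walks the three registration outcomes the commit message describes and then runs the release path twice.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace stand-ins, constructed for this example (not kernel types). */
struct intf_devnode { int minor; };
struct video_dev { struct intf_devnode *intf_devnode; };
enum fail_at { FAIL_NONE, FAIL_CREATE, FAIL_LINK };
static int live_nodes; /* devnodes allocated and not yet freed */

/* Pointer-to-pointer removal: NULL-safe, and clears the owner's field. */
static void devnode_remove(struct intf_devnode **devnode)
{
	struct intf_devnode *node = *devnode;

	if (!node)
		return;
	free(node);
	live_nodes--;
	*devnode = NULL;
}

/* Registration that fails before the devnode exists, or after it. */
static int register_mc(struct video_dev *vdev, enum fail_at fail)
{
	if (fail != FAIL_CREATE)
		vdev->intf_devnode = calloc(1, sizeof(*vdev->intf_devnode));
	if (!vdev->intf_devnode)
		return -ENOMEM;
	live_nodes++;
	if (fail == FAIL_LINK) {
		devnode_remove(&vdev->intf_devnode); /* error-path cleanup */
		return -ENOMEM;
	}
	return 0;
}

/* Returns 0 if each devnode was freed exactly once and the field is NULL. */
int run_case(enum fail_at fail)
{
	struct video_dev vdev = { 0 };
	live_nodes = 0;
	register_mc(&vdev, fail);
	devnode_remove(&vdev.intf_devnode); /* release path */
	devnode_remove(&vdev.intf_devnode); /* repeated release is a no-op */
	return (live_nodes == 0 && !vdev.intf_devnode) ? 0 : -1;
}

int main(void)
{
	return run_case(FAIL_NONE) | run_case(FAIL_CREATE) | run_case(FAIL_LINK);
}
```
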
