[PATCH] media: rp1-cfe: Fix double-free on video device re-registration

[PATCH] media: rp1-cfe: Fix double-free on video device re-registration

[Xiaolei Wang]

When a sensor driver is unloaded and reloaded (e.g., rmmod/insmod ov5647),
the cfe_async_complete callback is invoked again, attempting to re-register
video nodes that are still registered. This causes multiple issues:

1. KASAN double-free in kfree_const when dev_set_name tries to free the
   kobject name that was already freed during video_unregister_device
2. "tried to init an initialized object" warnings because the video_device
   kobject is re-initialized before being fully released

Fix this by:
- Adding a check in cfe_probe_complete() to skip nodes already in
  NODE_REGISTERED state, preventing duplicate registration attempts
- Implementing cfe_async_unbind() callback to properly clear the
  source_sd pointer when the subdevice is unbound

Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
---
 drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
index 62dca76b468d..d3813c79316d 100644
--- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
+++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
@@ -2152,6 +2152,9 @@ static int cfe_probe_complete(struct cfe_device *cfe)
 	cfe->v4l2_dev.notify = cfe_notify;
 
 	for (unsigned int i = 0; i < NUM_NODES; i++) {
+		if (check_state(cfe, NODE_REGISTERED, i))
+			continue;
+
 		ret = cfe_register_node(cfe, i);
 		if (ret) {
 			cfe_err(cfe, "Unable to register video node %u.\n", i);
@@ -2204,8 +2207,19 @@ static int cfe_async_complete(struct v4l2_async_notifier *notifier)
 	return cfe_probe_complete(cfe);
 }
 
+static void cfe_async_unbind(struct v4l2_async_notifier *notifier,
+			     struct v4l2_subdev *subdev,
+			     struct v4l2_async_connection *asd)
+{
+	struct cfe_device *cfe = to_cfe_device(notifier->v4l2_dev);
+
+	cfe->source_sd = NULL;
+	cfe_info(cfe, "Unbinding subdev %s\n", subdev->name);
+}
+
 static const struct v4l2_async_notifier_operations cfe_async_ops = {
 	.bound = cfe_async_bound,
+	.unbind = cfe_async_unbind,
 	.complete = cfe_async_complete,
 };
 
-- 
2.43.0

Re: [PATCH] media: rp1-cfe: Fix double-free on video device re-registration

[Laurent Pinchart]

Hi Xiaolei,

On Wed, Feb 11, 2026 at 11:45:01AM +0800, Xiaolei Wang wrote:
> When a sensor driver is unloaded and reloaded (e.g., rmmod/insmod ov5647),
> the cfe_async_complete callback is invoked again, attempting to re-register
> video nodes that are still registered. This causes multiple issues:
> 
> 1. KASAN double-free in kfree_const when dev_set_name tries to free the
>    kobject name that was already freed during video_unregister_device
> 2. "tried to init an initialized object" warnings because the video_device
>    kobject is re-initialized before being fully released
> 
> Fix this by:
> - Adding a check in cfe_probe_complete() to skip nodes already in
>   NODE_REGISTERED state, preventing duplicate registration attempts
> - Implementing cfe_async_unbind() callback to properly clear the
>   source_sd pointer when the subdevice is unbound

I think a better fix would be to register video nodes at probe time, not
when sensors are bound.

> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
> ---
>  drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> index 62dca76b468d..d3813c79316d 100644
> --- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> +++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
> @@ -2152,6 +2152,9 @@ static int cfe_probe_complete(struct cfe_device *cfe)
>  	cfe->v4l2_dev.notify = cfe_notify;
>  
>  	for (unsigned int i = 0; i < NUM_NODES; i++) {
> +		if (check_state(cfe, NODE_REGISTERED, i))
> +			continue;
> +
>  		ret = cfe_register_node(cfe, i);
>  		if (ret) {
>  			cfe_err(cfe, "Unable to register video node %u.\n", i);
> @@ -2204,8 +2207,19 @@ static int cfe_async_complete(struct v4l2_async_notifier *notifier)
>  	return cfe_probe_complete(cfe);
>  }
>  
> +static void cfe_async_unbind(struct v4l2_async_notifier *notifier,
> +			     struct v4l2_subdev *subdev,
> +			     struct v4l2_async_connection *asd)
> +{
> +	struct cfe_device *cfe = to_cfe_device(notifier->v4l2_dev);
> +
> +	cfe->source_sd = NULL;
> +	cfe_info(cfe, "Unbinding subdev %s\n", subdev->name);
> +}
> +
>  static const struct v4l2_async_notifier_operations cfe_async_ops = {
>  	.bound = cfe_async_bound,
> +	.unbind = cfe_async_unbind,
>  	.complete = cfe_async_complete,
>  };
>  

-- 
Regards,

Laurent Pinchart

Re: [PATCH] media: rp1-cfe: Fix double-free on video device re-registration

[xiaolei wang]

On 2/11/26 16:15, Laurent Pinchart wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Hi Xiaolei,
>
> On Wed, Feb 11, 2026 at 11:45:01AM +0800, Xiaolei Wang wrote:
>> When a sensor driver is unloaded and reloaded (e.g., rmmod/insmod ov5647),
>> the cfe_async_complete callback is invoked again, attempting to re-register
>> video nodes that are still registered. This causes multiple issues:
>>
>> 1. KASAN double-free in kfree_const when dev_set_name tries to free the
>>     kobject name that was already freed during video_unregister_device
>> 2. "tried to init an initialized object" warnings because the video_device
>>     kobject is re-initialized before being fully released
>>
>> Fix this by:
>> - Adding a check in cfe_probe_complete() to skip nodes already in
>>    NODE_REGISTERED state, preventing duplicate registration attempts
>> - Implementing cfe_async_unbind() callback to properly clear the
>>    source_sd pointer when the subdevice is unbound
> I think a better fix would be to register video nodes at probe time, not
> when sensors are bound.
Hi Laurent,

Thank you for the feedback and suggestion. You're right that registering
video nodes at probe time would be a cleaner approach. I'll explore this
method and implement it in the next version.

Best regards,
Xiaolei
>
>> Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
>> ---
>>   drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 14 ++++++++++++++
>>   1 file changed, 14 insertions(+)
>>
>> diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> index 62dca76b468d..d3813c79316d 100644
>> --- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> +++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> @@ -2152,6 +2152,9 @@ static int cfe_probe_complete(struct cfe_device *cfe)
>>        cfe->v4l2_dev.notify = cfe_notify;
>>
>>        for (unsigned int i = 0; i < NUM_NODES; i++) {
>> +             if (check_state(cfe, NODE_REGISTERED, i))
>> +                     continue;
>> +
>>                ret = cfe_register_node(cfe, i);
>>                if (ret) {
>>                        cfe_err(cfe, "Unable to register video node %u.\n", i);
>> @@ -2204,8 +2207,19 @@ static int cfe_async_complete(struct v4l2_async_notifier *notifier)
>>        return cfe_probe_complete(cfe);
>>   }
>>
>> +static void cfe_async_unbind(struct v4l2_async_notifier *notifier,
>> +                          struct v4l2_subdev *subdev,
>> +                          struct v4l2_async_connection *asd)
>> +{
>> +     struct cfe_device *cfe = to_cfe_device(notifier->v4l2_dev);
>> +
>> +     cfe->source_sd = NULL;
>> +     cfe_info(cfe, "Unbinding subdev %s\n", subdev->name);
>> +}
>> +
>>   static const struct v4l2_async_notifier_operations cfe_async_ops = {
>>        .bound = cfe_async_bound,
>> +     .unbind = cfe_async_unbind,
>>        .complete = cfe_async_complete,
>>   };
>>
> --
> Regards,
>
> Laurent Pinchart