* [PATCH] staging: most: video: fix refcount leak in comp_probe_channel()
From: WenTao Liang @ 2026-06-11 11:43 UTC
To: parthiban.veerasooran, christian.gromm, gregkh
Cc: hverkuil+cisco, laurent.pinchart+renesas, s9430939, error27,
vulab, kees, linux-staging, linux-kernel, stable
If v4l2_device_register() fails in comp_probe_channel(), the
function frees the allocated mdev with kfree() without releasing the
reference count held by the embedded v4l2_device. Because
v4l2_device_register() initializes a kref in the v4l2_device, the
reference count is already 1 on failure. Dropping the last reference
must be done with v4l2_device_put() so that the release callback can
unregister the v4l2_device and free mdev.
Replace the kfree(mdev) with v4l2_device_put(&mdev->v4l2_dev). The
error path for comp_register_videodev() failure already does this
correctly.
Cc: stable@vger.kernel.org
Fixes: 3d31c0cb6c12 ("Staging: most: add MOST driver's aim-v4l2 module")
Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
---
drivers/staging/most/video/video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/most/video/video.c b/drivers/staging/most/video/video.c
index 04351f8ccccf..aa846959b217 100644
--- a/drivers/staging/most/video/video.c
+++ b/drivers/staging/most/video/video.c
@@ -491,7 +491,7 @@ static int comp_probe_channel(struct most_interface *iface, int channel_idx,
ret = v4l2_device_register(NULL, &mdev->v4l2_dev);
if (ret) {
pr_err("v4l2_device_register() failed\n");
- kfree(mdev);
+ v4l2_device_put(&mdev->v4l2_dev);
return ret;
}
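Review bot: the `+ v4l2_device_put(&mdev->v4l2_dev);` line only frees mdev if the release callback is already installed on mdev->v4l2_dev before v4l2_device_register() is called, and nothing in this hunk's context shows that assignment. Please confirm the ordering and state it in the commit message, and name the object that the old `- kfree(mdev);` line leaves behind, since the description says the kref is merely initialized to 1 and kfree(mdev) already frees the structure that embeds it.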
--
2.50.1 (Apple Git-155)
* Re: [PATCH] staging: most: video: fix refcount leak in comp_probe_channel()
From: Dan Carpenter @ 2026-06-11 12:48 UTC
To: WenTao Liang
Cc: parthiban.veerasooran, christian.gromm, gregkh, hverkuil+cisco,
laurent.pinchart+renesas, s9430939, kees, linux-staging,
linux-kernel, stable
On Thu, Jun 11, 2026 at 07:43:35PM +0800, WenTao Liang wrote:
> If v4l2_device_register() fails in comp_probe_channel(), the
> function frees the allocated mdev with kfree() without releasing the
> reference count held by the embedded v4l2_device. Because
> v4l2_device_register() initializes a kref in the v4l2_device, the
> reference count is already 1 on failure. Dropping the last reference
> must be done with v4l2_device_put() so that the release callback can
> unregister the v4l2_device and free mdev.
What are you talking about here?
kref_init(&v4l2_dev->ref);
This is just a "refcount = 1" assignment. There is no allocation or
need to free anything.
>
> Replace the kfree(mdev) with v4l2_device_put(&mdev->v4l2_dev). The
> error path for comp_register_videodev() failure already does this
> correctly.
This is a weird and confusing thing to say. In comp_register_videodev()
we call video_device_release() which is a wrapper around kfree() and
here the original code calls kfree() directly... The original code
is more similar to comp_register_videodev() than the new code.
>
> Cc: stable@vger.kernel.org
CCing stable isn't necessary since v4l2_device_register() can't actually
fail here in real life.
drivers/media/v4l2-core/v4l2-device.c
    17  int v4l2_device_register(struct device *dev, struct v4l2_device *v4l2_dev)
    18  {
    19          if (v4l2_dev == NULL)

v4l2_dev is non-NULL.

    20                  return -EINVAL;
    21
    22          INIT_LIST_HEAD(&v4l2_dev->subdevs);
    23          spin_lock_init(&v4l2_dev->lock);
    24          v4l2_prio_init(&v4l2_dev->prio);
    25          kref_init(&v4l2_dev->ref);
    26          get_device(dev);
    27          v4l2_dev->dev = dev;
    28          if (dev == NULL) {

dev is NULL

    29                  /* If dev == NULL, then name must be filled in by the caller */
    30                  if (WARN_ON(!v4l2_dev->name[0]))

The name is filled in.

    31                          return -EINVAL;
    32                  return 0;
                        ^^^^^^^^
We return success.

    33          }
> Fixes: 3d31c0cb6c12 ("Staging: most: add MOST driver's aim-v4l2 module")
> Signed-off-by: WenTao Liang <vulab@iscas.ac.cn>
Please put in the commit message if this was discovered via AI
and not tested or whatever...
> ---
> drivers/staging/most/video/video.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/most/video/video.c b/drivers/staging/most/video/video.c
> index 04351f8ccccf..aa846959b217 100644
> --- a/drivers/staging/most/video/video.c
> +++ b/drivers/staging/most/video/video.c
> @@ -491,7 +491,7 @@ static int comp_probe_channel(struct most_interface *iface, int channel_idx,
> ret = v4l2_device_register(NULL, &mdev->v4l2_dev);
> if (ret) {
> pr_err("v4l2_device_register() failed\n");
> - kfree(mdev);
> + v4l2_device_put(&mdev->v4l2_dev);
v4l2_device_put() will call comp_v4l2_dev_release() which calls:
	v4l2_device_unregister(v4l2_dev);
	kfree(mdev);
The call to v4l2_device_unregister() is a no-op since the register
failed (pretending that were possible) so at runtime this is the exact
same as calling kfree(mdev);
So this is not a bug. The original code is fine. We could argue
about readability, but I feel like the original code is in some ways
more readable. I don't like calling unregister() when the device
is not registered.
regards,
dan carpenter
> return ret;
> }
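Review bot: on the `if (ret)` branch the replacement reaches the same kfree(mdev) through the release callback, with v4l2_device_unregister() run first on a device whose registration just failed, so the `+` line changes no freed or leaked state compared with the `-` line. If the change is resent for consistency with other error paths, drop the "refcount leak" wording together with the Fixes: and Cc: stable tags, and add a comment on the branch explaining why unregistering an unregistered device is intended.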
>
> --
> 2.50.1 (Apple Git-155)
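The runtime comparison made in the reply above, as an added userspace C model that is not part of the thread and not kernel code: it runs the failing probe once with a direct free and once with a put through the release callback, and counts frees and unregister work for each. All model_* names are hypothetical, and the model assumes the put invokes the release callback only when one is set.

```c
/* Userspace model, constructed for illustration; model_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct model_v4l2_dev {
	int ref;                /* stands in for struct kref */
	int registered;         /* set only by a successful register */
	void (*release)(struct model_v4l2_dev *);
};
struct model_mdev { struct model_v4l2_dev v4l2_dev; };  /* embedded member */
int frees, unregister_work;     /* observable side effects */
static void model_free(void *p) { free(p); frees++; }

/* Release callback as the reply describes it: unregister, then free mdev. */
static void model_release(struct model_v4l2_dev *d)
{
	if (d->registered)      /* unregister has nothing to undo otherwise */
		unregister_work++;
	model_free((char *)d - offsetof(struct model_mdev, v4l2_dev));
}

static void model_put(struct model_v4l2_dev *d)
{
	if (--d->ref == 0 && d->release)
		d->release(d);
}

/* Failing probe with either cleanup; returns how many frees happened. */
int error_path_frees(int use_put)
{
	struct model_mdev *mdev = calloc(1, sizeof(*mdev));
	if (!mdev)
		return -1;
	frees = unregister_work = 0;
	mdev->v4l2_dev.release = model_release;
	mdev->v4l2_dev.ref = 1; /* kref_init() is a plain store; register then fails */
	if (use_put)
		model_put(&mdev->v4l2_dev);
	else
		model_free(mdev);
	return frees;
}

int main(void)
{
	printf("kfree: %d, put: %d\n", error_path_frees(0), error_path_frees(1));
	return 0;
}
```

Clearing the `release` assignment in `error_path_frees()` makes the put path return 0 frees, which is the case where swapping the free for a put would itself leak.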