On 05/15/18 15:07, Oliver Neukum wrote:
> The premature free in the error path is blocked by V4L
> refcounting, not USB refcounting. Thanks to
> Ben Hutchings for review.
>
> [v2] corrected attributions
>
> Signed-off-by: Oliver Neukum <oneu...@suse.com>
> Fixes: 50e704453553 ("media: usbtv: prevent double free in error case")
> CC: sta...@vger.kernel.org
> Reported-by: Ben Hutchings <ben.hutchi...@codethink.co.uk>
> ---
> drivers/media/usb/usbtv/usbtv-core.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/usb/usbtv/usbtv-core.c
> b/drivers/media/usb/usbtv/usbtv-core.c
> index 5095c380b2c1..4a03c4d66314 100644
> --- a/drivers/media/usb/usbtv/usbtv-core.c
> +++ b/drivers/media/usb/usbtv/usbtv-core.c
> @@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interface *intf,
>
> usbtv_audio_fail:
> /* we must not free at this point */
> - usb_get_dev(usbtv->udev);
> + v4l2_device_get(&usbtv->v4l2_dev);
This is very confusing. I think it is much better to move the
v4l2_device_register() call from usbtv_video_init to this probe function.
The extra v4l2_device_get in the probe() can just be dropped and
usbtv_video_free() no longer needs to call v4l2_device_put().
The only place you need a v4l2_device_put() is in the disconnect()
function at the end.
Regards,
Hans
> + /* this will undo the v4l2_device_get() */
> usbtv_video_free(usbtv);
>
> usbtv_video_fail:
>
