Diffstat (limited to 'target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch')
-rw-r--r--target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch48
1 files changed, 48 insertions, 0 deletions
diff --git a/target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch b/target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch
new file mode 100644
index 0000000000..7f1b505336
--- /dev/null
+++ b/target/linux/bcm27xx/patches-6.1/950-0997-media-rp1-cfe-Fix-use-of-freed-memory-on-errors.patch
@@ -0,0 +1,48 @@
+From 3922bebc11fcc8459c798cfcb582828f9bbaa9e9 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Thu, 28 Sep 2023 11:33:53 +0300
+Subject: [PATCH] media: rp1: cfe: Fix use of freed memory on errors
+
+cfe_probe_complete() calls cfe_put() on both success and fail code paths.
+This works for the success path, but causes the cfe_device struct to be
+freed, even if it will be used later in the teardown code.
+
+Fix this by making the ref handling a bit saner: Let the video nodes
+have the refs as they do now, but also keep a ref in the "main" driver,
+released only at cfe_remove() time. This way the driver does not depend
+on the video nodes keeping the refs.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+---
+ drivers/media/platform/raspberrypi/rp1_cfe/cfe.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
++++ b/drivers/media/platform/raspberrypi/rp1_cfe/cfe.c
+@@ -1837,17 +1837,10 @@ static int cfe_probe_complete(struct cfe
+ goto unregister;
+ }
+
+- /*
+- * Release the initial reference, all references are now owned by the
+- * video devices.
+- */
+- cfe_put(cfe);
+ return 0;
+
+ unregister:
+ cfe_unregister_nodes(cfe);
+- cfe_put(cfe);
+-
+ return ret;
+ }
+
+@@ -2129,6 +2122,8 @@ static int cfe_remove(struct platform_de
+
+ v4l2_device_unregister(&cfe->v4l2_dev);
+
++ cfe_put(cfe);
++
+ return 0;
+ }
+
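Review bot: The `cfe_put(cfe);` added at the end of cfe_remove() has no comment saying which reference it drops, while the only comment describing ref ownership (in cfe_probe_complete()) is deleted by the same patch. I would put `/* Drop the driver's own initial ref; cfe may be freed here, do not touch it afterwards. */` above the call, since the video nodes may already have released theirs and this can be the last reference. In the visible lines only `return 0;` follows, so the placement after v4l2_device_unregister() looks safe. The cfe_probe() error paths are outside these hunks: with the initial reference now held until cfe_remove(), a probe failure after the refcount is initialised presumably has to drop it explicitly, which is worth confirming against the full file. Both cfe_probe_complete() and cfe_remove() start outside the hunks shown.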