[PATCH] media: rp1-cfe: Fix double-free on video device re-registration

Wed Feb 11 17:51:11 PST 2026

On 2/11/26 16:15, Laurent Pinchart wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Hi Xiaolei,
>
> On Wed, Feb 11, 2026 at 11:45:01AM +0800, Xiaolei Wang wrote:
>> When a sensor driver is unloaded and reloaded (e.g., rmmod/insmod ov5647),
>> the cfe_async_complete callback is invoked again, attempting to re-register
>> video nodes that are still registered. This causes multiple issues:
>>
>> 1. KASAN double-free in kfree_const when dev_set_name tries to free the
>>     kobject name that was already freed during video_unregister_device
>> 2. "tried to init an initialized object" warnings because the video_device
>>     kobject is re-initialized before being fully released
>>
>> Fix this by:
>> - Adding a check in cfe_probe_complete() to skip nodes already in
>>    NODE_REGISTERED state, preventing duplicate registration attempts
>> - Implementing cfe_async_unbind() callback to properly clear the
>>    source_sd pointer when the subdevice is unbound
> I think a better fix would be to register video nodes at probe time, not
> when sensors are bound.
Hi Laurent,

Thank you for the feedback and suggestion. You're right that registering
video nodes at probe time would be a cleaner approach. I'll explore this
method and implement it in the next version.

Best regards,
Xiaolei
>
>> Signed-off-by: Xiaolei Wang <xiaolei.wang at windriver.com>
>> ---
>>   drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 14 ++++++++++++++
>>   1 file changed, 14 insertions(+)
>>
>> diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> index 62dca76b468d..d3813c79316d 100644
>> --- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> +++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c
>> @@ -2152,6 +2152,9 @@ static int cfe_probe_complete(struct cfe_device *cfe)
>>        cfe->v4l2_dev.notify = cfe_notify;
>>
>>        for (unsigned int i = 0; i < NUM_NODES; i++) {
>> +             if (check_state(cfe, NODE_REGISTERED, i))
>> +                     continue;
>> +
>>                ret = cfe_register_node(cfe, i);
>>                if (ret) {
>>                        cfe_err(cfe, "Unable to register video node %u.\n", i);
>> @@ -2204,8 +2207,19 @@ static int cfe_async_complete(struct v4l2_async_notifier *notifier)
>>        return cfe_probe_complete(cfe);
>>   }
>>
>> +static void cfe_async_unbind(struct v4l2_async_notifier *notifier,
>> +                          struct v4l2_subdev *subdev,
>> +                          struct v4l2_async_connection *asd)
>> +{
>> +     struct cfe_device *cfe = to_cfe_device(notifier->v4l2_dev);
>> +
>> +     cfe->source_sd = NULL;
>> +     cfe_info(cfe, "Unbinding subdev %s\n", subdev->name);
>> +}
>> +
>>   static const struct v4l2_async_notifier_operations cfe_async_ops = {
>>        .bound = cfe_async_bound,
>> +     .unbind = cfe_async_unbind,
>>        .complete = cfe_async_complete,
>>   };
>>
> --
> Regards,
>
> Laurent Pinchart