media: i2c: max9286: Allocate v4l2_async_subdev dynamically

v4l2_async_notifier_add_subdev() requires the asd to be allocated
dynamically, but the max9286 driver embeds it in the max9286_source
structure. This causes memory corruption when the notifier is destroyed
at remove time with v4l2_async_notifier_cleanup().

Fix this issue by registering the asd with
v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
internally. A new max9286_asd structure is introduced, to store a
pointer to the corresonding max9286_source that needs to be accessed
from bound and unbind callbacks. There's no need to take an extra
explicit reference to the fwnode anymore as
v4l2_async_notifier_add_fwnode_subdev() does so internally.

While at it, use %u instead of %d to print the unsigned index in the
error message from the v4l2_async_notifier_add_fwnode_subdev() error
path.

Fixes: 66d8c9d2422d ("media: i2c: Add MAX9286 driver")
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c
index b364a3f..c82c149 100644 (file)
--- a/drivers/media/i2c/max9286.c
+++ b/drivers/media/i2c/max9286.c
@@ -135,13 +135,19 @@
 #define MAX9286_SRC_PAD                        4
 
 struct max9286_source {
-       struct v4l2_async_subdev asd;
        struct v4l2_subdev *sd;
        struct fwnode_handle *fwnode;
 };
 
-#define asd_to_max9286_source(_asd) \
-       container_of(_asd, struct max9286_source, asd)
+struct max9286_asd {
+       struct v4l2_async_subdev base;
+       struct max9286_source *source;
+};
+
+static inline struct max9286_asd *to_max9286_asd(struct v4l2_async_subdev *asd)
+{
+       return container_of(asd, struct max9286_asd, base);
+}
 
 struct max9286_priv {
        struct i2c_client *client;
@@ -481,7 +487,7 @@ static int max9286_notify_bound(struct v4l2_async_notifier *notifier,
                                struct v4l2_async_subdev *asd)
 {
        struct max9286_priv *priv = sd_to_max9286(notifier->sd);
-       struct max9286_source *source = asd_to_max9286_source(asd);
+       struct max9286_source *source = to_max9286_asd(asd)->source;
        unsigned int index = to_index(priv, source);
        unsigned int src_pad;
        int ret;
@@ -545,7 +551,7 @@ static void max9286_notify_unbind(struct v4l2_async_notifier *notifier,
                                  struct v4l2_async_subdev *asd)
 {
        struct max9286_priv *priv = sd_to_max9286(notifier->sd);
-       struct max9286_source *source = asd_to_max9286_source(asd);
+       struct max9286_source *source = to_max9286_asd(asd)->source;
        unsigned int index = to_index(priv, source);
 
        source->sd = NULL;
@@ -570,23 +576,19 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv)
 
        for_each_source(priv, source) {
                unsigned int i = to_index(priv, source);
-
-               source->asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
-               source->asd.match.fwnode = source->fwnode;
-
-               ret = v4l2_async_notifier_add_subdev(&priv->notifier,
-                                                    &source->asd);
-               if (ret) {
-                       dev_err(dev, "Failed to add subdev for source %d", i);
+               struct v4l2_async_subdev *asd;
+
+               asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier,
+                                                           source->fwnode,
+                                                           sizeof(*asd));
+               if (IS_ERR(asd)) {
+                       dev_err(dev, "Failed to add subdev for source %u: %ld",
+                               i, PTR_ERR(asd));
                        v4l2_async_notifier_cleanup(&priv->notifier);
-                       return ret;
+                       return PTR_ERR(asd);
                }
 
-               /*
-                * Balance the reference counting handled through
-                * v4l2_async_notifier_cleanup()
-                */
-               fwnode_handle_get(source->fwnode);
+               to_max9286_asd(asd)->source = source;
        }
 
        priv->notifier.ops = &max9286_notify_ops;