1. Patchew
  2. linux
  3. View series

[PATCH] media: intel/ipu6: fix error pointer dereference

Ethan Tidmore posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
drivers/media/pci/intel/ipu6/ipu6.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] media: intel/ipu6: fix error pointer dereference
Posted by Ethan Tidmore 1 month, 2 weeks ago 
After confirming that isp->psys is an error pointer goto is called and
imminently goes to this code snippet below:

out_ipu6_bus_del_devices:
	if (isp->psys) {
		ipu6_cpd_free_pkg_dir(isp->psys);
		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
	}

Since isp->psys is confirmed to be an error pointer not NULL, the
condition is true and the error pointer is dereferenced. So isp->psys
should be set to NULL before going to out_ipu6_bus_del_devices.

Fixes: 25fedc021985a ("media: intel/ipu6: add Intel IPU6 PCI device driver")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 drivers/media/pci/intel/ipu6/ipu6.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 24238f8311a6..6e6b7d2a68ff 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -619,6 +619,7 @@ static int ipu6_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 				   psys_base, &psys_ipdata);
 	if (IS_ERR(isp->psys)) {
 		ret = PTR_ERR(isp->psys);
+		isp->psys = NULL;
 		goto out_ipu6_bus_del_devices;
 	}
 
-- 
2.53.0
Re: [PATCH] media: intel/ipu6: fix error pointer dereference
Posted by Sakari Ailus 1 month ago 
Hi Ethan,

Thanks for the patch.

On Mon, Feb 16, 2026 at 06:34:20PM -0600, Ethan Tidmore wrote:
> After confirming that isp->psys is an error pointer goto is called and
> imminently goes to this code snippet below:
> 
> out_ipu6_bus_del_devices:
> 	if (isp->psys) {
> 		ipu6_cpd_free_pkg_dir(isp->psys);
> 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
> 	}
> 
> Since isp->psys is confirmed to be an error pointer not NULL, the
> condition is true and the error pointer is dereferenced. So isp->psys
> should be set to NULL before going to out_ipu6_bus_del_devices.
> 
> Fixes: 25fedc021985a ("media: intel/ipu6: add Intel IPU6 PCI device driver")

Add:

Cc: stable@vger.kernel.org

> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---
>  drivers/media/pci/intel/ipu6/ipu6.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
> index 24238f8311a6..6e6b7d2a68ff 100644
> --- a/drivers/media/pci/intel/ipu6/ipu6.c
> +++ b/drivers/media/pci/intel/ipu6/ipu6.c
> @@ -619,6 +619,7 @@ static int ipu6_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
>  				   psys_base, &psys_ipdata);
>  	if (IS_ERR(isp->psys)) {
>  		ret = PTR_ERR(isp->psys);
> +		isp->psys = NULL;

There are a number of checks for IS_ERR_OR_NULL() in error handling;
instead of setting psys to NULL here I'd add the same test to the condition
after out_ipu6_bus_del_devices:.

>  		goto out_ipu6_bus_del_devices;
>  	}
>  

-- 
Kind regards,

Sakari Ailus

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.