From: Yuho Choi
To: Andy Shevchenko, Hans de Goede, Mauro Carvalho Chehab, Sakari Ailus, Greg Kroah-Hartman
Cc: Peter Zijlstra, Kees Cook, Josh Poimboeuf, Thomas Andreatta, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Yuho Choi
Subject: [PATCH v2] media: atomisp: gc2235: fix UAF and memory leak
Date: Tue, 31 Mar 2026 15:47:27 -0400
Message-ID: <20260331194727.52054-1-yqc5929@psu.edu>

gc2235_probe() handles its error paths incorrectly.

If media_entity_pads_init() fails, gc2235_remove() is called, which
tears down the subdev and frees dev, but then still falls through to
atomisp_register_i2c_module(). This results in a use-after-free.

If atomisp_register_i2c_module() fails, the media entity and control
handler are left initialized and dev is leaked.

Handle each failure path locally and unwind only the initialized
resources. Return success only after the full probe sequence completes.

Signed-off-by: Yuho Choi
---
Changes since v1:
- Edited the commit message to be in imperative mood
- Corrected the previous mangled patch

 .../media/atomisp/i2c/atomisp-gc2235.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c b/drivers/s= taging/media/atomisp/i2c/atomisp-gc2235.c index d3414312e1de2..f4eb15d307fae 100644
--- a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c +++ b/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c @@ -837,13 +837,24 @@ static int gc2235_probe(struct i2c_client *client) dev->sd.ctrl_handler =3D &dev->ctrl_handler; =20 ret =3D media_entity_pads_init(&dev->sd.entity, 1, &dev->pad); - if (ret) - gc2235_remove(client); + if (ret) { + dev_err(&client->dev, "media_entity_pads_init failed\n"); + goto err_free_ctrl; + } + + ret =3D atomisp_register_i2c_module(&dev->sd, gcpdev); + if (ret) { + dev_err(&client->dev, "atomisp_register_i2c_module failed\n"); + goto err_entity_cleanup; + } =20 - return atomisp_register_i2c_module(&dev->sd, gcpdev); + return 0; =20 +err_entity_cleanup: + media_entity_cleanup(&dev->sd.entity); +err_free_ctrl: + v4l2_ctrl_handler_free(&dev->ctrl_handler); out_free: - v4l2_device_unregister_subdev(&dev->sd); kfree(dev); =20 return ret; --=20 2.50.1 (Apple Git-155)
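Review bot: the `out_free:` label survives this hunk, so it still has jumpers earlier in gc2235_probe() that are outside the hunk, yet `-	v4l2_device_unregister_subdev(&dev->sd);` is dropped from it without a word in the commit message. Either justify the removal there (if the subdev is not yet registered with a v4l2_device at that point, say so, since then the call was a no-op for those earlier paths too) or leave the call in place; as posted, a reader cannot tell from the patch whether the pre-existing `goto out_free` paths still unwind correctly. The unwind order of the new labels is right (media_entity_cleanup() before v4l2_ctrl_handler_free(), the reverse of the init order), and returning 0 only after atomisp_register_i2c_module() succeeds closes both the use-after-free and the leak described. Minor: the two new dev_err() messages would be more useful with the error code included, e.g. `dev_err(&client->dev, "media_entity_pads_init failed: %d\n", ret);`.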