From: Yuho Choi
To: Andy Shevchenko, Hans de Goede, Mauro Carvalho Chehab, Sakari Ailus, Greg Kroah-Hartman
Cc: Peter Zijlstra, Kees Cook, Josh Poimboeuf, Thomas Andreatta, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Yuho Choi
Subject: [PATCH v3] media: atomisp: gc2235: fix UAF and memory leak
Date: Wed, 1 Apr 2026 12:30:50 -0400
Message-ID: <20260401163050.34830-1-yqc5929@psu.edu>

gc2235_probe() handles its error paths incorrectly. If media_entity_pads_init() fails, gc2235_remove() is called, which tears down the subdev and frees dev, but then still falls through to atomisp_register_i2c_module(). This results in use-after-free.

If atomisp_register_i2c_module() fails, the media entity and control handler are left initialized and dev is leaked.

gc2235_remove() is the full teardown path for a successfully probed device; it unconditionally assumes a fully-initialized device. gc2235_probe() must unwind only the resources that were actually initialized at the point of failure.

Handle each failure path with explicit unwind labels that free only what has been initialized. Return success only after the full probe sequence completes.

Fixes: ad85094b293e ("media: atomisp: gc2235: Remove driver")
Fixes: e838b8c69e45 ("media: atomisp: Drop intel_v4l2_subdev_type")
Signed-off-by: Yuho Choi --- Changes since v2: - Replaced gc2235_remove() calls in remaining two error paths with goto labels to unwind only initialized resources - Added Fixes tag Changes since v1: - Edited the commit message to be imperative mood - Corrected the previous mangled patch .../media/atomisp/i2c/atomisp-gc2235.c | 29 ++++++++++++------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c b/drivers/s= taging/media/atomisp/i2c/atomisp-gc2235.c index d3414312e1de2..eedaedc84284b 100644 --- a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c +++ b/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c @@ -818,18 +818,16 @@ static int gc2235_probe(struct i2c_client *client) ret =3D v4l2_ctrl_handler_init(&dev->ctrl_handler, ARRAY_SIZE(gc2235_controls)); - if (ret) { - gc2235_remove(client); - return ret; - } + if (ret)=20 + goto out_free; =20 for (i =3D 0; i < ARRAY_SIZE(gc2235_controls); i++) v4l2_ctrl_new_custom(&dev->ctrl_handler, &gc2235_controls[i], NULL); =20 if (dev->ctrl_handler.error) { - gc2235_remove(client); - return dev->ctrl_handler.error; + ret =3D dev->ctrl_handler.error; + goto err_free_ctrl; } =20 /* Use same lock for controls as for everything else. */ 
@@ -837,13 +835,24 @@ static int gc2235_probe(struct i2c_client *client) dev->sd.ctrl_handler =3D &dev->ctrl_handler; =20 ret =3D media_entity_pads_init(&dev->sd.entity, 1, &dev->pad); - if (ret) - gc2235_remove(client); + if (ret) { + dev_err(&client->dev, "media_entity_pads_init failed\n"); + goto err_free_ctrl; + } =20 - return atomisp_register_i2c_module(&dev->sd, gcpdev); + ret =3D atomisp_register_i2c_module(&dev->sd, gcpdev); + if (ret) { + dev_err(&client->dev, "atomisp_register_i2c_module failed\n"); + goto err_entity_cleanup; + } + + return 0; =20 +err_entity_cleanup: + media_entity_cleanup(&dev->sd.entity); +err_free_ctrl: + v4l2_ctrl_handler_free(&dev->ctrl_handler); out_free: - v4l2_device_unregister_subdev(&dev->sd); kfree(dev); =20 return ret; --=20 2.50.1 (Apple Git-155)
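Review bot: the added `if (ret)` line in the first hunk (shown here as `+ if (ret)=20`, the quoted-printable encoding of a trailing space) ends in whitespace; checkpatch will flag it, so drop the space. The same hunk also fixes a read the commit message leaves out: the removed `gc2235_remove(client); return dev->ctrl_handler.error;` dereferenced dev after gc2235_remove() had freed it, and the replacement `ret = dev->ctrl_handler.error; goto err_free_ctrl;` reads the error before unwinding. That is a second use-after-free, separate from the media_entity_pads_init() one the message describes, and deserves a sentence there. Minor: the labels mix prefixes (out_free next to err_free_ctrl and err_entity_cleanup); one convention reads better.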
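Review bot: the second hunk drops `v4l2_device_unregister_subdev(&dev->sd);` from the out_free path without the commit message or the changelog saying why. The unwind chain the hunk builds (err_entity_cleanup, then err_free_ctrl, then out_free) is only reached before atomisp_register_i2c_module() has succeeded, so if that is the only place the subdev gets registered the call was a no-op on every path and removing it is right; spell that out, otherwise a reader will suspect a teardown step went missing. Also, the two new dev_err() messages print no error code; `dev_err(&client->dev, "media_entity_pads_init failed: %d\n", ret);` or dev_err_probe(&client->dev, ret, "...") makes the failure diagnosable from dmesg, and dev_err_probe() additionally stays quiet for -EPROBE_DEFER.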
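The failure-injection model below is an added example, not the gc2235 driver's code and not part of this patch. It reproduces in user space the two probe() shapes the commit message contrasts, calling a full remove() from an error path versus unwinding with labels, and audits each injected failure for accesses to dev after it was freed and for resources left live. The step functions, the dev fields and the fail_at switch are hypothetical stand-ins for the kernel objects; only the label names mirror the patch.

```c
/* Added user-space model of the two unwind strategies in gc2235_probe(); not the
 * driver's code. do_step()/ctrl_add() are hypothetical stand-ins for
 * v4l2_ctrl_handler_init(), v4l2_ctrl_new_custom(), media_entity_pads_init() and
 * atomisp_register_i2c_module(); fail_at injects -EINVAL at one of them. kfree_dev()
 * only marks dev freed, so later accesses are counted as UAFs instead of crashing. */
#include <errno.h>
#include <stdio.h>

enum step { CTRL_INIT, CTRL_ADD, PADS_INIT, REGISTER, NSTEPS };
static int fail_at = -1;                  /* step that fails, or -1 for none */
struct dev { int freed, ctrl_live, entity_live, registered, ctrl_error; }; /* ctrl_error ~ ctrl_handler.error */
struct outcome { int ret, uaf, leaked; }; /* probe() result, post-free accesses, leftovers */

static void touch(struct dev *d, struct outcome *o) { if (d->freed) o->uaf++; }
static void kfree_dev(struct dev *d) { d->freed = 1; }

/* A probe step that reports failure through its return value. */
static int do_step(struct dev *d, struct outcome *o, enum step s, int *live)
{
	touch(d, o);
	if (fail_at == s)
		return -EINVAL;
	*live = 1;
	return 0;
}

/* v4l2_ctrl_new_custom() returns nothing; the handler records the error. */
static void ctrl_add(struct dev *d, struct outcome *o)
{
	touch(d, o);
	if (fail_at == CTRL_ADD)
		d->ctrl_error = -EINVAL;
}
static int ctrl_error_of(struct dev *d, struct outcome *o) { touch(d, o); return d->ctrl_error; }
static void ctrl_free(struct dev *d, struct outcome *o) { touch(d, o); d->ctrl_live = 0; }
static void entity_cleanup(struct dev *d, struct outcome *o) { touch(d, o); d->entity_live = 0; }

/* Teardown for a fully probed device: assumes everything is live. */
static void full_remove(struct dev *d, struct outcome *o)
{ entity_cleanup(d, o); ctrl_free(d, o); kfree_dev(d); }

/* Pre-patch shape: call the remove() path from probe, then keep going. */
static int probe_old(struct dev *d, struct outcome *o)
{
	int ret = do_step(d, o, CTRL_INIT, &d->ctrl_live);

	if (ret) { full_remove(d, o); return ret; }
	ctrl_add(d, o);
	if (ctrl_error_of(d, o)) {
		full_remove(d, o);
		return ctrl_error_of(d, o);                 /* reads dev after it was freed */
	}
	if (do_step(d, o, PADS_INIT, &d->entity_live))
		full_remove(d, o);                          /* frees dev, then falls through... */
	return do_step(d, o, REGISTER, &d->registered); /* ...into a use of dev; masks the error */
}

/* Patched shape: unwind only what this function initialised, in reverse order. */
static int probe_new(struct dev *d, struct outcome *o)
{
	int ret = do_step(d, o, CTRL_INIT, &d->ctrl_live);

	if (ret) goto out_free;
	ctrl_add(d, o);
	ret = ctrl_error_of(d, o);
	if (ret) goto err_free_ctrl;
	ret = do_step(d, o, PADS_INIT, &d->entity_live);
	if (ret) goto err_free_ctrl;
	ret = do_step(d, o, REGISTER, &d->registered);
	if (ret) goto err_entity_cleanup;
	return 0;

err_entity_cleanup:
	entity_cleanup(d, o);
err_free_ctrl:
	ctrl_free(d, o);
out_free:
	kfree_dev(d);
	return ret;
}

/* Probe a fresh dev with a fault injected at 'at' (-1: none) and audit the result. */
static struct outcome run(int (*probe)(struct dev *, struct outcome *), int at)
{
	struct dev d = { 0 };
	struct outcome o = { 0 };

	fail_at = at;
	o.ret = probe(&d, &o);
	fail_at = -1;
	o.leaked = o.ret && (!d.freed || d.ctrl_live || d.entity_live);
	return o;
}

int main(void)
{
	const char *names[NSTEPS] = { "ctrl_init", "ctrl_add", "pads_init", "register" };
	for (int s = 0; s < NSTEPS; s++) {
		struct outcome a = run(probe_old, s), b = run(probe_new, s);
		printf("fail at %-9s old: ret=%3d uaf=%d leak=%d | new: ret=%3d uaf=%d leak=%d\n",
		       names[s], a.ret, a.uaf, a.leaked, b.ret, b.uaf, b.leaked);
	}
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The old shape reports a use-after-free when ctrl_add or pads_init fails, and in the pads_init case returns 0 because the register step's return value replaces the error, exactly the fall-through the commit message describes; when register fails it reports a leak. The new shape reports neither on any path, because every label frees only what the steps above it initialised.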