From: Yuho Choi
To: Andy Shevchenko, Hans de Goede, Mauro Carvalho Chehab, Sakari Ailus, Greg Kroah-Hartman
Cc: Peter Zijlstra, Kees Cook, Josh Poimboeuf, Thomas Andreatta, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Yuho Choi
Subject: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak
Date: Thu, 2 Apr 2026 20:23:19 -0400
Message-ID: <20260403002319.12771-1-dbgh9129@gmail.com>

gc2235_probe() handles its error paths incorrectly. If media_entity_pads_init() fails, gc2235_remove() is called, which tears down the subdev and frees dev, but then still falls through to atomisp_register_i2c_module(). This results in use-after-free.

If atomisp_register_i2c_module() fails, the media entity and control handler are left initialized and dev is leaked.

gc2235_remove() unconditionally calls media_entity_cleanup() and v4l2_ctrl_handler_free(), but these are not initialized at every error path in gc2235_probe().

Replace gc2235_remove() calls in the probe error paths with explicit unwind labels that free only the resources initialized at each point of failure, in reverse order of initialization.

Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
Signed-off-by: Yuho Choi
---
Changes since v3:
- Replaced goto out_free/gc2235_remove() with explicit unwind labels to release only initialized resources at each failure point
- Replaced the "Fixes" tag with the original commit for the driver

Changes since v2:
- Replaced gc2235_remove() calls in remaining two error paths with goto labels to unwind only initialized resources
- Added Fixes tag

Changes since v1:
- Edited the commit message to be imperative mood
- Corrected the previous mangled patch

 .../media/atomisp/i2c/atomisp-gc2235.c | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c b/drivers/s= taging/media/atomisp/i2c/atomisp-gc2235.c index d3414312e1de2..998c9f46bd068 100644 --- a/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c +++ b/drivers/staging/media/atomisp/i2c/atomisp-gc2235.c @@ -809,7 +809,7 @@ static int gc2235_probe(struct i2c_client *client) =20 ret =3D gc2235_s_config(&dev->sd, client->irq, gcpdev); if (ret) - goto out_free; + goto err_unregister_subdev; =20 dev->sd.flags |=3D V4L2_SUBDEV_FL_HAS_DEVNODE; dev->pad.flags =3D MEDIA_PAD_FL_SOURCE; @@ -818,18 +818,16 @@ static int gc2235_probe(struct i2c_client *client) ret =3D v4l2_ctrl_handler_init(&dev->ctrl_handler, ARRAY_SIZE(gc2235_controls)); - if (ret) { - gc2235_remove(client); - return ret; - } + if (ret) + goto err_csi_cfg; =20 for (i =3D 0; i < ARRAY_SIZE(gc2235_controls); i++) v4l2_ctrl_new_custom(&dev->ctrl_handler, &gc2235_controls[i], NULL); =20 if (dev->ctrl_handler.error) { - gc2235_remove(client); - return dev->ctrl_handler.error; + ret =3D dev->ctrl_handler.error; + goto err_ctrl_handler; } =20 /* Use same lock for controls as for everything else. */ 
@@ -838,14 +836,23 @@ static int gc2235_probe(struct i2c_client *client) =20 ret =3D media_entity_pads_init(&dev->sd.entity, 1, &dev->pad); if (ret) - gc2235_remove(client); + goto err_ctrl_handler; + + ret =3D atomisp_register_i2c_module(&dev->sd, gcpdev); + if (ret) + goto err_media_cleanup; =20 - return atomisp_register_i2c_module(&dev->sd, gcpdev); + return 0; =20 -out_free: +err_media_cleanup: + media_entity_cleanup(&dev->sd.entity); +err_ctrl_handler: + v4l2_ctrl_handler_free(&dev->ctrl_handler); +err_csi_cfg: + dev->platform_data->csi_cfg(&dev->sd, 0); +err_unregister_subdev: v4l2_device_unregister_subdev(&dev->sd); kfree(dev); - return ret; } =20 --=20 2.50.1 (Apple Git-155)
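Review bot: in the first hunk (around line 809), the failed gc2235_s_config() call now jumps to err_unregister_subdev, which skips the new err_csi_cfg step (`dev->platform_data->csi_cfg(&dev->sd, 0)`); that is only correct if gc2235_s_config() undoes its own csi_cfg(sd, 1) on every one of its failure paths, and the commit message should say so, since the point of the series is to release exactly what was initialized.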
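Review bot: in the last hunk (around line 838), `-	return ret;` after `kfree(dev);` is removed and nothing replaces it, so as shown every error path falls off the end of a non-void probe function; a `return ret;` must remain after `kfree(dev)`. The hunk header counts (-838,14 +836,23) indicate one line is missing from this rendering, so the posted patch may well carry it, but it should be confirmed before applying.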