From: Alexandru Hossu
To: linux-media@vger.kernel.org
Cc: error27@gmail.com, sakari.ailus@linux.intel.com, bingbu.cao@intel.com, mchehab@kernel.org, gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, hossu.alexandru@gmail.com
Subject: [PATCH v2] staging: media: ipu7: fix double-free and use-after-free in error paths
Date: Mon, 13 Apr 2026 12:15:33 +0200
Message-ID: <20260413101533.496090-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260412205057.386856-5-hossu.alexandru@gmail.com>
References: <20260412205057.386856-5-hossu.alexandru@gmail.com>

In both ipu7_isys_init() and ipu7_psys_init(), pdata is allocated and then
passed to ipu7_bus_initialize_device(), which stores it in adev->pdata. The
ipu7_bus_release() function frees adev->pdata when the device's reference
count drops to zero.

Two error paths incorrectly call kfree(pdata) after the device teardown has
already freed it:

1. When ipu7_mmu_init() fails: put_device() is called, which drops the
   reference count to zero and triggers ipu7_bus_release() -> kfree(pdata).
   The subsequent kfree(pdata) is a double-free.

2. When ipu7_bus_add_device() fails: it calls auxiliary_device_uninit()
   internally, which calls put_device() -> ipu7_bus_release() -> kfree(pdata).
   The subsequent kfree(pdata) is again a double-free.

Note that the kfree(pdata) when ipu7_bus_initialize_device() itself fails is
correct, because in that case auxiliary_device_init() failed and the release
function was never set up, so pdata must be freed manually.

Additionally, the error code was not saved before calling put_device(),
causing ERR_CAST() to dereference the already-freed adev pointer when
constructing the return value.
Fix this by saving the error from dev_err_probe() before put_device() and
returning ERR_PTR() instead. Remove the redundant kfree(pdata) calls and fix
the use-after-free in the return values of the two affected error paths.

Fixes: b7fe4c0019b1 ("media: staging/ipu7: add Intel IPU7 PCI device driver")
Signed-off-by: Alexandru Hossu
Reviewed-by: Dan Carpenter
---
v2:
- Add Fixes tag (Dan Carpenter)
- Save error before put_device() to avoid use-after-free in ERR_CAST() return
  value; use ERR_PTR(ret) instead (Dan Carpenter)
- Apply same fix to ipu7_psys_init() (Dan Carpenter)

 drivers/staging/media/ipu7/ipu7.c | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/drivers/staging/media/ipu7/ipu7.c b/drivers/staging/media/ipu7= /ipu7.c index c771e763f8c5..310e3f24e571 100644 --- a/drivers/staging/media/ipu7/ipu7.c +++ b/drivers/staging/media/ipu7/ipu7.c @@ -2169,21 +2169,18 @@ ipu7_isys_init(struct pci_dev *pdev, struct device = *parent, isys_adev->mmu =3D ipu7_mmu_init(dev, base, ISYS_MMID, &ipdata->hw_variant); if (IS_ERR(isys_adev->mmu)) { - dev_err_probe(dev, PTR_ERR(isys_adev->mmu), - "ipu7_mmu_init(isys_adev->mmu) failed\n"); + ret =3D dev_err_probe(dev, PTR_ERR(isys_adev->mmu), + "ipu7_mmu_init(isys_adev->mmu) failed\n"); put_device(&isys_adev->auxdev.dev); - kfree(pdata); - return ERR_CAST(isys_adev->mmu); + return ERR_PTR(ret); } =20 isys_adev->mmu->dev =3D &isys_adev->auxdev.dev; isys_adev->subsys =3D IPU_IS; =20 ret =3D ipu7_bus_add_device(isys_adev); - if (ret) { - kfree(pdata); + if (ret) return ERR_PTR(ret); - } =20 return isys_adev; }
@@ -2216,21 +2213,18 @@ ipu7_psys_init(struct pci_dev *pdev, struct device = *parent, psys_adev->mmu =3D ipu7_mmu_init(&pdev->dev, base, PSYS_MMID, &ipdata->hw_variant); if (IS_ERR(psys_adev->mmu)) { - dev_err_probe(&pdev->dev, PTR_ERR(psys_adev->mmu), - "ipu7_mmu_init(psys_adev->mmu) failed\n"); + ret =3D dev_err_probe(&pdev->dev, PTR_ERR(psys_adev->mmu), + "ipu7_mmu_init(psys_adev->mmu) failed\n"); put_device(&psys_adev->auxdev.dev); - kfree(pdata); - return ERR_CAST(psys_adev->mmu); + return ERR_PTR(ret); } =20 psys_adev->mmu->dev =3D &psys_adev->auxdev.dev; psys_adev->subsys =3D IPU_PS; =20 ret =3D ipu7_bus_add_device(psys_adev); - if (ret) { - kfree(pdata); + if (ret) return ERR_PTR(ret); - } =20 return psys_adev; } --=20 2.53.0
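Review bot: in the ipu7_isys_init() hunk, the ipu7_bus_add_device() failure path now relies entirely on the device release callback for cleanup, yet isys_adev->mmu has already been set up by ipu7_mmu_init() at that point and the commit message only says that ipu7_bus_release() frees adev->pdata; please confirm that the release callback (or the auxiliary_device_uninit() path inside ipu7_bus_add_device()) also tears down adev->mmu, because if it does not, the MMU state set up a few lines earlier is leaked on that path and the matching teardown belongs before `return ERR_PTR(ret);`. The first part of the hunk is correct as written: `ret = dev_err_probe(...)` captures the error while isys_adev is still alive, and nothing dereferences isys_adev after `put_device(&isys_adev->auxdev.dev);`.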
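Review bot: the ipu7_psys_init() hunk mirrors the isys one and is correct for the same reason, but the commit message should state who owns psys_adev->mmu once `if (ret) return ERR_PTR(ret);` is the only cleanup after ipu7_bus_add_device(); the message currently documents only that ipu7_bus_release() frees pdata. One sentence saying that the release callback also tears down adev->mmu (or that ipu7_bus_add_device() does so itself on failure) would let a reader verify both remaining error paths from the commit message alone, without reading ipu7_bus_release().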
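Added example, not code from the patch, the ipu7 driver or its authors: a user-space C model of the ownership rule the commit message relies on, namely that once ipu7_bus_initialize_device() has stored pdata in the device, the release callback frees it on the last put_device(), so the caller must neither kfree() it again nor touch the device afterwards. The m_* and q_* names, the quarantining allocator, the chosen errno values and the static MMU stand-in are all assumptions of this model; only the shape of the two error paths follows the hunks above. m_run() replays each path in its pre-patch (fixed=0) and patched (fixed=1) form and reports the double frees and use-after-free reads the quarantine observed.

```c
#include <errno.h>
#include <stdlib.h>

/* ERR_PTR-style pointer/errno encoding, as in the kernel's linux/err.h. */
#define M_ERR_PTR(err) ((void *)(long)(err))
#define M_PTR_ERR(ptr) ((long)(ptr))
#define M_IS_ERR(ptr)  ((unsigned long)(ptr) >= (unsigned long)-4095)

/* Quarantining allocator (an assumption of this model, not of the driver): a
 * freed object stays mapped, so a second free or a later access is counted,
 * much as KASAN would report it, instead of crashing the process. */
#define Q_MAX 16
static struct { void *p; int live; } q_objs[Q_MAX];
static int q_n, q_double_frees, q_uafs;

static int q_slot(const void *p)	/* index of a tracked object, else -1 */
{
	for (int i = 0; i < q_n; i++)
		if (q_objs[i].p == p)
			return i;
	return -1;
}
static void *q_alloc(size_t sz)	/* kzalloc() stand-in; at most 2 live per run */
{
	void *p = calloc(1, sz);
	q_objs[q_n].p = p;
	q_objs[q_n++].live = 1;
	return p;
}
/* kfree() stand-in: a free of an already freed object is counted, not fatal. */
static void q_free(void *p) { int i = q_slot(p); if (i < 0) return; q_double_frees += !q_objs[i].live; q_objs[i].live = 0; }
/* Every dereference of a tracked object goes through here: counts use after free. */
static void *q_access(void *p) { int i = q_slot(p); q_uafs += (i >= 0 && !q_objs[i].live); return p; }

/* Model of the auxiliary device: a refcount plus a release callback. */
struct m_adev { int refcount; void *pdata; void *mmu; };
static char m_mmu_storage;	/* stand-in for a successfully initialised MMU */

/* Like ipu7_bus_release(): the device owns pdata and frees it on the last put. */
static void m_bus_release(struct m_adev *a) { q_free(a->pdata); q_free(a); }
static void m_put_device(struct m_adev *a) { if (--a->refcount == 0) m_bus_release(a); }
/* Like ipu7_bus_add_device(): failure uninitialises the device, which drops the
 * last reference and runs the release callback (errno value is an assumption). */
static int m_bus_add_device(struct m_adev *a, int fail) { if (fail) m_put_device(a); return fail ? -EBUSY : 0; }

/* Error paths of ipu7_isys_init(); fixed=0 reproduces the pre-patch code. */
static void *m_isys_init(int fail_mmu, int fail_add, int fixed)
{
	struct m_adev *adev = q_alloc(sizeof(*adev));
	void *pdata = q_alloc(64);
	long ret;

	adev->refcount = 1;	/* like ipu7_bus_initialize_device(): adev owns pdata now */
	adev->pdata = pdata;
	adev->mmu = fail_mmu ? M_ERR_PTR(-ENOMEM) : &m_mmu_storage;
	if (M_IS_ERR(adev->mmu)) {
		if (fixed) {
			ret = M_PTR_ERR(adev->mmu);	/* saved while adev is still alive */
			m_put_device(adev);		/* last ref: release frees pdata and adev */
			return M_ERR_PTR(ret);
		}
		m_put_device(adev);
		q_free(pdata);				/* bug: second kfree(pdata) */
		return ((struct m_adev *)q_access(adev))->mmu;	/* bug: ERR_CAST() reads freed adev */
	}
	ret = m_bus_add_device(adev, fail_add);
	if (ret) {
		if (!fixed)
			q_free(pdata);			/* bug: uninit already freed pdata */
		return M_ERR_PTR(ret);
	}
	return adev;
}

struct m_result { long err; int double_frees; int uafs; int leaked; };

/* Run one scenario on a clean heap and report what the quarantine observed. */
static struct m_result m_run(int fail_mmu, int fail_add, int fixed)
{
	struct m_result r = { 0, 0, 0, 0 };
	void *p;

	while (q_n > 0)
		free(q_objs[--q_n].p);
	q_double_frees = q_uafs = 0;
	p = m_isys_init(fail_mmu, fail_add, fixed);
	if (M_IS_ERR(p))
		r.err = M_PTR_ERR(p);
	else
		m_put_device(p);	/* success: drop the reference the caller holds */
	r.double_frees = q_double_frees;
	r.uafs = q_uafs;
	for (int i = 0; i < q_n; i++)
		r.leaked += q_objs[i].live;
	return r;
}
```

With a plain C compiler, m_run(1, 0, 0) reports one double free and one use-after-free read for the pre-patch ipu7_mmu_init() failure path, m_run(0, 1, 0) one double free for the pre-patch ipu7_bus_add_device() failure path, and both fixed variants report none with nothing leaked and the same errno returned. The quarantine is what lets the buggy variants run at all; in the kernel the same sequence is a slab double free that KASAN or SLUB debugging would flag, and the ERR_CAST() read would be a use-after-free of the auxiliary device.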