From nobody Tue Jun 16 18:30:17 2026 Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E7DAD36C9C2 for ; Thu, 30 Apr 2026 05:54:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777528481; cv=none; b=igt2ya6ZB/3LJRH51XuWgA7hFfhsHZwiPSLS1xipQv4vsW8+eBFemdgHWnhAS4wgfEI4NDIJ0qziD1WM5nMZkw1qavN2NciLv84hSDfZn9UAwf6MjV2+mJQjtIkjThIg80xRyEEz2y+dC52PPmGmSHrTYqiBR0DnIIW6y5jdKA8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777528481; c=relaxed/simple; bh=Q7R86ThebD20EoDOnSlfVUdeU/ySa31tJjx/p+OQE/Y=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=eliG0xb5i0yAgAmSzT2sBQe8WcXdnEYtICRl3JNoVoXLswNFCuGkF1nH8+eDmaqi0bm4v0O7P4/0U4Osf+YvxKOg3dUjRQYfhmm3BcueUi+J0NXZ/JSdcU9jh+5AHRskemZtw272t+r53BnhGgJEUSkbmPsFcpubnY4dEc71maw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=oyHQ0avA; arc=none smtp.client-ip=209.85.210.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="oyHQ0avA" Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-8318293f02bso306708b3a.0 for ; Wed, 29 Apr 2026 22:54:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777528479; x=1778133279; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=o2kxYsOO6pq5/nEFGxNKpCk5FTnWbDP6rB+zhW93ugg=; b=oyHQ0avAU+/rL/2bQvYEETUrxkBGFOJWYFJz38M34g8biw8miM4OKlnH60qKjDGbKe ZlFq53k30z4pl6hn0fzrW4mqEWgJSzOYYvstSZKMaZ2lVhcEOL2AIixmzdw4I3lZ9ZMO ZOYbLQk2Ijo68fwiSS8sqXnW8B+W/QhcXYTuwszRsHTcoZccpPng74GQuc/vrS02kPbL iuOqSM8bC958qaVWhms+vxptWv4olIdfUDd/AOVpxaU1cB7uLM3Zyfd8kcfF19qu/I2h tokGu1PpEW9iBpHztGeKXkD4Pqcw3YyYu6Z61Ctn15rHtqBPvzOq7QcLgOj4aDnuSF36 ObBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777528479; x=1778133279; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=o2kxYsOO6pq5/nEFGxNKpCk5FTnWbDP6rB+zhW93ugg=; b=Oe0kvLCgpTRDR4mzaFyn+Sb987Em1LFRfqLlc8Mvqji7/pa0qtBLEWtxovh/t9shHx w2pzQISZCN1cj6PhHDuFTPCxqJ5RhS2tqyDA4xTwEbOtbQm/p6n7wkGjT/qFS+8Q6Suc +6VX2EMIUKbCJzgrgKfbUFNgzKBc/Nw197vDzEe7efLQcNK/dSHsVV776MopL3oXXmFA /IbGZwoAtztKLrU6Xsr83YGk+vxYIooDvM3MLTVbCqXp2ET1IvQKyKYrcRmS5u1zJgJm Up5V8cXKpztRA61dSgbK3hPTF78JR9aOTRaPGoMIbX7vfdkmO04pOVKkgseN2SO4FK6W drQg== X-Forwarded-Encrypted: i=1; AFNElJ8My6wT5JPJpvJafgALz++JdFI/gNCNy0KW5bEdKdwE5lccTTVcxNAuBsdRhfFAiAxOCxF8/Grwc8JddfM=@vger.kernel.org X-Gm-Message-State: AOJu0YyC1lJYxKmzWPOA3pmGHF1zyFoDCpwnMuUiCamoBOpKWR3h4Io/ RVgy+hDDs0PI087XBmSqSOCINLtq3szaxcgvLsoLscN4gdhpV45BYD3A X-Gm-Gg: AeBDiet/1ogUPZyGxepnsqZQnKGvos2ftG1Mz2nRsjrrNVZqk5XGCj2N1SOsBB8soT/ d74VOW69y7QrVme2oIOLGb67RK5Bp/Jc3MLZ19rAHRsRNlnlgm7OEk13yLS3lfm5GWcnyy4gfra svqI9wgu2VSVsOhMrWjHsZABC++ASFFrehpR0tfpj7hEcN+PNTtbqvP6bNCx13tHB0mNLPuhy6P q2/bTvee7Nzb4fb+BdUx7+kI/uzXtQ2oB6G8nj6A7NcpWsCrINkaVH2C+oNitoG6EPFZp7LEBWF Cza/GlBIMQzj/LpijHyomNYxzTCH8qfYD6AA/FWCAcpe/b4k+po//91NQXml4EP6lvP2BJaueNL kn4ktjJL4GliVEwTNSa5YlXtP1Id2wgLi/1LiVCaTaKZoFONgTd5biBS8eqTCUVRmax/X0WPr8r 0fdMli4EGrvevWfzKFQbGsLpI= X-Received: by 2002:a05:6a00:8990:b0:82f:7888:e2fa with SMTP id d2e1a72fcca58-8350015fc9amr715848b3a.17.1777528479291; Wed, 29 Apr 2026 22:54:39 -0700 (PDT) Received: from lgs.. ([101.36.106.88]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-834ed2fd07csm4062251b3a.0.2026.04.29.22.54.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Apr 2026 22:54:38 -0700 (PDT) From: Guangshuo Li To: Sakari Ailus , Bingbu Cao , Tianshu Qiu , Mauro Carvalho Chehab , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Guangshuo Li , stable@vger.kernel.org Subject: [PATCH] media: intel/ipu6: Fix pdata double free in init error paths Date: Thu, 30 Apr 2026 13:54:30 +0800 Message-ID: <20260430055430.447536-1-lgs201920130244@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ipu6_bus_initialize_device() stores the caller allocated pdata pointer in adev->pdata and installs ipu6_bus_release() as the device release callback. After auxiliary_device_init() succeeds, pdata is released by ipu6_bus_release(). The isys and psys init error paths still call kfree(pdata) after put_device() or after ipu6_bus_add_device() fails. In both cases the auxiliary device release callback has already been invoked, so pdata has already been freed through adev->pdata. Remove the duplicate kfree(pdata) calls. Also cache the MMU init error before calling put_device(), since put_device() may release the auxiliary device container. This issue was found by a static analysis tool I am developing. Fixes: 25fedc021985a ("media: intel/ipu6: add Intel IPU6 PCI device driver") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li --- drivers/media/pci/intel/ipu6/ipu6.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/= ipu6/ipu6.c index 34f67f4f1bb5..96ee33af8f6a 100644 --- a/drivers/media/pci/intel/ipu6/ipu6.c +++ b/drivers/media/pci/intel/ipu6/ipu6.c @@ -399,19 +399,18 @@ ipu6_isys_init(struct pci_dev *pdev, struct device *p= arent, isys_adev->mmu =3D ipu6_mmu_init(dev, base, ISYS_MMID, &ipdata->hw_variant); if (IS_ERR(isys_adev->mmu)) { + ret =3D PTR_ERR(isys_adev->mmu); + dev_err_probe(dev, ret, + "ipu6_mmu_init(isys_adev->mmu) failed\n"); put_device(&isys_adev->auxdev.dev); - kfree(pdata); - return dev_err_cast_probe(dev, isys_adev->mmu, - "ipu6_mmu_init(isys_adev->mmu) failed\n"); + return ERR_PTR(ret); } =20 isys_adev->mmu->dev =3D &isys_adev->auxdev.dev; =20 ret =3D ipu6_bus_add_device(isys_adev); - if (ret) { - kfree(pdata); + if (ret) return ERR_PTR(ret); - } =20 return isys_adev; } @@ -443,19 +442,18 @@ ipu6_psys_init(struct pci_dev *pdev, struct device *p= arent, psys_adev->mmu =3D ipu6_mmu_init(&pdev->dev, base, PSYS_MMID, &ipdata->hw_variant); if (IS_ERR(psys_adev->mmu)) { + ret =3D PTR_ERR(psys_adev->mmu); + dev_err_probe(&pdev->dev, ret, + "ipu6_mmu_init(psys_adev->mmu) failed\n"); put_device(&psys_adev->auxdev.dev); - kfree(pdata); - return dev_err_cast_probe(&pdev->dev, psys_adev->mmu, - "ipu6_mmu_init(psys_adev->mmu) failed\n"); + return ERR_PTR(ret); } =20 psys_adev->mmu->dev =3D &psys_adev->auxdev.dev; =20 ret =3D ipu6_bus_add_device(psys_adev); - if (ret) { - kfree(pdata); + if (ret) return ERR_PTR(ret); - } =20 return psys_adev; } --=20 2.43.0