Re: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak

Next message: Guangshuo Li: "[PATCH] mfd: sm501: fix reference leak on failed device registration"
Previous message: syzbot ci: "[syzbot ci] Re: veth: add Byte Queue Limits (BQL) support"
In reply to: &#xCD5C;&#xC720;&#xD638;: "Re: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak"
Next in thread: &#xCD5C;&#xC720;&#xD638;: "Re: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Wed Apr 15 2026 - 12:25:19 EST

On Thu, Apr 02, 2026 at 08:23:19PM -0400, Yuho Choi wrote:
> gc2235_probe() handles its error paths incorrectly.
>
> If media_entity_pads_init() fails, gc2235_remove() is called, which
> tears down the subdev and frees dev, but then still falls through to
> atomisp_register_i2c_module(). This results in use-after-free.
>
> If atomisp_register_i2c_module() fails, the media entity and control
> handler are left initialized and dev is leaked.
>
> gc2235_remove() unconditionally calls media_entity_cleanup() and
> v4l2_ctrl_handler_free(), but these are not initialized at every
> error path in gc2235_probe().
>
> Replace gc2235_remove() calls in the probe error paths with explicit
> unwind labels that free only the resources initialized at each point
> of failure, in reverse order of initialization.
>
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Signed-off-by: Yuho Choi <dbgh9129@xxxxxxxxx>
> ---

Thanks. LGTM!

Reviewed-by: Dan Carpenter <error27@xxxxxxxxx>

regards,
dan carpenter