Re: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak

Next message: Joel Fernandes: "[PATCH v11 04/20] gpu: nova-core: mm: Add support to use PRAMIN windows to write to VRAM"
Previous message: Joel Fernandes: "[PATCH v11 12/20] gpu: nova-core: mm: Add unified page table entry wrapper enums"
In reply to: Dan Carpenter: "Re: [PATCH v4] media: atomisp: gc2235: fix UAF and memory leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: 최유호

Date: Wed Apr 15 2026 - 17:10:16 EST

Dear Dan,

Thanks for the review. I do appreciate the LGTM.

Best regards,
Yuho Choi

On Wed, 15 Apr 2026 at 12:23, Dan Carpenter <error27@xxxxxxxxx> wrote:
>
> On Thu, Apr 02, 2026 at 08:23:19PM -0400, Yuho Choi wrote:
> > gc2235_probe() handles its error paths incorrectly.
> >
> > If media_entity_pads_init() fails, gc2235_remove() is called, which
> > tears down the subdev and frees dev, but then still falls through to
> > atomisp_register_i2c_module(). This results in use-after-free.
> >
> > If atomisp_register_i2c_module() fails, the media entity and control
> > handler are left initialized and dev is leaked.
> >
> > gc2235_remove() unconditionally calls media_entity_cleanup() and
> > v4l2_ctrl_handler_free(), but these are not initialized at every
> > error path in gc2235_probe().
> >
> > Replace gc2235_remove() calls in the probe error paths with explicit
> > unwind labels that free only the resources initialized at each point
> > of failure, in reverse order of initialization.
> >
> > Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> > Signed-off-by: Yuho Choi <dbgh9129@xxxxxxxxx>
> > ---
>
> Thanks. LGTM!
>
> Reviewed-by: Dan Carpenter <error27@xxxxxxxxx>
>
> regards,
> dan carpenter
>