RE: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

From: Nas Chung

Date: Wed Feb 11 2026 - 04:12:57 EST

Hi, Alper.

Thanks for the patch.

>-----Original Message-----
>From: Alper Ak <alperyasinak1@xxxxxxxxx>
>Sent: Saturday, February 7, 2026 7:32 PM
>To: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>; jackson.lee
><jackson.lee@xxxxxxxxxxxxxxx>
>Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>; Nicolas Dufresne
><nicolas.dufresne@xxxxxxxxxxxxx>; Hans Verkuil <hverkuil+cisco@xxxxxxxxxx>;
>linux-media@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Alper Ak
><alperyasinak1@xxxxxxxxx>
>Subject: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
>
>The kthread_run() function returns either a valid task_struct pointer
>or ERR_PTR() on failure. The return value was not checked and in the
>error cleanup path, the code verifies if dev->irq_thread is non NULL
>before calling kthread_stop(). Since ERR_PTR() values are non NULL,
>this would result in passing an error pointer to kthread_stop(),
>causing a kernel panic.
>
>Add proper IS_ERR() check after kthread_run(), log the error, set
>dev->irq_thread to NULL and fail the probe to prevent the driver
>from operating in a broken state.
>
>Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while
>testing fluster")
>Signed-off-by: Alper Ak <alperyasinak1@xxxxxxxxx>
>---
> drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>index 76d57c6b636a..bebe2bd6893b 100644
>--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device
>*pdev)
> dev_err(&pdev->dev, "failed to get irq resource, falling back
>to polling\n");
> sema_init(&dev->irq_sem, 1);
> dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
>+ if (IS_ERR(dev->irq_thread)) {
>+ dev_err(&pdev->dev, "failed to create vpu irq
>thread\n");
>+ ret = PTR_ERR(dev->irq_thread);
>+ dev->irq_thread = NULL;
>+ goto err_vdi_release;
>+ }

I also ran smatch locally but couldn't reproduce the warning.
Could you share the exact test command you used ?

That said, The fix looks correct to me.

Acked-by: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>

Thanks.
Nas.

> hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>CLOCK_MONOTONIC,
> HRTIMER_MODE_REL_PINNED);
> dev->worker = kthread_run_worker(0, "vpu_irq_thread");
>--
>2.43.0