RE: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
From: Nas Chung
Date: Fri Feb 13 2026 - 00:39:00 EST
Hi, Alper.
>-----Original Message-----
>From: Alper Ak <alperyasinak1@xxxxxxxxx>
>Sent: Wednesday, February 11, 2026 6:42 PM
>To: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>
>Cc: jackson.lee <jackson.lee@xxxxxxxxxxxxxxx>; Mauro Carvalho Chehab
><mchehab@xxxxxxxxxx>; Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx>;
>Hans Verkuil <hverkuil+cisco@xxxxxxxxxx>; linux-media@xxxxxxxxxxxxxxx;
>linux-kernel@xxxxxxxxxxxxxxx
>Subject: Re: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR
>deference
>
>Hi,
>
>I usually run smatch with the kernel cross function database enabled. It
>collects return value propagation, function call relationships, assignments,
>etc. The database is incremental and grows over multiple rebuilds.
>
>The steps I used were:
>• Build the database:
>~/smatch/smatch_scripts/build_kernel_data.sh
>• Run smatch on the whole kernel:
>~/smatch/smatch_scripts/test_kernel.sh
Thanks for the test command.
>After applying the fix, I verified that the warning was gone with:
>
>~/smatch/smatch_scripts/kchecker drivers/whatever/file.c
I reproduced the issue with the same command, and this patch fixes it.
Tested-by: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>
Thanks.
Nas.
>
>If smatch is run directly on a single file without building the database
>first, the warning might not be reproduced.
>Best regards,
>Alper Ak
>
>
>Nas Chung <nas.chung@xxxxxxxxxxxxxxx>, 11 Şub 2026 Çar, 12:12 tarihinde
>şunu yazdı:
>Hi, Alper.
>
>Thanks for the patch.
>
>>-----Original Message-----
>>From: Alper Ak <alperyasinak1@xxxxxxxxx>
>>Sent: Saturday, February 7, 2026 7:32 PM
>>To: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>; jackson.lee
>><jackson.lee@xxxxxxxxxxxxxxx>
>>Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>; Nicolas Dufresne
>><nicolas.dufresne@xxxxxxxxxxxxx>; Hans Verkuil <hverkuil+cisco@xxxxxxxxxx>;
>>linux-media@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; Alper Ak
>><alperyasinak1@xxxxxxxxx>
>>Subject: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
>>
>>The kthread_run() function returns either a valid task_struct pointer
>>or ERR_PTR() on failure. The return value was not checked and in the
>>error cleanup path, the code verifies if dev->irq_thread is non NULL
>>before calling kthread_stop(). Since ERR_PTR() values are non NULL,
>>this would result in passing an error pointer to kthread_stop(),
>>causing a kernel panic.
>>
>>Add proper IS_ERR() check after kthread_run(), log the error, set
>>dev->irq_thread to NULL and fail the probe to prevent the driver
>>from operating in a broken state.
>>
>>Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while
>>testing fluster")
>>Signed-off-by: Alper Ak <alperyasinak1@xxxxxxxxx>
>>---
>> drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>>diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>index 76d57c6b636a..bebe2bd6893b 100644
>>--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device
>>*pdev)
>> dev_err(&pdev->dev, "failed to get irq resource, falling back
>>to polling\n");
>> sema_init(&dev->irq_sem, 1);
>> dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
>>+ if (IS_ERR(dev->irq_thread)) {
>>+ dev_err(&pdev->dev, "failed to create vpu irq
>>thread\n");
>>+ ret = PTR_ERR(dev->irq_thread);
>>+ dev->irq_thread = NULL;
>>+ goto err_vdi_release;
>>+ }
>
>I also ran smatch locally but couldn't reproduce the warning.
>Could you share the exact test command you used ?
>
>That said, The fix looks correct to me.
>
>Acked-by: Nas Chung <nas.chung@xxxxxxxxxxxxxxx>
>
>Thanks.
>Nas.
>
>> hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>>CLOCK_MONOTONIC,
>> HRTIMER_MODE_REL_PINNED);
>> dev->worker = kthread_run_worker(0, "vpu_irq_thread");
>>--
>>2.43.0