Re: [PATCH] media: atomisp: fix UAF and memory leak in gc2335

Next message: Vladimir Oltean: "Re: [PATCH v5 phy-next 09/27] scsi: ufs: exynos: stop poking into struct phy guts"
Previous message: yunje shin: "Re: [PATCH v2] nvmet: auth: validate dhchap id list lengths"
Next in thread: Choi, Yuho: "Re: [PATCH] media: atomisp: fix UAF and memory leak in gc2335"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Fri Mar 20 2026 - 04:22:04 EST

On Thu, Mar 19, 2026 at 07:30:10PM +0000, Choi, Yuho wrote:
> From: Yuho Choi <yqc5929@xxxxxxx>
> Date: Wed, 18 Mar 2026 17:08:57 -0400
> Subject: [PATCH] media: atomisp: gc2335: fix UAF and memory leak

Make sure you understand the tools and how properly to send patches

Also note, your patch is mangled and may not be applied.

> This commit addresses two potential resource management vulnerabilities

Please, take your time to study Submitting Patches documentation,
in particular on how to use imperative mode.

> within the gc2235_probe function's error handling paths.

As below refer to the function as func():

gc2235_probe()

> 1. UAF: If media_entity_pads_init fails, the driver
> invokes gc2235_remove(), which frees the 'dev' object.
> The execution flow then inadvertently fails through to
> atomis_register_i2c_module(), dereferencing the freed 'dev' pointer.
> 2. Memory Leak: If atomisp_register_i2c_module() fails, the function
> returns the error code immediately without executing any teardown
> routines. This leavs the 'dev' structure, v4l2 control handler,
> and media entity permanently orphaned.
>
> This fix follows a standard goto-based teadown routines to ensure all
> allocated resources are freed in reverse order.

--
With Best Regards,
Andy Shevchenko