Re: [PATCH] media: atomisp: fix UAF and memory leak in gc2335
From: Choi, Yuho
Date: Fri Mar 20 2026 - 10:18:24 EST
Thank you for the detailed feedback, and I apologize for the mangled patch. It appears my mail client configuration interfered with the formatting.
Also, I will review the Submitting Patches document and resend the patch.
Best regards,
Yuho Choi
> On Mar 20, 2026, at 4:18 AM, Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:
>
> On Thu, Mar 19, 2026 at 07:30:10PM +0000, Choi, Yuho wrote:
>> From: Yuho Choi <yqc5929@xxxxxxx>
>> Date: Wed, 18 Mar 2026 17:08:57 -0400
>> Subject: [PATCH] media: atomisp: gc2335: fix UAF and memory leak
>
> Make sure you understand the tools and how to properly send patches.
>
> Also note, your patch is mangled and may not be applied.
>
>> This commit addresses two potential resource management vulnerabilities
>
> Please, take your time to study Submitting Patches documentation,
> in particular on how to use imperative mode.
>
>> within the gc2235_probe function's error handling paths.
>
> As below, refer to the function as func():
>
> gc2235_probe()
>
>> 1. UAF: If media_entity_pads_init fails, the driver
>> invokes gc2235_remove(), which frees the 'dev' object.
>> The execution flow then inadvertently falls through to
>> atomisp_register_i2c_module(), dereferencing the freed 'dev' pointer.
>> 2. Memory Leak: If atomisp_register_i2c_module() fails, the function
>> returns the error code immediately without executing any teardown
>> routines. This leaves the 'dev' structure, v4l2 control handler,
>> and media entity permanently orphaned.
>>
>> This fix follows a standard goto-based teardown routine to ensure all
>> allocated resources are freed in reverse order.
>
> --
> With Best Regards,
> Andy Shevchenko
>
>
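The two error paths described in the quoted commit message, next to a goto-based unwind, as an added example that is not the atomisp driver code or the submitted patch. Every name here (`struct dev`, `pads_init`, `register_module`, `remove_all`, the fault-injection flags and the error values) is a hypothetical mock, and one static slot stands in for the allocation so that a stale access is counted rather than being real undefined behaviour.

```c
#include <stdio.h>
/* Mock resources (hypothetical names, not the atomisp code). One static slot
 * stands in for the allocation so a stale access is counted, not real UB. */
struct dev { int alive, ctrls, entity; };
static struct dev pool;
static int uaf_hits, fail_pads, fail_reg;   /* UAF counter, fault injection */
/* dev_alloc() models allocating dev and setting up its control handler. */
static struct dev *dev_alloc(void) { pool = (struct dev){1, 1, 0}; return &pool; }
static void dev_free(struct dev *d) { d->alive = 0; }
static int pads_init(struct dev *d) { if (fail_pads) return -12; d->entity = 1; return 0; }
static int register_module(struct dev *d) { uaf_hits += !d->alive; return fail_reg ? -5 : 0; }
static void remove_all(struct dev *d) { d->entity = d->ctrls = 0; dev_free(d); }
static int live(void) { return pool.alive + pool.ctrls + pool.entity; }

/* Error paths as the commit message describes them. */
static int probe_buggy(void) {
    struct dev *d = dev_alloc();
    if (pads_init(d))
        remove_all(d);                      /* frees dev, no return follows */
    return register_module(d);              /* stale dev; failure tears nothing down */
}

/* Goto-based teardown: release in reverse order of acquisition. */
static int probe_fixed(void) {
    struct dev *d = dev_alloc();
    int ret = pads_init(d);
    if (ret)
        goto err_ctrls;
    ret = register_module(d);
    if (ret)
        goto err_entity;
    return 0;
err_entity:
    d->entity = 0;
err_ctrls:
    d->ctrls = 0;
    dev_free(d);
    return ret;
}

static int run(int (*probe)(void), int fp, int fr) {
    fail_pads = fp; fail_reg = fr; uaf_hits = 0; return probe();
}
int main(void) {
    run(probe_buggy, 1, 0);
    printf("buggy, pads_init fails: uaf=%d\n", uaf_hits);
    run(probe_fixed, 0, 1);
    printf("fixed, register fails: live=%d\n", live());
    return 0;
}
```

In the mock, the buggy path also returns success after the pad initialisation failure, because the only value returned is the one from the registration call.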