| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aYXvWnQTmC-Boos9@stanley.mountain>
Date: Fri, 6 Feb 2026 16:40:42 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Jackson Lee <jackson.lee@...psnmedia.com>
Cc: linux-media@...r.kernel.org,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: [bug report] media: chips-media: wave5: Fix Null reference while
testing fluster
[ Smatch checking is paused while we raise funding. #SadFace
https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
Hello Jackson Lee,
Commit e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference
while testing fluster") from Nov 19, 2025 (linux-next), leads to the
following Smatch static checker warning:
drivers/media/platform/chips-media/wave5/wave5-vpu.c:415 wave5_vpu_probe()
error: 'dev->irq_thread' dereferencing possible ERR_PTR()
drivers/media/platform/chips-media/wave5/wave5-vpu.c
261 static int wave5_vpu_probe(struct platform_device *pdev)
262 {
263 int ret;
264 struct vpu_device *dev;
265 const struct wave5_match_data *match_data;
266 u32 fw_revision;
267
268 match_data = device_get_match_data(&pdev->dev);
269 if (!match_data) {
270 dev_err(&pdev->dev, "missing device match data\n");
271 return -EINVAL;
272 }
273
274 /* physical addresses limited to 32 bits */
275 ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32));
276 if (ret) {
277 dev_err(&pdev->dev, "Failed to set DMA mask: %d\n", ret);
278 return ret;
279 }
280
281 dev = devm_kzalloc(&pdev->dev, sizeof(*dev), GFP_KERNEL);
282 if (!dev)
283 return -ENOMEM;
284
285 dev->vdb_register = devm_platform_ioremap_resource(pdev, 0);
286 if (IS_ERR(dev->vdb_register))
287 return PTR_ERR(dev->vdb_register);
288 ida_init(&dev->inst_ida);
289
290 mutex_init(&dev->dev_lock);
291 mutex_init(&dev->hw_lock);
292 mutex_init(&dev->irq_lock);
293 spin_lock_init(&dev->irq_spinlock);
294 dev_set_drvdata(&pdev->dev, dev);
295 dev->dev = &pdev->dev;
296
297 dev->resets = devm_reset_control_array_get_optional_exclusive(&pdev->dev);
298 if (IS_ERR(dev->resets)) {
299 return dev_err_probe(&pdev->dev, PTR_ERR(dev->resets),
300 "Failed to get reset control\n");
301 }
302
303 ret = reset_control_deassert(dev->resets);
304 if (ret)
305 return dev_err_probe(&pdev->dev, ret, "Failed to deassert resets\n");
306
307 ret = devm_clk_bulk_get_all(&pdev->dev, &dev->clks);
308
309 /* continue without clock, assume externally managed */
310 if (ret < 0) {
311 dev_warn(&pdev->dev, "Getting clocks, fail: %d\n", ret);
312 ret = 0;
313 }
314 dev->num_clks = ret;
315
316 ret = clk_bulk_prepare_enable(dev->num_clks, dev->clks);
317 if (ret) {
318 dev_err(&pdev->dev, "Enabling clocks, fail: %d\n", ret);
319 goto err_reset_assert;
320 }
321
322 dev->sram_pool = of_gen_pool_get(pdev->dev.of_node, "sram", 0);
323 if (!dev->sram_pool)
324 dev_warn(&pdev->dev, "sram node not found\n");
325
326 dev->sram_size = match_data->sram_size;
327
328 dev->product_code = wave5_vdi_read_register(dev, VPU_PRODUCT_CODE_REGISTER);
329 ret = wave5_vdi_init(&pdev->dev);
330 if (ret < 0) {
331 dev_err(&pdev->dev, "wave5_vdi_init, fail: %d\n", ret);
332 goto err_clk_dis;
333 }
334 dev->product = wave5_vpu_get_product_id(dev);
335
336 INIT_LIST_HEAD(&dev->instances);
337
338 dev->irq = platform_get_irq(pdev, 0);
339 if (dev->irq < 0) {
340 dev_err(&pdev->dev, "failed to get irq resource, falling back to polling\n");
341 sema_init(&dev->irq_sem, 1);
342 dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
Add error checking for if kthread_run() fails?
343 hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback, CLOCK_MONOTONIC,
344 HRTIMER_MODE_REL_PINNED);
345 dev->worker = kthread_run_worker(0, "vpu_irq_thread");
346 if (IS_ERR(dev->worker)) {
347 dev_err(&pdev->dev, "failed to create vpu irq worker\n");
348 ret = PTR_ERR(dev->worker);
349 goto err_vdi_release;
350 }
351 dev->vpu_poll_interval = vpu_poll_interval;
352 kthread_init_work(&dev->work, wave5_vpu_irq_work_fn);
353 } else {
354 ret = devm_request_threaded_irq(&pdev->dev, dev->irq, wave5_vpu_irq,
355 wave5_vpu_irq_thread, IRQF_ONESHOT, "vpu_irq", dev);
356 if (ret) {
357 dev_err(&pdev->dev, "Register interrupt handler, fail: %d\n", ret);
358 goto err_enc_unreg;
359 }
360 }
361
362 ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
363 if (ret) {
364 dev_err(&pdev->dev, "v4l2_device_register, fail: %d\n", ret);
365 goto err_irq_release;
366 }
367
368 if (match_data->flags & WAVE5_IS_DEC) {
369 ret = wave5_vpu_dec_register_device(dev);
370 if (ret) {
371 dev_err(&pdev->dev, "wave5_vpu_dec_register_device, fail: %d\n", ret);
372 goto err_v4l2_unregister;
373 }
374 }
375 if (match_data->flags & WAVE5_IS_ENC) {
376 ret = wave5_vpu_enc_register_device(dev);
377 if (ret) {
378 dev_err(&pdev->dev, "wave5_vpu_enc_register_device, fail: %d\n", ret);
379 goto err_dec_unreg;
380 }
381 }
382
383 ret = wave5_vpu_load_firmware(&pdev->dev, match_data->fw_name, &fw_revision);
384 if (ret) {
385 dev_err(&pdev->dev, "wave5_vpu_load_firmware, fail: %d\n", ret);
386 goto err_enc_unreg;
387 }
388
389 dev_info(&pdev->dev, "Added wave5 driver with caps: %s %s\n",
390 (match_data->flags & WAVE5_IS_ENC) ? "'ENCODE'" : "",
391 (match_data->flags & WAVE5_IS_DEC) ? "'DECODE'" : "");
392 dev_info(&pdev->dev, "Product Code: 0x%x\n", dev->product_code);
393 dev_info(&pdev->dev, "Firmware Revision: %u\n", fw_revision);
394
395 pm_runtime_set_autosuspend_delay(&pdev->dev, 500);
396 pm_runtime_use_autosuspend(&pdev->dev);
397 pm_runtime_enable(&pdev->dev);
398 wave5_vpu_sleep_wake(&pdev->dev, true, NULL, 0);
399
400 return 0;
401
402 err_enc_unreg:
403 if (match_data->flags & WAVE5_IS_ENC)
404 wave5_vpu_enc_unregister_device(dev);
405 err_dec_unreg:
406 if (match_data->flags & WAVE5_IS_DEC)
407 wave5_vpu_dec_unregister_device(dev);
408 err_v4l2_unregister:
409 v4l2_device_unregister(&dev->v4l2_dev);
410 err_irq_release:
411 if (dev->irq < 0)
412 kthread_destroy_worker(dev->worker);
413 err_vdi_release:
414 if (dev->irq_thread) {
--> 415 kthread_stop(dev->irq_thread);
416 up(&dev->irq_sem);
417 dev->irq_thread = NULL;
418 }
419 wave5_vdi_release(&pdev->dev);
420 err_clk_dis:
421 clk_bulk_disable_unprepare(dev->num_clks, dev->clks);
422 err_reset_assert:
423 reset_control_assert(dev->resets);
424
425 return ret;
426 }
regards,
dan carpenter
Powered by blists - more mailing lists