| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260207103224.609938-1-alperyasinak1@gmail.com>
Date: Sat, 7 Feb 2026 13:32:24 +0300
From: Alper Ak <alperyasinak1@...il.com>
To: Nas Chung <nas.chung@...psnmedia.com>,
Jackson Lee <jackson.lee@...psnmedia.com>
Cc: Mauro Carvalho Chehab <mchehab@...nel.org>,
Nicolas Dufresne <nicolas.dufresne@...labora.com>,
Hans Verkuil <hverkuil+cisco@...nel.org>,
linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org,
Alper Ak <alperyasinak1@...il.com>
Subject: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
The kthread_run() function returns either a valid task_struct pointer
or ERR_PTR() on failure. The return value was not checked and in the
error cleanup path, the code verifies if dev->irq_thread is non NULL
before calling kthread_stop(). Since ERR_PTR() values are non NULL,
this would result in passing an error pointer to kthread_stop(),
causing a kernel panic.
Add proper IS_ERR() check after kthread_run(), log the error, set
dev->irq_thread to NULL and fail the probe to prevent the driver
from operating in a broken state.
Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while testing fluster")
Signed-off-by: Alper Ak <alperyasinak1@...il.com>
---
drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
index 76d57c6b636a..bebe2bd6893b 100644
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device *pdev)
dev_err(&pdev->dev, "failed to get irq resource, falling back to polling\n");
sema_init(&dev->irq_sem, 1);
dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
+ if (IS_ERR(dev->irq_thread)) {
+ dev_err(&pdev->dev, "failed to create vpu irq thread\n");
+ ret = PTR_ERR(dev->irq_thread);
+ dev->irq_thread = NULL;
+ goto err_vdi_release;
+ }
hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback, CLOCK_MONOTONIC,
HRTIMER_MODE_REL_PINNED);
dev->worker = kthread_run_worker(0, "vpu_irq_thread");
--
2.43.0
Powered by blists - more mailing lists