From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7DA1030FF36 for ; Mon, 8 Jun 2026 08:57:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780909032; cv=none; b=Lv5NC9ik8ZZXJ2DQXZWDj9+a6y7s6z2V097SHERYPRM9SNxX/bOWEhn/axDzom43GwEh+pshcJvVVGf/HfSRliqdkXB85Kn+09TxX0Yd/0642gFuIFlh70gpg3YCOoZNjB9uojDulkOW27rcpPTZDqpzopYQJSGg7JrhA8qMhS4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780909032; c=relaxed/simple; bh=uHwx7oWoa4XTCheIbH7hojpCwRp+2b5anJ2JJDHBHqw=; h=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date: Message-Id; b=jY7JLccy4DwEp3jzbE0NJdIhdJgEeaQ35ZlMRz+5loojGN440wrGKzT7nRBTc6NVWvINqOT/GNkoY0MYPbCgT6WYDQS4DI14PLKsx2UE2K332xgpvRJffBtr1Uav5n7ZQwXMWwVV5+rvylFnLhsyf0CVa4jRgvDLTxPSOTcqhn4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=nH0F36IE; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="nH0F36IE" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 04EB81F00893; Mon, 8 Jun 2026 08:57:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780909030; bh=1qlEzQ6jeemq4KP5+jOxeD4JPbn/N6MC38Ewn5nzhoI=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date; b=nH0F36IEJ/egvsfkg2cBACgl9xiWQN8YiQJdtmWTxgSE4Krvgirhuyhfk7qQf79W/ /9teVS9VDaMl5ZUm6ZLZpSbOO5ShW4ZXdOcOAbWWIpmjUuwmp2x/JwK5JzoIFH7Iqa t/taH16/flLm09P7VTJK38jYDTZowIkr4Vn5GX4Hq9WKK9oJylv/zugn3S8L9X7WKO vwhZ/UEtRywSgiW7f/42YpxifgMgkJTBylZ/QViHlitcFHDfNGvvDPkuSpJ2Kn4eHO jEZc8FIdr27VHEEK8NWsTblSIACnieBOcc1NptfxLR8CRcYhiUwQ8/fZYkFvEvXEWn BWuu/R1wNsfnQ== From: sashiko-bot@kernel.org Subject: Re: [PATCH] media: atomisp: Fix resource leak in atomisp_pci_probe() Reply-To: sashiko-reviews@lists.linux.dev To: "Dawei Feng" Cc: linux-media@vger.kernel.org In-Reply-To: <20260608082706.3287831-1-dawei.feng@seu.edu.cn> References: <20260608082706.3287831-1-dawei.feng@seu.edu.cn> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Mon, 08 Jun 2026 08:57:09 +0000 Message-Id: <20260608085710.04EB81F00893@smtp.kernel.org> Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Thank you for your contribution! Sashiko AI review found 1 potential issue(= s) to consider: Pre-existing issues: - [High] The v4l2 async notifier is never unregistered or cleaned up, leadi= ng to a memory leak of async subdevice connection objects and dangling noti= fiers resulting in a Use-After-Free. -- commit b7444e6b542badbafff9a7d15d5037c35782ba7c Author: Dawei Feng media: atomisp: Fix resource leak in atomisp_pci_probe() This commit fixes a resource leak by unregistering subdev entities if atomisp_register_entities() fails during atomisp_pci_probe(). > diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/s= taging/media/atomisp/pci/atomisp_v4l2.c > index 900a67552d6a0..d4e4e845f66e6 100644 > --- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c > +++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c > @@ -1401,6 +1401,7 @@ static int atomisp_pci_probe(struct pci_dev *pdev, = const struct pci_device_id *i > err =3D atomisp_register_entities(isp); > if (err < 0) { > dev_err(&pdev->dev, "atomisp_register_entities failed (%d)\n", err); > + atomisp_subdev_unregister_entities(&isp->asd); > goto error_uninitialize_modules; > } [Severity: High] This is a pre-existing issue, but while looking at the error paths being fixed here, is there also a memory leak and use-after-free risk related to the async notifier? In atomisp_pci_probe(), the notifier is registered via v4l2_async_nf_register(), adding it to the global notifier_list. However, the error paths and the driver teardown function atomisp_pci_remove() appear to entirely omit v4l2_async_nf_unregister() and v4l2_async_nf_cleanup(): drivers/staging/media/atomisp/pci/atomisp_v4l2.c:atomisp_pci_probe() { ... err =3D v4l2_async_nf_register(&isp->notifier); if (err) { dev_err(isp->dev, "failed to register async notifier : %d\n", err); goto error_unload_firmware; } return 0; error_unload_firmware: atomisp_pm_uninit(isp); ia_css_unload_firmware(); ... } Does this code permanently leak the memory allocated for async subdevices v= ia v4l2_async_nf_add_fwnode_remote() because cleanup is never called? Additionally, since the isp struct is allocated via devm_kzalloc(), could omitting the unregister call leave a dangling pointer in the global notifier_list when the driver is unloaded or when the probe fails, potentia= lly causing a use-after-free on subsequent list iterations? --=20 Sashiko AI review =C2=B7 https://sashiko.dev/#/patchset/20260608082706.3287= 831-1-dawei.feng@seu.edu.cn?part=3D1