[PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Alper Ak]

The kthread_run() function returns either a valid task_struct pointer
or ERR_PTR() on failure. The return value was not checked and in the
error cleanup path, the code verifies if dev->irq_thread is non NULL
before calling kthread_stop(). Since ERR_PTR() values are non NULL,
this would result in passing an error pointer to kthread_stop(),
causing a kernel panic.

Add proper IS_ERR() check after kthread_run(), log the error, set
dev->irq_thread to NULL and fail the probe to prevent the driver
from operating in a broken state.

Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while testing fluster")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
---
 drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
index 76d57c6b636a..bebe2bd6893b 100644
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device *pdev)
 		dev_err(&pdev->dev, "failed to get irq resource, falling back to polling\n");
 		sema_init(&dev->irq_sem, 1);
 		dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
+		if (IS_ERR(dev->irq_thread)) {
+			dev_err(&pdev->dev, "failed to create vpu irq thread\n");
+			ret = PTR_ERR(dev->irq_thread);
+			dev->irq_thread = NULL;
+			goto err_vdi_release;
+		}
 		hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback, CLOCK_MONOTONIC,
 			      HRTIMER_MODE_REL_PINNED);
 		dev->worker = kthread_run_worker(0, "vpu_irq_thread");
-- 
2.43.0

RE: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Nas Chung]

Hi, Alper.

Thanks for the patch.

>-----Original Message-----
>From: Alper Ak <alperyasinak1@gmail.com>
>Sent: Saturday, February 7, 2026 7:32 PM
>To: Nas Chung <nas.chung@chipsnmedia.com>; jackson.lee
><jackson.lee@chipsnmedia.com>
>Cc: Mauro Carvalho Chehab <mchehab@kernel.org>; Nicolas Dufresne
><nicolas.dufresne@collabora.com>; Hans Verkuil <hverkuil+cisco@kernel.org>;
>linux-media@vger.kernel.org; linux-kernel@vger.kernel.org; Alper Ak
><alperyasinak1@gmail.com>
>Subject: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
>
>The kthread_run() function returns either a valid task_struct pointer
>or ERR_PTR() on failure. The return value was not checked and in the
>error cleanup path, the code verifies if dev->irq_thread is non NULL
>before calling kthread_stop(). Since ERR_PTR() values are non NULL,
>this would result in passing an error pointer to kthread_stop(),
>causing a kernel panic.
>
>Add proper IS_ERR() check after kthread_run(), log the error, set
>dev->irq_thread to NULL and fail the probe to prevent the driver
>from operating in a broken state.
>
>Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while
>testing fluster")
>Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
>---
> drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>index 76d57c6b636a..bebe2bd6893b 100644
>--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device
>*pdev)
> 		dev_err(&pdev->dev, "failed to get irq resource, falling back
>to polling\n");
> 		sema_init(&dev->irq_sem, 1);
> 		dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
>+		if (IS_ERR(dev->irq_thread)) {
>+			dev_err(&pdev->dev, "failed to create vpu irq
>thread\n");
>+			ret = PTR_ERR(dev->irq_thread);
>+			dev->irq_thread = NULL;
>+			goto err_vdi_release;
>+		}

I also ran smatch locally but couldn't reproduce the warning.
Could you share the exact test command you used ?

That said, The fix looks correct to me.

Acked-by: Nas Chung <nas.chung@chipsnmedia.com>

Thanks.
Nas.

> 		hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>CLOCK_MONOTONIC,
> 			      HRTIMER_MODE_REL_PINNED);
> 		dev->worker = kthread_run_worker(0, "vpu_irq_thread");
>--
>2.43.0

RE: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Nas Chung]

Hi, Alper.

>-----Original Message-----
>From: Alper Ak <alperyasinak1@gmail.com> 
>Sent: Wednesday, February 11, 2026 6:42 PM
>To: Nas Chung <nas.chung@chipsnmedia.com>
>Cc: jackson.lee <jackson.lee@chipsnmedia.com>; Mauro Carvalho Chehab 
><mchehab@kernel.org>; Nicolas Dufresne <nicolas.dufresne@collabora.com>; 
>Hans Verkuil <hverkuil+cisco@kernel.org>; linux-media@vger.kernel.org; 
>linux-kernel@vger.kernel.org
>Subject: Re: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR 
>deference
>
>Hi,
>
>I usually run smatch with the kernel cross function database enabled. It 
>collects return value propagation, function call relationships, assignments,
>etc. The database is incremental and grows over multiple rebuilds.
>
>The steps I used were:
>• Build the database:
>~/smatch/smatch_scripts/build_kernel_data.sh
>• Run smatch on the whole kernel:
>~/smatch/smatch_scripts/test_kernel.sh

Thanks for the test command.

>After applying the fix, I verified that the warning was gone with:
>
>~/smatch/smatch_scripts/kchecker drivers/whatever/file.c

I reproduced the issue with the same command, and this patch fixes it.

Tested-by: Nas Chung <nas.chung@chipsnmedia.com>

Thanks.
Nas.

>
>If smatch is run directly on a single file without building the database 
>first, the warning might not be reproduced.
>Best regards,
>Alper Ak
>
>
>Nas Chung <nas.chung@chipsnmedia.com>, 11 Şub 2026 Çar, 12:12 tarihinde 
>şunu yazdı:
>Hi, Alper.
>
>Thanks for the patch.
>
>>-----Original Message-----
>>From: Alper Ak <alperyasinak1@gmail.com>
>>Sent: Saturday, February 7, 2026 7:32 PM
>>To: Nas Chung <nas.chung@chipsnmedia.com>; jackson.lee
>><jackson.lee@chipsnmedia.com>
>>Cc: Mauro Carvalho Chehab <mchehab@kernel.org>; Nicolas Dufresne
>><nicolas.dufresne@collabora.com>; Hans Verkuil <hverkuil+cisco@kernel.org>;
>>linux-media@vger.kernel.org; linux-kernel@vger.kernel.org; Alper Ak
>><alperyasinak1@gmail.com>
>>Subject: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference
>>
>>The kthread_run() function returns either a valid task_struct pointer
>>or ERR_PTR() on failure. The return value was not checked and in the
>>error cleanup path, the code verifies if dev->irq_thread is non NULL
>>before calling kthread_stop(). Since ERR_PTR() values are non NULL,
>>this would result in passing an error pointer to kthread_stop(),
>>causing a kernel panic.
>>
>>Add proper IS_ERR() check after kthread_run(), log the error, set
>>dev->irq_thread to NULL and fail the probe to prevent the driver
>>from operating in a broken state.
>>
>>Fixes: e66ff2b08e4e ("media: chips-media: wave5: Fix Null reference while
>>testing fluster")
>>Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
>>---
>> drivers/media/platform/chips-media/wave5/wave5-vpu.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>>diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>index 76d57c6b636a..bebe2bd6893b 100644
>>--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
>>@@ -340,6 +340,12 @@ static int wave5_vpu_probe(struct platform_device
>>*pdev)
>>               dev_err(&pdev->dev, "failed to get irq resource, falling back
>>to polling\n");
>>               sema_init(&dev->irq_sem, 1);
>>               dev->irq_thread = kthread_run(irq_thread, dev, "irq thread");
>>+              if (IS_ERR(dev->irq_thread)) {
>>+                      dev_err(&pdev->dev, "failed to create vpu irq
>>thread\n");
>>+                      ret = PTR_ERR(dev->irq_thread);
>>+                      dev->irq_thread = NULL;
>>+                      goto err_vdi_release;
>>+              }
>
>I also ran smatch locally but couldn't reproduce the warning.
>Could you share the exact test command you used ?
>
>That said, The fix looks correct to me.
>
>Acked-by: Nas Chung <nas.chung@chipsnmedia.com>
>
>Thanks.
>Nas.
>
>>               hrtimer_setup(&dev->hrtimer, &wave5_vpu_timer_callback,
>>CLOCK_MONOTONIC,
>>                             HRTIMER_MODE_REL_PINNED);
>>               dev->worker = kthread_run_worker(0, "vpu_irq_thread");
>>--
>>2.43.0

Re: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Markus Elfring]

…
> or ERR_PTR() on failure. The return value was not checked and in the

     error pointer

…
> Add proper IS_ERR() check after kthread_run(), log the error, set
> dev->irq_thread to NULL and fail the probe to prevent the driver
> from operating in a broken state.
…

See also once more:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.19#n34


Would a summary phrase like “Prevent error pointer dereference in wave5_vpu_probe()”
be more appropriate?

Regards,
Markus

Re: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Alper Ak]

Hello everyone, look like this patch hasn't been applied. Did I miss
something I needed to do to get it applied? If there is anything I
need to do, please let me know.

Markus Elfring <Markus.Elfring@web.de>, 13 Şub 2026 Cum, 14:38
tarihinde şunu yazdı:
>
> …
> > or ERR_PTR() on failure. The return value was not checked and in the
>
>      error pointer
>
> …
> > Add proper IS_ERR() check after kthread_run(), log the error, set
> > dev->irq_thread to NULL and fail the probe to prevent the driver
> > from operating in a broken state.
> …
>
> See also once more:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.19#n34
>
>
> Would a summary phrase like “Prevent error pointer dereference in wave5_vpu_probe()”
> be more appropriate?
>
> Regards,
> Markus

Re: media: chips-media: wave5: Fix possible ERR_PTR deference

[Markus Elfring]

> Hello everyone, look like this patch hasn't been applied. Did I miss
> something I needed to do to get it applied? If there is anything I
> need to do, please let me know.

* Would you like to avoid a typo in the summary phrase?

* Will any patch review concerns get more attention?


Regards,
Markus

Re: [PATCH] media: chips-media: wave5: Fix possible ERR_PTR deference

[Nicolas Dufresne]

[-- Attachment #1: Type: text/plain, Size: 1382 bytes --]

Hi,

Le vendredi 06 mars 2026 à 09:32 +0300, Alper Ak a écrit :
> Hello everyone, look like this patch hasn't been applied. Did I miss
> something I needed to do to get it applied? If there is anything I
> need to do, please let me know.

You received an Ack from the maintainer, and got a tested buy. But the patch has
been submitted while the merge window was closed, which is fine, but means there
is a small delay. It should be processed within the next two weeks. Your subject
suggest a theoretical bug, so it has not be been prioritized over other patches
in the queue.

regards,
Nicolas

> 
> Markus Elfring <Markus.Elfring@web.de>, 13 Şub 2026 Cum, 14:38
> tarihinde şunu yazdı:
> > 
> > …
> > > or ERR_PTR() on failure. The return value was not checked and in the
> > 
> >      error pointer
> > 
> > …
> > > Add proper IS_ERR() check after kthread_run(), log the error, set
> > > dev->irq_thread to NULL and fail the probe to prevent the driver
> > > from operating in a broken state.
> > …
> > 
> > See also once more:
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.19#n34
> > 
> > 
> > Would a summary phrase like “Prevent error pointer dereference in
> > wave5_vpu_probe()”
> > be more appropriate?
> > 
> > Regards,
> > Markus

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 228 bytes --]