* [PATCH] media: renesas: vsp1: fix CLU/LUT entity leaks upon pool allocation failure
@ 2026-06-04 7:36 Dawei Feng
2026-06-04 7:54 ` sashiko-bot
0 siblings, 1 reply; 2+ messages in thread
From: Dawei Feng @ 2026-06-04 7:36 UTC (permalink / raw)
To: Laurent Pinchart
Cc: Kieran Bingham, Mauro Carvalho Chehab, linux-media,
linux-renesas-soc, linux-kernel, jianhao.xu, Dawei Feng, stable,
Zilin Guan
In vsp1_clu_create() and vsp1_lut_create(), VSP1 entities are initialized
prior to allocating the body pools. If vsp1_dl_body_pool_create() fails,
both functions return -ENOMEM directly. This skips the necessary cleanup
for the already initialized entities, leading to resource leaks.
Fix this by introducing a common error label to consolidate the error
handling. Route the pool allocation failures to this label to ensure
vsp1_entity_destroy() is properly invoked.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that both bugs are still present
in v7.1-rc6.
An x86_64 allyesconfig build of vsp1_clu.o and vsp1_lut.o showed no new
warnings. As we do not have access to a Renesas R-Car system with a
VSP1 instance to test with, and no available emulated platform exposes
one, no runtime testing was able to be performed.
Fixes: 5d7936b8e27d ("media: vsp1: Convert display lists to use new body pool")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
drivers/media/platform/renesas/vsp1/vsp1_clu.c | 13 +++++++++----
drivers/media/platform/renesas/vsp1/vsp1_lut.c | 13 +++++++++----
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/drivers/media/platform/renesas/vsp1/vsp1_clu.c b/drivers/media/platform/renesas/vsp1/vsp1_clu.c
index 04c466c4da81..46b90c7b955a 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_clu.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_clu.c
@@ -236,8 +236,10 @@ struct vsp1_clu *vsp1_clu_create(struct vsp1_device *vsp1)
*/
clu->pool = vsp1_dl_body_pool_create(clu->entity.vsp1, 3, CLU_SIZE + 1,
0);
- if (!clu->pool)
- return ERR_PTR(-ENOMEM);
+ if (!clu->pool) {
+ ret = -ENOMEM;
+ goto error;
+ }
/* Initialize the control handler. */
v4l2_ctrl_handler_init(&clu->ctrls, 2);
@@ -249,11 +251,14 @@ struct vsp1_clu *vsp1_clu_create(struct vsp1_device *vsp1)
if (clu->ctrls.error) {
dev_err(vsp1->dev, "clu: failed to initialize controls\n");
ret = clu->ctrls.error;
- vsp1_entity_destroy(&clu->entity);
- return ERR_PTR(ret);
+ goto error;
}
v4l2_ctrl_handler_setup(&clu->ctrls);
return clu;
+
+error:
+ vsp1_entity_destroy(&clu->entity);
+ return ERR_PTR(ret);
}
diff --git a/drivers/media/platform/renesas/vsp1/vsp1_lut.c b/drivers/media/platform/renesas/vsp1/vsp1_lut.c
index 94bdedcc5c92..d508bcbc7a6e 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_lut.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_lut.c
@@ -195,8 +195,10 @@ struct vsp1_lut *vsp1_lut_create(struct vsp1_device *vsp1)
* both the queued and pending dl entries.
*/
lut->pool = vsp1_dl_body_pool_create(vsp1, 3, LUT_SIZE, 0);
- if (!lut->pool)
- return ERR_PTR(-ENOMEM);
+ if (!lut->pool) {
+ ret = -ENOMEM;
+ goto error;
+ }
/* Initialize the control handler. */
v4l2_ctrl_handler_init(&lut->ctrls, 1);
@@ -207,11 +209,14 @@ struct vsp1_lut *vsp1_lut_create(struct vsp1_device *vsp1)
if (lut->ctrls.error) {
dev_err(vsp1->dev, "lut: failed to initialize controls\n");
ret = lut->ctrls.error;
- vsp1_entity_destroy(&lut->entity);
- return ERR_PTR(ret);
+ goto error;
}
v4l2_ctrl_handler_setup(&lut->ctrls);
return lut;
+
+error:
+ vsp1_entity_destroy(&lut->entity);
+ return ERR_PTR(ret);
}
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] media: renesas: vsp1: fix CLU/LUT entity leaks upon pool allocation failure
2026-06-04 7:36 [PATCH] media: renesas: vsp1: fix CLU/LUT entity leaks upon pool allocation failure Dawei Feng
@ 2026-06-04 7:54 ` sashiko-bot
0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-04 7:54 UTC (permalink / raw)
To: Dawei Feng; +Cc: linux-media, wsa+renesas
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] vsp1_hgo_create() and vsp1_hgt_create() trigger a kernel oops if vsp1_entity_init() fails, due to an error pointer dereference in vsp1_entity_destroy().
--
commit e81aa1a80df0db63e68e1a79f5ff07f7bd58f096
Author: Dawei Feng <dawei.feng@seu.edu.cn>
media: renesas: vsp1: fix CLU/LUT entity leaks upon pool allocation failure
This commit fixes resource leaks in vsp1_clu_create() and vsp1_lut_create()
by consolidating error handling. If vsp1_dl_body_pool_create() or control
initialization fails, it now uses a common error label to properly invoke
vsp1_entity_destroy().
> diff --git a/drivers/media/platform/renesas/vsp1/vsp1_clu.c b/drivers/media/platform/renesas/vsp1/vsp1_clu.c
> index a6e4bcab5101a..b0b85a00957ac 100644
> --- a/drivers/media/platform/renesas/vsp1/vsp1_clu.c
> +++ b/drivers/media/platform/renesas/vsp1/vsp1_clu.c
[ ... ]
> @@ -248,11 +250,14 @@ struct vsp1_clu *vsp1_clu_create(struct vsp1_device *vsp1)
> if (clu->ctrls.error) {
> dev_err(vsp1->dev, "clu: failed to initialize controls\n");
> ret = clu->ctrls.error;
> - vsp1_entity_destroy(&clu->entity);
> - return ERR_PTR(ret);
> + goto error;
> }
>
> v4l2_ctrl_handler_setup(&clu->ctrls);
>
> return clu;
> +
> +error:
> + vsp1_entity_destroy(&clu->entity);
[Severity: High]
This is a pre-existing issue, but does calling vsp1_entity_destroy() risk
a kernel panic if the entity state is an error pointer?
In drivers/media/platform/renesas/vsp1/vsp1_entity.c:vsp1_entity_init(),
if state allocation fails, it assigns an ERR_PTR to entity->state:
drivers/media/platform/renesas/vsp1/vsp1_entity.c:vsp1_entity_init() {
...
entity->state = __v4l2_subdev_state_alloc(&entity->subdev,
"vsp1:state->lock", &key);
if (IS_ERR(entity->state)) {
media_entity_cleanup(&entity->subdev.entity);
return PTR_ERR(entity->state);
}
...
}
If vsp1_entity_destroy() is later called, it unconditionally frees the state:
drivers/media/platform/renesas/vsp1/vsp1_entity.c:vsp1_entity_destroy() {
...
__v4l2_subdev_state_free(entity->state);
...
}
However, __v4l2_subdev_state_free() only checks for NULL, not IS_ERR():
drivers/media/v4l2-core/v4l2-subdev.c:__v4l2_subdev_state_free() {
if (!state)
return;
mutex_destroy(&state->_lock);
...
}
This causes a blind dereference of the error pointer.
While this patch calls vsp1_entity_destroy() after vsp1_entity_init() has
succeeded (making the state pointer valid here), callers like vsp1_hgo_create()
and vsp1_hgt_create() handle vsp1_entity_init() failures by immediately calling
vsp1_entity_destroy().
Could this cause a crash if state allocation fails during probe?
> + return ERR_PTR(ret);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604073654.1365717-1-dawei.feng@seu.edu.cn?part=1
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-04 7:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-04 7:36 [PATCH] media: renesas: vsp1: fix CLU/LUT entity leaks upon pool allocation failure Dawei Feng
2026-06-04 7:54 ` sashiko-bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox