* [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
@ 2026-04-30 5:38 Guangshuo Li
2026-05-03 8:26 ` kernel test robot
2026-05-03 14:51 ` kernel test robot
0 siblings, 2 replies; 4+ messages in thread
From: Guangshuo Li @ 2026-04-30 5:38 UTC (permalink / raw)
To: Sakari Ailus, Bingbu Cao, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Hans Verkuil, linux-media, linux-staging,
linux-kernel
Cc: Guangshuo Li
ipu7_bus_initialize_device() stores the caller allocated pdata pointer in
adev->pdata and installs ipu7_bus_release() as the device release callback.
After auxiliary_device_init() succeeds, pdata is released by
ipu7_bus_release().
The isys and psys init error paths still call kfree(pdata) after
put_device() or after ipu7_bus_add_device() fails. In both cases the
auxiliary device release callback has already been invoked, so pdata has
already been freed through adev->pdata.
Remove the duplicate kfree(pdata) calls. Also cache the MMU init error
before calling put_device(), since put_device() may release the auxiliary
device container.
This issue was found by a static analysis tool I am developing.
Fixes: b7fe4c0019b1 ("media: staging/ipu7: add Intel IPU7 PCI device driver")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/staging/media/ipu7/ipu7.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/staging/media/ipu7/ipu7.c b/drivers/staging/media/ipu7/ipu7.c
index c771e763f8c5..069f0238c8cf 100644
--- a/drivers/staging/media/ipu7/ipu7.c
+++ b/drivers/staging/media/ipu7/ipu7.c
@@ -2169,21 +2169,19 @@ ipu7_isys_init(struct pci_dev *pdev, struct device *parent,
isys_adev->mmu = ipu7_mmu_init(dev, base, ISYS_MMID,
&ipdata->hw_variant);
if (IS_ERR(isys_adev->mmu)) {
- dev_err_probe(dev, PTR_ERR(isys_adev->mmu),
+ ret = PTR_ERR(isys_adev->mmu);
+ dev_err_probe(dev, ret,
"ipu7_mmu_init(isys_adev->mmu) failed\n");
put_device(&isys_adev->auxdev.dev);
- kfree(pdata);
- return ERR_CAST(isys_adev->mmu);
+ return ERR_CAST(ret);
}
isys_adev->mmu->dev = &isys_adev->auxdev.dev;
isys_adev->subsys = IPU_IS;
ret = ipu7_bus_add_device(isys_adev);
- if (ret) {
- kfree(pdata);
+ if (ret)
return ERR_PTR(ret);
- }
return isys_adev;
}
@@ -2216,21 +2214,19 @@ ipu7_psys_init(struct pci_dev *pdev, struct device *parent,
psys_adev->mmu = ipu7_mmu_init(&pdev->dev, base, PSYS_MMID,
&ipdata->hw_variant);
if (IS_ERR(psys_adev->mmu)) {
- dev_err_probe(&pdev->dev, PTR_ERR(psys_adev->mmu),
+ ret = PTR_ERR(psys_adev->mmu);
+ dev_err_probe(&pdev->dev, ret,
"ipu7_mmu_init(psys_adev->mmu) failed\n");
put_device(&psys_adev->auxdev.dev);
- kfree(pdata);
- return ERR_CAST(psys_adev->mmu);
+ return ERR_CAST(ret);
}
psys_adev->mmu->dev = &psys_adev->auxdev.dev;
psys_adev->subsys = IPU_PS;
ret = ipu7_bus_add_device(psys_adev);
- if (ret) {
- kfree(pdata);
+ if (ret)
return ERR_PTR(ret);
- }
return psys_adev;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
2026-04-30 5:38 [PATCH] media: staging/ipu7: Fix pdata double free in init error paths Guangshuo Li
@ 2026-05-03 8:26 ` kernel test robot
2026-05-03 14:51 ` kernel test robot
1 sibling, 0 replies; 4+ messages in thread
From: kernel test robot @ 2026-05-03 8:26 UTC (permalink / raw)
To: Guangshuo Li, Sakari Ailus, Bingbu Cao, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Hans Verkuil, linux-staging, linux-kernel
Cc: llvm, oe-kbuild-all, linux-media, Guangshuo Li
Hi Guangshuo,
kernel test robot noticed the following build errors:
[auto build test ERROR on staging/staging-testing]
url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-staging-ipu7-Fix-pdata-double-free-in-init-error-paths/20260501-032323
base: staging/staging-testing
patch link: https://lore.kernel.org/r/20260430053820.446080-1-lgs201920130244%40gmail.com
patch subject: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
config: x86_64-randconfig-076-20260503 (https://download.01.org/0day-ci/archive/20260503/202605031607.jGN5iKun-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605031607.jGN5iKun-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605031607.jGN5iKun-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/staging/media/ipu7/ipu7.c:2176:19: error: incompatible integer to pointer conversion passing 'int' to parameter of type 'const void *' [-Wint-conversion]
2176 | return ERR_CAST(ret);
| ^~~
include/linux/err.h:102:64: note: passing argument to parameter 'ptr' here
102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
| ^
drivers/staging/media/ipu7/ipu7.c:2221:19: error: incompatible integer to pointer conversion passing 'int' to parameter of type 'const void *' [-Wint-conversion]
2221 | return ERR_CAST(ret);
| ^~~
include/linux/err.h:102:64: note: passing argument to parameter 'ptr' here
102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
| ^
2 errors generated.
vim +2176 drivers/staging/media/ipu7/ipu7.c
2125
2126 static struct ipu7_bus_device *
2127 ipu7_isys_init(struct pci_dev *pdev, struct device *parent,
2128 const struct ipu_buttress_ctrl *ctrl, void __iomem *base,
2129 const struct ipu_isys_internal_pdata *ipdata,
2130 unsigned int nr)
2131 {
2132 struct fwnode_handle *fwnode = dev_fwnode(&pdev->dev);
2133 struct ipu7_bus_device *isys_adev;
2134 struct device *dev = &pdev->dev;
2135 struct ipu7_isys_pdata *pdata;
2136 int ret;
2137
2138 ret = ipu7_isys_check_fwnode_graph(fwnode);
2139 if (ret) {
2140 if (fwnode && !IS_ERR_OR_NULL(fwnode->secondary)) {
2141 dev_err(dev,
2142 "fwnode graph has no endpoints connection\n");
2143 return ERR_PTR(-EINVAL);
2144 }
2145
2146 ret = ipu_bridge_init(dev, ipu_bridge_parse_ssdb);
2147 if (ret) {
2148 dev_err_probe(dev, ret, "IPU bridge init failed\n");
2149 return ERR_PTR(ret);
2150 }
2151 }
2152
2153 pdata = kzalloc_obj(*pdata);
2154 if (!pdata)
2155 return ERR_PTR(-ENOMEM);
2156
2157 pdata->base = base;
2158 pdata->ipdata = ipdata;
2159
2160 isys_adev = ipu7_bus_initialize_device(pdev, parent, pdata, ctrl,
2161 IPU_ISYS_NAME);
2162 if (IS_ERR(isys_adev)) {
2163 dev_err_probe(dev, PTR_ERR(isys_adev),
2164 "ipu7_bus_initialize_device isys failed\n");
2165 kfree(pdata);
2166 return ERR_CAST(isys_adev);
2167 }
2168
2169 isys_adev->mmu = ipu7_mmu_init(dev, base, ISYS_MMID,
2170 &ipdata->hw_variant);
2171 if (IS_ERR(isys_adev->mmu)) {
2172 ret = PTR_ERR(isys_adev->mmu);
2173 dev_err_probe(dev, ret,
2174 "ipu7_mmu_init(isys_adev->mmu) failed\n");
2175 put_device(&isys_adev->auxdev.dev);
> 2176 return ERR_CAST(ret);
2177 }
2178
2179 isys_adev->mmu->dev = &isys_adev->auxdev.dev;
2180 isys_adev->subsys = IPU_IS;
2181
2182 ret = ipu7_bus_add_device(isys_adev);
2183 if (ret)
2184 return ERR_PTR(ret);
2185
2186 return isys_adev;
2187 }
2188
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
2026-04-30 5:38 [PATCH] media: staging/ipu7: Fix pdata double free in init error paths Guangshuo Li
2026-05-03 8:26 ` kernel test robot
@ 2026-05-03 14:51 ` kernel test robot
2026-05-04 12:48 ` Guangshuo Li
1 sibling, 1 reply; 4+ messages in thread
From: kernel test robot @ 2026-05-03 14:51 UTC (permalink / raw)
To: Guangshuo Li, Sakari Ailus, Bingbu Cao, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Hans Verkuil, linux-staging, linux-kernel
Cc: oe-kbuild-all, linux-media, Guangshuo Li
Hi Guangshuo,
kernel test robot noticed the following build errors:
[auto build test ERROR on staging/staging-testing]
url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-staging-ipu7-Fix-pdata-double-free-in-init-error-paths/20260501-032323
base: staging/staging-testing
patch link: https://lore.kernel.org/r/20260430053820.446080-1-lgs201920130244%40gmail.com
patch subject: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
config: i386-allyesconfig (https://download.01.org/0day-ci/archive/20260503/202605032224.WHCEx7uc-lkp@intel.com/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605032224.WHCEx7uc-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605032224.WHCEx7uc-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/staging/media/ipu7/ipu7.c: In function 'ipu7_isys_init':
>> drivers/staging/media/ipu7/ipu7.c:2176:33: error: passing argument 1 of 'ERR_CAST' makes pointer from integer without a cast [-Wint-conversion]
2176 | return ERR_CAST(ret);
| ^~~
| |
| int
In file included from include/linux/cleanup.h:6,
from include/linux/acpi.h:11,
from drivers/staging/media/ipu7/ipu7.c:6:
include/linux/err.h:102:64: note: expected 'const void *' but argument is of type 'int'
102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
| ~~~~~~~~~~~~^~~
drivers/staging/media/ipu7/ipu7.c: In function 'ipu7_psys_init':
drivers/staging/media/ipu7/ipu7.c:2221:33: error: passing argument 1 of 'ERR_CAST' makes pointer from integer without a cast [-Wint-conversion]
2221 | return ERR_CAST(ret);
| ^~~
| |
| int
include/linux/err.h:102:64: note: expected 'const void *' but argument is of type 'int'
102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
| ~~~~~~~~~~~~^~~
vim +/ERR_CAST +2176 drivers/staging/media/ipu7/ipu7.c
2125
2126 static struct ipu7_bus_device *
2127 ipu7_isys_init(struct pci_dev *pdev, struct device *parent,
2128 const struct ipu_buttress_ctrl *ctrl, void __iomem *base,
2129 const struct ipu_isys_internal_pdata *ipdata,
2130 unsigned int nr)
2131 {
2132 struct fwnode_handle *fwnode = dev_fwnode(&pdev->dev);
2133 struct ipu7_bus_device *isys_adev;
2134 struct device *dev = &pdev->dev;
2135 struct ipu7_isys_pdata *pdata;
2136 int ret;
2137
2138 ret = ipu7_isys_check_fwnode_graph(fwnode);
2139 if (ret) {
2140 if (fwnode && !IS_ERR_OR_NULL(fwnode->secondary)) {
2141 dev_err(dev,
2142 "fwnode graph has no endpoints connection\n");
2143 return ERR_PTR(-EINVAL);
2144 }
2145
2146 ret = ipu_bridge_init(dev, ipu_bridge_parse_ssdb);
2147 if (ret) {
2148 dev_err_probe(dev, ret, "IPU bridge init failed\n");
2149 return ERR_PTR(ret);
2150 }
2151 }
2152
2153 pdata = kzalloc_obj(*pdata);
2154 if (!pdata)
2155 return ERR_PTR(-ENOMEM);
2156
2157 pdata->base = base;
2158 pdata->ipdata = ipdata;
2159
2160 isys_adev = ipu7_bus_initialize_device(pdev, parent, pdata, ctrl,
2161 IPU_ISYS_NAME);
2162 if (IS_ERR(isys_adev)) {
2163 dev_err_probe(dev, PTR_ERR(isys_adev),
2164 "ipu7_bus_initialize_device isys failed\n");
2165 kfree(pdata);
2166 return ERR_CAST(isys_adev);
2167 }
2168
2169 isys_adev->mmu = ipu7_mmu_init(dev, base, ISYS_MMID,
2170 &ipdata->hw_variant);
2171 if (IS_ERR(isys_adev->mmu)) {
2172 ret = PTR_ERR(isys_adev->mmu);
2173 dev_err_probe(dev, ret,
2174 "ipu7_mmu_init(isys_adev->mmu) failed\n");
2175 put_device(&isys_adev->auxdev.dev);
> 2176 return ERR_CAST(ret);
2177 }
2178
2179 isys_adev->mmu->dev = &isys_adev->auxdev.dev;
2180 isys_adev->subsys = IPU_IS;
2181
2182 ret = ipu7_bus_add_device(isys_adev);
2183 if (ret)
2184 return ERR_PTR(ret);
2185
2186 return isys_adev;
2187 }
2188
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
2026-05-03 14:51 ` kernel test robot
@ 2026-05-04 12:48 ` Guangshuo Li
0 siblings, 0 replies; 4+ messages in thread
From: Guangshuo Li @ 2026-05-04 12:48 UTC (permalink / raw)
To: kernel test robot
Cc: Sakari Ailus, Bingbu Cao, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Hans Verkuil, linux-staging, linux-kernel,
oe-kbuild-all, linux-media
Hi kernel test robot,
Thanks for the report.
On Sun, 3 May 2026 at 22:52, kernel test robot <lkp@intel.com> wrote:
>
> Hi Guangshuo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on staging/staging-testing]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/media-staging-ipu7-Fix-pdata-double-free-in-init-error-paths/20260501-032323
> base: staging/staging-testing
> patch link: https://lore.kernel.org/r/20260430053820.446080-1-lgs201920130244%40gmail.com
> patch subject: [PATCH] media: staging/ipu7: Fix pdata double free in init error paths
> config: i386-allyesconfig (https://download.01.org/0day-ci/archive/20260503/202605032224.WHCEx7uc-lkp@intel.com/config)
> compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260503/202605032224.WHCEx7uc-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202605032224.WHCEx7uc-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> drivers/staging/media/ipu7/ipu7.c: In function 'ipu7_isys_init':
> >> drivers/staging/media/ipu7/ipu7.c:2176:33: error: passing argument 1 of 'ERR_CAST' makes pointer from integer without a cast [-Wint-conversion]
> 2176 | return ERR_CAST(ret);
> | ^~~
> | |
> | int
> In file included from include/linux/cleanup.h:6,
> from include/linux/acpi.h:11,
> from drivers/staging/media/ipu7/ipu7.c:6:
> include/linux/err.h:102:64: note: expected 'const void *' but argument is of type 'int'
> 102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
> | ~~~~~~~~~~~~^~~
> drivers/staging/media/ipu7/ipu7.c: In function 'ipu7_psys_init':
> drivers/staging/media/ipu7/ipu7.c:2221:33: error: passing argument 1 of 'ERR_CAST' makes pointer from integer without a cast [-Wint-conversion]
> 2221 | return ERR_CAST(ret);
> | ^~~
> | |
> | int
> include/linux/err.h:102:64: note: expected 'const void *' but argument is of type 'int'
> 102 | static inline void * __must_check ERR_CAST(__force const void *ptr)
> | ~~~~~~~~~~~~^~~
>
>
> vim +/ERR_CAST +2176 drivers/staging/media/ipu7/ipu7.c
>
> 2125
> 2126 static struct ipu7_bus_device *
> 2127 ipu7_isys_init(struct pci_dev *pdev, struct device *parent,
> 2128 const struct ipu_buttress_ctrl *ctrl, void __iomem *base,
> 2129 const struct ipu_isys_internal_pdata *ipdata,
> 2130 unsigned int nr)
> 2131 {
> 2132 struct fwnode_handle *fwnode = dev_fwnode(&pdev->dev);
> 2133 struct ipu7_bus_device *isys_adev;
> 2134 struct device *dev = &pdev->dev;
> 2135 struct ipu7_isys_pdata *pdata;
> 2136 int ret;
> 2137
> 2138 ret = ipu7_isys_check_fwnode_graph(fwnode);
> 2139 if (ret) {
> 2140 if (fwnode && !IS_ERR_OR_NULL(fwnode->secondary)) {
> 2141 dev_err(dev,
> 2142 "fwnode graph has no endpoints connection\n");
> 2143 return ERR_PTR(-EINVAL);
> 2144 }
> 2145
> 2146 ret = ipu_bridge_init(dev, ipu_bridge_parse_ssdb);
> 2147 if (ret) {
> 2148 dev_err_probe(dev, ret, "IPU bridge init failed\n");
> 2149 return ERR_PTR(ret);
> 2150 }
> 2151 }
> 2152
> 2153 pdata = kzalloc_obj(*pdata);
> 2154 if (!pdata)
> 2155 return ERR_PTR(-ENOMEM);
> 2156
> 2157 pdata->base = base;
> 2158 pdata->ipdata = ipdata;
> 2159
> 2160 isys_adev = ipu7_bus_initialize_device(pdev, parent, pdata, ctrl,
> 2161 IPU_ISYS_NAME);
> 2162 if (IS_ERR(isys_adev)) {
> 2163 dev_err_probe(dev, PTR_ERR(isys_adev),
> 2164 "ipu7_bus_initialize_device isys failed\n");
> 2165 kfree(pdata);
> 2166 return ERR_CAST(isys_adev);
> 2167 }
> 2168
> 2169 isys_adev->mmu = ipu7_mmu_init(dev, base, ISYS_MMID,
> 2170 &ipdata->hw_variant);
> 2171 if (IS_ERR(isys_adev->mmu)) {
> 2172 ret = PTR_ERR(isys_adev->mmu);
> 2173 dev_err_probe(dev, ret,
> 2174 "ipu7_mmu_init(isys_adev->mmu) failed\n");
> 2175 put_device(&isys_adev->auxdev.dev);
> > 2176 return ERR_CAST(ret);
> 2177 }
> 2178
> 2179 isys_adev->mmu->dev = &isys_adev->auxdev.dev;
> 2180 isys_adev->subsys = IPU_IS;
> 2181
> 2182 ret = ipu7_bus_add_device(isys_adev);
> 2183 if (ret)
> 2184 return ERR_PTR(ret);
> 2185
> 2186 return isys_adev;
> 2187 }
> 2188
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
The build failure is caused by my use of ERR_CAST(ret) after caching
PTR_ERR(isys_adev->mmu) / PTR_ERR(psys_adev->mmu) into the integer variable
ret. ERR_CAST() expects an error pointer, not an integer error code.
I will fix this in v2 by returning ERR_PTR(ret) instead.
Thanks,
Guangshuo
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-04 12:48 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-30 5:38 [PATCH] media: staging/ipu7: Fix pdata double free in init error paths Guangshuo Li
2026-05-03 8:26 ` kernel test robot
2026-05-03 14:51 ` kernel test robot
2026-05-04 12:48 ` Guangshuo Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox