The host_node pointer is assigned and freed in adv7533_parse_dt(), and adv7533_attach_dsi() later uses the same pointer. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
Changes in v3:
- Replace __free construct with readable of_node_put().
Changes in v2:
- Added the tag "Cc: stable@vger.kernel.org" in the sign-off area.
- Dropped Archit Taneja's invalid mail address
---
 drivers/gpu/drm/bridge/adv7511/adv7533.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..de55d687245a 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) };
host = of_find_mipi_dsi_host_by_node(adv->host_node); + of_node_put(adv->host_node); if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); @@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV;
- of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");
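Review bot: in the adv7533_attach_dsi() hunk, `of_node_put(adv->host_node);` drops the reference but leaves the stale pointer in adv->host_node, so any later reader of that field dereferences a node this function no longer holds; either add `adv->host_node = NULL;` directly after the put, or stop storing the node in struct adv7511 and pass it to adv7533_attach_dsi() as a parameter so the lifetime is visible at the call site.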
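Review bot: in the adv7533_parse_dt() hunk, removing `of_node_put(adv->host_node);` means the reference taken in adv7533_parse_dt() is now released only inside adv7533_attach_dsi(); any probe path that fails between the two calls, or that never reaches adv7533_attach_dsi(), leaks the node reference. Release it on those paths as well, or move the put into the probe function that calls both.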
Hi Biju,
On Wed, Nov 6, 2024 at 7:49 PM Biju Das biju.das.jz@bp.renesas.com wrote:
The host_node pointer is assigned and freed in adv7533_parse_dt(), and adv7533_attach_dsi() later uses the same pointer. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Changes in v3:
- Replace __free construct with readable of_node_put().
Changes in v2:
- Added the tag "Cc: stable@vger.kernel.org" in the sign-off area.
- Dropped Archit Taneja's invalid mail address
Thanks for the update!
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) };
host = of_find_mipi_dsi_host_by_node(adv->host_node);
of_node_put(adv->host_node);
This still looks fragile to me, as afterwards a pointer to a freed node is left in struct adv7511.host_node. It would be safer to also clear adv->host_node here.
However, taking a look from a distance, the code looks like:
static int adv7511_probe(struct i2c_client *i2c)
{
	...
	adv7533_parse_dt(dev->of_node, adv7511);
	...
	if (adv7511->info->has_dsi)
		ret = adv7533_attach_dsi(adv7511);
	...
}
The only reason adv7511.host_node exists is to pass it from adv7533_parse_dt() to adv7533_attach_dsi(). So what about making this explicit?
1. Let adv7533_parse_dt() return the host_node or an error pointer,
2. Pass the host_node as a parameter to adv7533_attach_dsi(),
3. Call of_node_put() in adv7511_probe() after use.
if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n");
@@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV;
of_node_put(adv->host_node);
adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");
Gr{oetje,eeting}s,
Geert
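The ownership change Geert sketches above (parse_dt returns the node, attach_dsi takes it as a parameter, probe releases it after use), as an added example that is not the adv7511 driver's code and was not posted in this thread. It models the reference count with a stub struct device_node; get_host_node(), find_dsi_host(), run_buggy_probe() and run_fixed_probe() are this example's own stand-ins for the of_* helpers, and ERR_PTR/IS_ERR are reduced to the kernel's pointer encoding.

```c
#include <errno.h>
/* Stand-in DT node: only its reference count matters for this demo. */
struct device_node { int refcount; };
struct adv7511 { struct device_node *host_node; };
#define ERR_PTR(e) ((struct device_node *)(long)(e))
#define IS_ERR(p)  ((unsigned long)(p) >= (unsigned long)-4095)
static struct device_node g_host;  /* the one DSI host node in the fake DT */
static int g_use_after_put;        /* accesses that hit the node at refcount 0 */
/* Stand-ins for of_graph_get_remote_node() (returns one reference), of_node_put() and
 * of_find_mipi_dsi_host_by_node(); the last records any access at refcount 0 (the kernel UAF). */
static struct device_node *get_host_node(void) { g_host.refcount++; return &g_host; }
static void of_node_put(struct device_node *n) { if (n) n->refcount--; }
static int find_dsi_host(struct device_node *n) { g_use_after_put += n->refcount <= 0; return 0; }
int host_refcount(void) { return g_host.refcount; }

/* Pre-patch shape: parse_dt drops the reference it just took, attach_dsi then uses the pointer. */
static int buggy_parse_dt(struct adv7511 *adv)
{
	adv->host_node = get_host_node();
	if (!adv->host_node) return -ENODEV;
	of_node_put(adv->host_node);  /* too early: attach_dsi still needs it */
	return 0;
}
int run_buggy_probe(void)  /* returns the number of use-after-put accesses */
{
	struct adv7511 adv = { 0 };
	g_host.refcount = 0; g_use_after_put = 0;
	if (buggy_parse_dt(&adv)) return -ENODEV;
	find_dsi_host(adv.host_node);
	return g_use_after_put;  /* 1 */
}

/* Geert's proposal: parse_dt returns the node or an error pointer, attach_dsi
 * takes it as a parameter, and probe releases it after use on every path. */
static struct device_node *parse_dt(void)
{
	struct device_node *n = get_host_node();
	return n ? n : ERR_PTR(-ENODEV);
}
static int attach_dsi(struct device_node *host_node) { return find_dsi_host(host_node); }
int run_fixed_probe(void)  /* returns the number of use-after-put accesses */
{
	g_host.refcount = 0; g_use_after_put = 0;
	struct device_node *host_node = parse_dt();
	if (IS_ERR(host_node)) return -ENODEV;
	int ret = attach_dsi(host_node);
	of_node_put(host_node);  /* one explicit release, no dangling field left behind */
	return ret ? ret : g_use_after_put;  /* 0 */
}
```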
On Wed, Nov 06, 2024 at 08:04:16PM +0100, Geert Uytterhoeven wrote:
Hi Biju,
On Wed, Nov 6, 2024 at 7:49 PM Biju Das biju.das.jz@bp.renesas.com wrote:
The host_node pointer is assigned and freed in adv7533_parse_dt(), and adv7533_attach_dsi() later uses the same pointer. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Changes in v3:
- Replace __free construct with readable of_node_put().
Changes in v2:
- Added the tag "Cc: stable@vger.kernel.org" in the sign-off area.
- Dropped Archit Taneja's invalid mail address
Thanks for the update!
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) };
host = of_find_mipi_dsi_host_by_node(adv->host_node);
of_node_put(adv->host_node);
This still looks fragile to me, as afterwards a pointer to a freed node is left in struct adv7511.host_node. It would be safer to also clear adv->host_node here.
However, taking a look from a distance, the code looks like:
static int adv7511_probe(struct i2c_client *i2c)
{
	...
	adv7533_parse_dt(dev->of_node, adv7511);
	...
	if (adv7511->info->has_dsi)
		ret = adv7533_attach_dsi(adv7511);
	...
}
The only reason adv7511.host_node exists is to pass it from adv7533_parse_dt() to adv7533_attach_dsi(). So what about making this explicit?
- Let adv7533_parse_dt() return the host_node or an error pointer,
- Pass the host_node as a parameter to adv7533_attach_dsi(),
- Call of_node_put() in adv7511_probe() after use.
Or, alternatively, if keeping the node pointer in the adv7511 structure is preferred, call of_node_put() at .remove() time.
if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n");
@@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV;
of_node_put(adv->host_node);
adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");
Hi Laurent,
Thanks for the feedback.
-----Original Message-----
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Sent: 06 November 2024 19:33
Subject: Re: [PATCH v3 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
On Wed, Nov 06, 2024 at 08:04:16PM +0100, Geert Uytterhoeven wrote:
Hi Biju,
On Wed, Nov 6, 2024 at 7:49 PM Biju Das biju.das.jz@bp.renesas.com wrote:
The host_node pointer is assigned and freed in adv7533_parse_dt(), and adv7533_attach_dsi() later uses the same pointer. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Changes in v3:
- Replace __free construct with readable of_node_put().
Changes in v2:
- Added the tag "Cc: stable@vger.kernel.org" in the sign-off area.
- Dropped Archit Taneja's invalid mail address
Thanks for the update!
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) };
host = of_find_mipi_dsi_host_by_node(adv->host_node);
of_node_put(adv->host_node);
This still looks fragile to me, as afterwards a pointer to a freed node is left in struct adv7511.host_node. It would be safer to also clear adv->host_node here.
However, taking a look from a distance, the code looks like:
static int adv7511_probe(struct i2c_client *i2c)
{
	...
	adv7533_parse_dt(dev->of_node, adv7511);
	...
	if (adv7511->info->has_dsi)
		ret = adv7533_attach_dsi(adv7511);
	...
}
The only reason adv7511.host_node exists is to pass it from adv7533_parse_dt() to adv7533_attach_dsi(). So what about making this explicit?
- Let adv7533_parse_dt() return the host_node or an error pointer,
- Pass the host_node as a parameter to adv7533_attach_dsi(),
- Call of_node_put() in adv7511_probe() after use.
Or, alternatively, if keeping the node pointer in the adv7511 structure is preferred, call of_node_put() at .remove() time.
We don't need to store an unnecessary pointer if we handle the host_node pointer in probe(). I will go with Geert's suggestion.
Cheers,
Biju
if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n");
@@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV;
of_node_put(adv->host_node);
adv->use_timing_gen = !of_property_read_bool(np,
"adi,disable-timing-generator");
--
Regards,

Laurent Pinchart