This patch series aims to fix 2 bugs in ADV7535 driver 1) use-after-free bug in adv7533_attach_dsi() 2) out-of-bounds array in adv7511_dsi_config_timing_gen() for clock_div_by_lanes[].
Biju Das (2): drm: adv7511: Fix use-after-free in adv7533_attach_dsi() drm: adv7511: Fix out-of-bounds array in clock_div_by_lanes
drivers/gpu/drm/bridge/adv7511/adv7533.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
The host_node pointer assigned and freed in adv7533_parse_dt() and later adv7533_attach_dsi() uses the same. Fix this issue by freeing the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt().
Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Signed-off-by: Biju Das biju.das.jz@bp.renesas.com --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..3e57ba838e5e 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -133,6 +133,7 @@ int adv7533_patch_cec_registers(struct adv7511 *adv)
int adv7533_attach_dsi(struct adv7511 *adv) { + struct device_node *np __free(device_node) = adv->host_node; struct device *dev = &adv->i2c_main->dev; struct mipi_dsi_host *host; struct mipi_dsi_device *dsi; @@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV;
- of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");
Hi,
Thanks for your patch.
FYI: kernel test robot notices the stable kernel rule is not satisfied.
The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opti...
Rule: add the tag "Cc: stable@vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree. Subject: [PATCH 1/2] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Link: https://lore.kernel.org/stable/20241105110236.112631-2-biju.das.jz%40bp.rene...
Fix out-of-bounds array in adv7511_dsi_config_timing_gen() for clock_div_by_lanes[], when dsi lanes = 1.
Fixes: 78fa479d703c ("drm/bridge: adv7533: Use internal timing generator") Reported-by: Hien Huynh hien.huynh.px@renesas.com Signed-off-by: Biju Das biju.das.jz@bp.renesas.com --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 3e57ba838e5e..0c2236e53af5 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -185,6 +185,9 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator");
+ if (adv->use_timing_gen && num_lanes == 1) + return -EINVAL; + /* TODO: Check if these need to be parsed by DT or not */ adv->rgb = true; adv->embedded_sync = false;
linux-stable-mirror@lists.linaro.org
-
Biju Das -
kernel test robot