[PATCH] drm/bridge: it6505: fix use-after-free in it6505_parse_dt()

Next message: Krzysztof Kozlowski: "Re: [PATCH 1/2] dt-bindings: arm: fsl: Add SolidRun i.MX8DXL SoM and HummingBoard"
Previous message: Thomas Wei&#xDF;schuh: "Re: [PATCH 0/5] driver core: Allow the constification of device attributes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wentao Liang

Date: Thu Apr 09 2026 - 04:52:17 EST

In it6505_parse_dt(), of_node_put(ep) is called prematurely before the
last access to ep when reading the "link-frequencies" property, leading
to a use-after-free if the node's reference count drops to zero. Move
the of_node_put() calls after the last use of ep in both the success
and error paths.

Fixes: 380d920b582d ("drm/bridge: add it6505 driver to read data-lanes and link-frequencies from dt")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/gpu/drm/bridge/ite-it6505.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
index a094803ba7aa..4155b5e67c2d 100644
--- a/drivers/gpu/drm/bridge/ite-it6505.c
+++ b/drivers/gpu/drm/bridge/ite-it6505.c
@@ -3361,13 +3361,13 @@ static void it6505_parse_dt(struct it6505 *it6505)
}

ep = of_graph_get_endpoint_by_regs(np, 0, 0);
- of_node_put(ep);

if (ep) {
len = of_property_read_variable_u64_array(ep,
"link-frequencies",
&link_frequencies, 0,
1);
+ of_node_put(ep);
if (len >= 0) {
do_div(link_frequencies, 1000);
if (link_frequencies > 297000) {
@@ -3382,6 +3382,7 @@ static void it6505_parse_dt(struct it6505 *it6505)
*max_dpi_pixel_clock = DPI_PIXEL_CLK_MAX;
}
} else {
+ of_node_put(ep);
dev_err(dev, "error endpoint, use default");
*max_dpi_pixel_clock = DPI_PIXEL_CLK_MAX;
}
--
2.34.1