[PATCH] media: i2c: mt9p031: fix endpoint parsing use-after-free

Next message: Lothar Rubusch: "Re: [PATCH RESEND v2 1/1] crypto: atmel-sha204a - fix heap info leak on I2C transfer failure"
Previous message: David Laight: "Re: [PATCH] lib/raid/xor: x86: Add AVX-512 optimized xor_gen()"
Next in thread: Laurent Pinchart: "Re: [PATCH] media: i2c: mt9p031: fix endpoint parsing use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Biren Pandya

Date: Sat Jun 13 2026 - 04:50:27 EST

The mt9p031_probe() function calls fwnode_handle_put(np) immediately
after parsing the endpoint. However, it subsequently calls
fwnode_property_read_u32() twice using the same 'np' handle, leading
to a potential use-after-free.

Fix this by moving fwnode_handle_put(np) to the end of the endpoint
property reading block, and adding it to the error path of
v4l2_fwnode_endpoint_parse().

Signed-off-by: Biren Pandya <birenpandya@xxxxxxxxx>
---
drivers/media/i2c/mt9p031.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
index ea5d43d..04c17cb 100644
--- a/drivers/media/i2c/mt9p031.c
+++ b/drivers/media/i2c/mt9p031.c
@@ -1075,15 +1075,18 @@ static int mt9p031_parse_properties(struct mt9p031 *mt9p031, struct device *dev)
return dev_err_probe(dev, -EINVAL, "endpoint node not found\n");

ret = v4l2_fwnode_endpoint_parse(np, &endpoint);
- fwnode_handle_put(np);
- if (ret)
+ if (ret) {
+ fwnode_handle_put(np);
return dev_err_probe(dev, -EINVAL, "could not parse endpoint\n");
+ }

fwnode_property_read_u32(np, "input-clock-frequency",
&mt9p031->ext_freq);
fwnode_property_read_u32(np, "pixel-clock-frequency",
&mt9p031->target_freq);

+ fwnode_handle_put(np);
+
mt9p031->pixclk_pol = !!(endpoint.bus.parallel.flags &
V4L2_MBUS_PCLK_SAMPLE_RISING);

--
2.50.1 (Apple Git-155)