Re: [PATCH] media: i2c: mt9p031: fix endpoint parsing use-after-free

Next message: Ankur Arora: "Re: [PATCH v12 07/15] atomic: Add atomic_cond_read_*_timeout()"
Previous message: nasser: "Re: [PATCH v2] staging: greybus: audio: check sscanf() result directly"
In reply to: Biren Pandya: "[PATCH] media: i2c: mt9p031: fix endpoint parsing use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Laurent Pinchart

Date: Mon Jun 15 2026 - 03:44:17 EST

On Sat, Jun 13, 2026 at 02:18:49PM +0530, Biren Pandya wrote:
> The mt9p031_probe() function calls fwnode_handle_put(np) immediately
> after parsing the endpoint. However, it subsequently calls
> fwnode_property_read_u32() twice using the same 'np' handle, leading
> to a potential use-after-free.
>
> Fix this by moving fwnode_handle_put(np) to the end of the endpoint
> property reading block, and adding it to the error path of
> v4l2_fwnode_endpoint_parse().
>
> Signed-off-by: Biren Pandya <birenpandya@xxxxxxxxx>
> ---
> drivers/media/i2c/mt9p031.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
> index ea5d43d..04c17cb 100644
> --- a/drivers/media/i2c/mt9p031.c
> +++ b/drivers/media/i2c/mt9p031.c
> @@ -1075,15 +1075,18 @@ static int mt9p031_parse_properties(struct mt9p031 *mt9p031, struct device *dev)
> return dev_err_probe(dev, -EINVAL, "endpoint node not found\n");
>
> ret = v4l2_fwnode_endpoint_parse(np, &endpoint);
> - fwnode_handle_put(np);
> - if (ret)
> + if (ret) {
> + fwnode_handle_put(np);
> return dev_err_probe(dev, -EINVAL, "could not parse endpoint\n");
> + }
>
> fwnode_property_read_u32(np, "input-clock-frequency",
> &mt9p031->ext_freq);
> fwnode_property_read_u32(np, "pixel-clock-frequency",
> &mt9p031->target_freq);
>
> + fwnode_handle_put(np);
> +

This seems to be a candidate for __free().

> mt9p031->pixclk_pol = !!(endpoint.bus.parallel.flags &
> V4L2_MBUS_PCLK_SAMPLE_RISING);
>

--
Regards,

Laurent Pinchart