[PATCH] media: v4l2-subdev: Fix Use-After-Free risk in fwnode pad matching
From: Biren Pandya
Date: Tue Jun 16 2026 - 02:38:10 EST
In v4l2_subdev_get_fwnode_pad_1_to_1(), fwnode_handle_put() is called immediately after fetching the endpoint's parent node. However, the pointer is subsequently passed into device_match_fwnode().
While device_match_fwnode() only performs a pointer comparison and does not dereference the pointer, passing a dangling pointer is a Use-After-Free violation. If the memory allocator immediately reuses the freed fwnode address for another node, the comparison will yield a false positive. Furthermore, static analysis and KASAN strictly flag passing dangling pointers to functions.
Fix this by replacing the manual fwnode_handle_put() with the __free(fwnode_handle) scoped guard, which guarantees the reference is safely held for the remainder of the function scope.
Fixes: 8fe784b9abb2 ("media: v4l2-subdev: add v4l2_subdev_get_fwnode_pad_1_to_1")
Signed-off-by: Biren Pandya <birenpandya@xxxxxxxxx>
---
drivers/media/v4l2-core/v4l2-subdev.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
index 831c69c958b8..24c95082ded5 100644
--- a/drivers/media/v4l2-core/v4l2-subdev.c
+++ b/drivers/media/v4l2-core/v4l2-subdev.c
@@ -8,6 +8,7 @@
* Sakari Ailus <sakari.ailus@xxxxxx>
*/
+#include <linux/cleanup.h>
#include <linux/export.h>
#include <linux/ioctl.h>
#include <linux/leds.h>
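Review bot: The added `#include <linux/cleanup.h>` at the top of the include block supplies the `__free()` macro, but nothing visible in this patch shows where the `fwnode_handle` cleanup class used in the last hunk is defined. Please confirm that the header defining it is included directly in this file rather than reached through another include, and add it beside this line if it is not.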
@@ -1243,7 +1244,6 @@ const struct v4l2_file_operations v4l2_subdev_fops = {
int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
struct fwnode_endpoint *endpoint)
{
- struct fwnode_handle *fwnode;
struct v4l2_subdev *sd;
if (!is_media_entity_v4l2_subdev(entity))
@@ -1251,8 +1251,8 @@ int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
sd = media_entity_to_v4l2_subdev(entity);
- fwnode = fwnode_graph_get_port_parent(endpoint->local_fwnode);
- fwnode_handle_put(fwnode);
+ struct fwnode_handle *fwnode __free(fwnode_handle) =
+ fwnode_graph_get_port_parent(endpoint->local_fwnode);
if (device_match_fwnode(sd->dev, fwnode))
return endpoint->port;
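Review bot: The changelog overstates what this hunk fixes. At `if (device_match_fwnode(sd->dev, fwnode))` the pointer is only passed as an argument, and the commit message itself says that call compares the pointer without dereferencing it, so no access to freed memory is visible here. Please reword the subject and description to say the old code compared a pointer whose reference had already been dropped, and either drop the KASAN statement or attach a report, since KASAN instruments memory accesses rather than pointer values passed to a function. Because the new `struct fwnode_handle *fwnode __free(fwnode_handle) =` declaration now follows the `sd = ...` statement, a one-line comment saying the reference must outlive the comparison would also help keep a later cleanup from moving the put back above it.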
--
2.50.1 (Apple Git-155)