[PATCH] media: v4l2-core: Fix Use-After-Free in v4l2_subdev_get_fwnode_pad_1_to_1

[Biren Pandya]

v4l2_subdev_get_fwnode_pad_1_to_1() drops the fwnode reference via
fwnode_handle_put() before passing it to device_match_fwnode(). This
creates a Use-After-Free vulnerability. If the freed memory is instantly
reallocated by SLUB, the pointer comparison could accidentally match
the wrong pad or trigger a KASAN panic.

Fix this by using the __free(fwnode_handle) scoped guard. This safely
binds the fwnode lifecycle to the function scope, holding the reference
during the match and releasing it automatically upon return.

Signed-off-by: Biren Pandya <birenpandya@xxxxxxxxx>
---
 drivers/media/v4l2-core/v4l2-subdev.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
index 831c69c958b8..e6b133ef7850 100644
--- a/drivers/media/v4l2-core/v4l2-subdev.c
+++ b/drivers/media/v4l2-core/v4l2-subdev.c
@@ -7,7 +7,7 @@
  * Contact: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
  *	    Sakari Ailus <sakari.ailus@xxxxxx>
  */
-
+#include <linux/cleanup.h>
 #include <linux/export.h>
 #include <linux/ioctl.h>
 #include <linux/leds.h>
@@ -1243,7 +1243,7 @@ const struct v4l2_file_operations v4l2_subdev_fops = {
 int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
 				      struct fwnode_endpoint *endpoint)
 {
-	struct fwnode_handle *fwnode;
+	struct fwnode_handle *fwnode __free(fwnode_handle) = NULL;
 	struct v4l2_subdev *sd;
 
 	if (!is_media_entity_v4l2_subdev(entity))
@@ -1252,7 +1252,6 @@ int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
 	sd = media_entity_to_v4l2_subdev(entity);
 
 	fwnode = fwnode_graph_get_port_parent(endpoint->local_fwnode);
-	fwnode_handle_put(fwnode);
 
 	if (device_match_fwnode(sd->dev, fwnode))
 		return endpoint->port;

-- 
2.50.1 (Apple Git-155)