Re: [PATCH] media: v4l2-core: Fix Use-After-Free in v4l2_subdev_get_fwnode_pad_1_to_1

[Laurent Pinchart]

On Tue, Jun 16, 2026 at 02:55:16PM +0530, Biren Pandya wrote:
> v4l2_subdev_get_fwnode_pad_1_to_1() drops the fwnode reference via
> fwnode_handle_put() before passing it to device_match_fwnode(). This
> creates a Use-After-Free vulnerability. If the freed memory is instantly
> reallocated by SLUB, the pointer comparison could accidentally match
> the wrong pad or trigger a KASAN panic.

There's no vulnerability in practice. The code change is still worth it
in my opinion, but the commit message needs an update.

> Fix this by using the __free(fwnode_handle) scoped guard. This safely
> binds the fwnode lifecycle to the function scope, holding the reference
> during the match and releasing it automatically upon return.
> 
> Signed-off-by: Biren Pandya <birenpandya@xxxxxxxxx>
> ---
>  drivers/media/v4l2-core/v4l2-subdev.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-subdev.c b/drivers/media/v4l2-core/v4l2-subdev.c
> index 831c69c958b8..e6b133ef7850 100644
> --- a/drivers/media/v4l2-core/v4l2-subdev.c
> +++ b/drivers/media/v4l2-core/v4l2-subdev.c
> @@ -7,7 +7,7 @@
>   * Contact: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
>   *	    Sakari Ailus <sakari.ailus@xxxxxx>
>   */
> -
> +#include <linux/cleanup.h>
>  #include <linux/export.h>
>  #include <linux/ioctl.h>
>  #include <linux/leds.h>
> @@ -1243,7 +1243,7 @@ const struct v4l2_file_operations v4l2_subdev_fops = {
>  int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
>  				      struct fwnode_endpoint *endpoint)
>  {
> -	struct fwnode_handle *fwnode;
> +	struct fwnode_handle *fwnode __free(fwnode_handle) = NULL;
>  	struct v4l2_subdev *sd;
>  
>  	if (!is_media_entity_v4l2_subdev(entity))
> @@ -1252,7 +1252,6 @@ int v4l2_subdev_get_fwnode_pad_1_to_1(struct media_entity *entity,
>  	sd = media_entity_to_v4l2_subdev(entity);
>  
>  	fwnode = fwnode_graph_get_port_parent(endpoint->local_fwnode);

The recommended usage is to declare the variable where initialized:

	struct fwnode_handle *fwnode __free(fwnode_handle) =
		fwnode_graph_get_port_parent(endpoint->local_fwnode);

> -	fwnode_handle_put(fwnode);
>  
>  	if (device_match_fwnode(sd->dev, fwnode))
>  		return endpoint->port;

-- 
Regards,

Laurent Pinchart