In line 825 (#1), "fwnode_handle_put(ep);" drops the reference to ep
and may cause ep to be released. However, ep is subsequently used in
lines 831 (#3) by "ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-
voltage", &clk_volt);". This may result in an use-after-put bug.
It can be fixed by removing "fwnode_handle_put(ep);" in line 825 (#1)
and call it respectively before the function returns (line 827, #2) and
after ep has been used again (line 831, #3).
806 static int ov02a10_check_hwcfg(struct device *dev,
struct ov02a10 *ov02a10)
807 {
...
825 fwnode_handle_put(ep); //#1 Memory can be released.
826 if (ret)
827 return ret;
//#2 One of the branch ways ends here.
// Function returns.
...
830 ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-voltage",
831 &clk_volt);
//#3 Use of memory after it may be freed.
...
853 return ret;
854 }
Signed-off-by: Wentao_Liang <Wentao_Liang_g@xxxxxxx>
---
drivers/media/i2c/ov02a10.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/ov02a10.c b/drivers/media/i2c/ov02a10.c
index a3ce5500d355..1066a17e9cf8 100644
--- a/drivers/media/i2c/ov02a10.c
+++ b/drivers/media/i2c/ov02a10.c
@@ -822,13 +822,15 @@ static int ov02a10_check_hwcfg(struct device *dev, struct ov02a10 *ov02a10)
return -ENXIO;
ret = v4l2_fwnode_endpoint_alloc_parse(ep, &bus_cfg);
- fwnode_handle_put(ep);
- if (ret)
+ if (ret) {
+ fwnode_handle_put(ep);
return ret;
+ }
/* Optional indication of MIPI clock voltage unit */
ret = fwnode_property_read_u32(ep, "ovti,mipi-clock-voltage",
&clk_volt);
+ fwnode_handle_put(ep);
if (!ret)
ov02a10->mipi_clock_voltage = clk_volt;
--
2.25.1
