Hi Laurent, Thanks for the feedback. > -----Original Message----- > From: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx> > Sent: 06 November 2024 19:33 > Subject: Re: [PATCH v3 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() > > On Wed, Nov 06, 2024 at 08:04:16PM +0100, Geert Uytterhoeven wrote: > > Hi Biju, > > > > On Wed, Nov 6, 2024 at 7:49 PM Biju Das <biju.das.jz@xxxxxxxxxxxxxx> wrote: > > > The host_node pointer assigned and freed in adv7533_parse_dt() and > > > later adv7533_attach_dsi() uses the same. Fix this issue by freeing > > > the host_node in adv7533_attach_dsi() instead of adv7533_parse_dt(). > > > > > > Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI > > > device") > > > Cc: stable@xxxxxxxxxxxxxxx > > > Signed-off-by: Biju Das <biju.das.jz@xxxxxxxxxxxxxx> > > > --- > > > Changes in v3: > > > - Replace __free construct with readable of_node_put(). > > > Changes in v2: > > > - Added the tag "Cc: stable@xxxxxxxxxxxxxxx" in the sign-off area. > > > - Dropped Archit Taneja invalid Mail address > > > > Thanks for the update! > > > > > --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c > > > +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c 
> > > @@ -143,6 +143,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) > > > }; > > > > > > host = of_find_mipi_dsi_host_by_node(adv->host_node); > > > + of_node_put(adv->host_node); > > > > This still looks fragile to me, as afterwards a pointer to a freed > > node is left in struct adv7511.host_node. It would be safer to also > > clear adv->host_node here. > > > > However, taking a look from a distance, the code looks like: > > > > static int adv7511_probe(struct i2c_client *i2c) > > { > > ... > > adv7533_parse_dt(dev->of_node, adv7511); > > ... > > if (adv7511->info->has_dsi) > > ret = adv7533_attach_dsi(adv7511); > > ... > > } > > > > The only reason adv7511.host_node exists is to pass it from > > adv7533_parse_dt() to adv7533_attach_dsi(). > > So what about making this explicit? > > 1. Let adv7533_parse_dt() return the host_node or an error pointer, > > 2. Pass the host_node as a parameter to adv7533_attach_dsi(), > > 3. Call of_node_put() in adv7511_probe() after use. > > Or, alternatively, if keeping the node pointer in the adv7511 structure is preferred, call > of_node_put() at .remove() time. We don't need to store an unnecessary pointer if we handle the host_node pointer in probe(). I will go with Geert's suggestion. Cheers, Biju > > > > if (!host) > > > return dev_err_probe(dev, -EPROBE_DEFER, > > > "failed to find dsi host\n"); > > > @@ -181,8 +182,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) > > > if (!adv->host_node) > > > return -ENODEV; > > > > > > - of_node_put(adv->host_node); > > > - > > > adv->use_timing_gen = !of_property_read_bool(np, > > > > > > "adi,disable-timing-generator"); > > -- > Regards, > > Laurent Pinchart
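Review bot: the `+ of_node_put(adv->host_node);` added right after of_find_mipi_dsi_host_by_node() in the adv7533_attach_dsi() hunk drops the reference but leaves the stale pointer in adv->host_node, so any later reader of that field (the retry after the -EPROBE_DEFER return just below, or a future remove path) would use freed memory, the same class of bug the patch is fixing. Either follow the put with `adv->host_node = NULL;`, or take Geert's route and have adv7533_parse_dt() return the node so adv7533_attach_dsi() only borrows it and the struct never stores it. Moving the put here also means any error return from adv7511_probe() between adv7533_parse_dt() and adv7533_attach_dsi() (the "..." in Geert's sketch) leaks the reference taken in adv7533_parse_dt(), since nothing else puts it; putting the node in adv7511_probe() after use closes that path as well.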
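Review bot: with the `- of_node_put(adv->host_node);` removed from adv7533_parse_dt(), the function now returns holding a reference on adv->host_node that its caller is expected to drop, but nothing in the hunk records that ownership transfer. Add a comment at the assignment (for example `/* reference dropped in adv7533_attach_dsi() */`) or, as Geert suggests, return the node to adv7511_probe() and put it there so the ownership is explicit in the signature. The `return -ENODEV;` just above the removed put is fine as it stands, since adv->host_node is NULL on that path and there is nothing to release.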
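The three lifetimes discussed in this thread, as an added userspace model that is not code from the patch or from the adv7511 driver: the pre-patch layout (parse_dt() gets and immediately puts the node it stores), the v3 layout (the put moved into attach_dsi(), pointer left in the struct), and Geert's explicit ownership (parse_dt() returns the node, attach_dsi() borrows it, probe() puts it once on every path). mock_node, node_get(), node_put(), find_host_by_node() and the run_*() helpers stand in for struct device_node, of_node_get(), of_node_put(), of_find_mipi_dsi_host_by_node() and the driver functions; all of these names and the refcount values are assumptions of the model.

```c
/* Added example, not code from the patch or the adv7511 driver: a userspace
 * model of the device_node reference-count discipline under discussion.
 * mock_node/node_get/node_put stand in for struct device_node, of_node_get()
 * and of_node_put(); find_host_by_node() stands in for
 * of_find_mipi_dsi_host_by_node(). All names here are assumptions. */
#include <stdbool.h>
#include <string.h>

struct mock_node {
	int refcount;
	bool freed;        /* set once the last reference is dropped */
	const char *name;
};

/* Like of_node_get(): take one more reference on a live node. */
static struct mock_node *node_get(struct mock_node *np)
{
	if (np && !np->freed)
		np->refcount++;
	return np;
}

/* Like of_node_put(): drop one reference; the node is gone at zero. */
static void node_put(struct mock_node *np)
{
	if (np && !np->freed && --np->refcount == 0)
		np->freed = true;
}

/* Like of_find_mipi_dsi_host_by_node(): reads the node only while it runs and
 * keeps no reference to it. Reading a freed node is the use-after-free. */
static bool find_host_by_node(const struct mock_node *np, bool *uaf)
{
	if (np->freed) {
		*uaf = true;
		return false;
	}
	return strcmp(np->name, "dsi-host") == 0;
}

struct mock_adv {
	struct mock_node *host_node;   /* like struct adv7511.host_node */
};

struct outcome {
	bool found;      /* attach_dsi() located the host */
	bool uaf;        /* a freed node was read */
	bool dangling;   /* the struct still points at a freed node */
	int refcount;    /* references left on the node afterwards */
};

/* The model gives the node no other holder, so dropping the only reference
 * frees it at once; a node in a real device tree usually has other holders,
 * which is why the driver bug stays latent. */
#define REMOTE_NODE { .refcount = 0, .freed = false, .name = "dsi-host" }

/* Before the patch: parse_dt() gets, stores and immediately puts the node;
 * attach_dsi() then reads through the stored pointer. */
static struct outcome run_before(void)
{
	struct mock_node remote = REMOTE_NODE;
	struct mock_adv adv = { NULL };
	struct outcome o = { false, false, false, 0 };

	adv.host_node = node_get(&remote);
	node_put(adv.host_node);                            /* adv7533_parse_dt() */
	o.found = find_host_by_node(adv.host_node, &o.uaf); /* adv7533_attach_dsi() */
	o.dangling = adv.host_node && adv.host_node->freed;
	o.refcount = remote.refcount;
	return o;
}

/* The v3 patch: parse_dt() keeps the reference, attach_dsi() puts it after the
 * lookup, and the pointer stays in the struct. fail_before_attach models
 * probe() failing in between, when nothing drops the reference. */
static struct outcome run_v3(bool fail_before_attach)
{
	struct mock_node remote = REMOTE_NODE;
	struct mock_adv adv = { NULL };
	struct outcome o = { false, false, false, 0 };

	adv.host_node = node_get(&remote);                  /* adv7533_parse_dt() */
	if (!fail_before_attach) {
		o.found = find_host_by_node(adv.host_node, &o.uaf);
		node_put(adv.host_node);                    /* adv7533_attach_dsi() */
	}
	o.dangling = adv.host_node && adv.host_node->freed;
	o.refcount = remote.refcount;
	return o;
}

/* Geert's proposal: parse_dt() returns the node (NULL for error in the model,
 * where the kernel would use an ERR_PTR), attach_dsi() only borrows it, and
 * probe() puts it exactly once on every path and stores nothing. */
static struct mock_node *parse_dt_explicit(struct mock_node *remote)
{
	return node_get(remote);
}

static bool attach_dsi_explicit(struct mock_node *host_node, bool *uaf)
{
	return find_host_by_node(host_node, uaf);
}

static struct outcome run_explicit(bool fail_before_attach)
{
	struct mock_node remote = REMOTE_NODE;
	struct outcome o = { false, false, false, 0 };
	struct mock_node *host_node = parse_dt_explicit(&remote);

	if (host_node) {
		if (!fail_before_attach)
			o.found = attach_dsi_explicit(host_node, &o.uaf);
		node_put(host_node);                        /* adv7511_probe() */
	}
	o.refcount = remote.refcount;
	return o;
}
```

run_before() reports the read of a freed node that the patch describes; run_v3(false) finds the host without a use-after-free but ends with a non-NULL pointer to a freed node in the struct, and run_v3(true) shows the reference count stuck at one when probe() fails before attach_dsi() runs; run_explicit() ends with a balanced count and nothing stored on both paths.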