From: Wentao Liang <vulab@iscas.ac.cn>
To: andrzej.hajda@intel.com, neil.armstrong@linaro.org,
rfoss@kernel.org, maarten.lankhorst@linux.intel.com,
mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com,
simona@ffwll.ch
Cc: Laurent.pinchart@ideasonboard.com, jonas@kwiboo.se,
jernej.skrabec@gmail.com, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, Wentao Liang <vulab@iscas.ac.cn>,
stable@vger.kernel.org
Subject: [PATCH] drm/bridge: it6505: fix use-after-free in it6505_parse_dt()
Date: Thu, 9 Apr 2026 08:48:17 +0000 [thread overview]
Message-ID: <20260409084817.470401-1-vulab@iscas.ac.cn> (raw)
In it6505_parse_dt(), of_node_put(ep) is called prematurely before the
last access to ep when reading the "link-frequencies" property, leading
to a use-after-free if the node's reference count drops to zero. Move
the of_node_put() calls after the last use of ep in both the success
and error paths.
Fixes: 380d920b582d ("drm/bridge: add it6505 driver to read data-lanes and link-frequencies from dt")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/gpu/drm/bridge/ite-it6505.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
index a094803ba7aa..4155b5e67c2d 100644
--- a/drivers/gpu/drm/bridge/ite-it6505.c
+++ b/drivers/gpu/drm/bridge/ite-it6505.c
@@ -3361,13 +3361,13 @@ static void it6505_parse_dt(struct it6505 *it6505)
}
ep = of_graph_get_endpoint_by_regs(np, 0, 0);
- of_node_put(ep);
if (ep) {
len = of_property_read_variable_u64_array(ep,
"link-frequencies",
&link_frequencies, 0,
1);
+ of_node_put(ep);
if (len >= 0) {
do_div(link_frequencies, 1000);
if (link_frequencies > 297000) {
@@ -3382,6 +3382,7 @@ static void it6505_parse_dt(struct it6505 *it6505)
*max_dpi_pixel_clock = DPI_PIXEL_CLK_MAX;
}
} else {
+ of_node_put(ep);
dev_err(dev, "error endpoint, use default");
*max_dpi_pixel_clock = DPI_PIXEL_CLK_MAX;
}
--
2.34.1
next reply other threads:[~2026-04-09 8:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 8:48 Wentao Liang [this message]
2026-04-12 1:30 ` Claude review: drm/bridge: it6505: fix use-after-free in it6505_parse_dt() Claude Code Review Bot
2026-04-12 1:30 ` Claude Code Review Bot
-- strict thread matches above, loose matches on Subject: below --
2026-04-07 9:38 [PATCH] " Wentao Liang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409084817.470401-1-vulab@iscas.ac.cn \
--to=vulab@iscas.ac.cn \
--cc=Laurent.pinchart@ideasonboard.com \
--cc=airlied@gmail.com \
--cc=andrzej.hajda@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=jernej.skrabec@gmail.com \
--cc=jonas@kwiboo.se \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=rfoss@kernel.org \
--cc=simona@ffwll.ch \
--cc=stable@vger.kernel.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox