Re: [PATCH 3/6] soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free

From: Markus Elfring
Date: Tue Feb 20 2024 - 06:11:24 EST



> Specifically, the dp-hpd bridge is currently registered before all
> resources have been acquired which means that it can also be
> deregistered on probe deferrals.
>
> In the meantime there is a race window where the new aux bridge driver
> (or PHY driver previously) may have looked up the dp-hpd bridge and
> stored a (non-reference-counted) pointer to the bridge which is about to
> be deallocated.

> +++ b/drivers/soc/qcom/pmic_glink_altmode.c

> @@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
> alt_port->index = port;
> INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
>
> - alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
> + alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
> if (IS_ERR(alt_port->bridge)) {
> fwnode_handle_put(fwnode);
> return PTR_ERR(alt_port->bridge);
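Review bot: this hunk only swaps the allocation call, so on its own it cannot close the race the commit message describes; `devm_drm_dp_hpd_bridge_alloc()` ties the bridge's memory to the device lifetime, but a pointer handed out to the aux bridge driver still dangles if the bridge is published before probe can no longer defer. The fix therefore depends on the matching add/registration call being moved to after all remaining resources are acquired, which is not visible in this excerpt and is worth confirming in the later hunks. On the error path shown, nothing has been registered yet, so returning after `fwnode_handle_put(fwnode)` is sufficient and no bridge teardown is needed here.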


The function call “fwnode_handle_put(fwnode)” is used in multiple if branches.
https://elixir.bootlin.com/linux/v6.8-rc5/source/drivers/soc/qcom/pmic_glink_altmode.c#L435

I suggest adding a jump target so that a bit of exception handling
can be better reused at the end of this function implementation.

Regards,
Markus