From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH] fbdev: imxfb: Use of_device_get_match_data()
Date: Mon, 18 May 2026 21:38:08 +0000
Message-ID: <20260518213809.23571C2BCB7@smtp.kernel.org>
In-Reply-To: <20260518211303.10777-1-rosenp@gmail.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The patch introduces a NULL pointer dereference for non-Device Tree probes by unconditionally assigning the result of `of_device_get_match_data()` to `pdev->id_entry`.
- [High] This problem wasn't introduced by this patch, but there is a Use-After-Free vulnerability during driver removal due to mismatched manual and `devm`-managed cleanups.
--

commit bacef9a3e606a55e0a0cb62b81ba7008a6e42804
Author: Rosen Penev <rosenp@gmail.com>

fbdev: imxfb: Use of_device_get_match_data()

This commit simplifies the driver by replacing an open-coded of_match_device()
lookup with a direct call to of_device_get_match_data() and drops an unused
include.

> diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
> index a077bf346bdf4..7a021da0a32a2 100644
> --- a/drivers/video/fbdev/imxfb.c
> +++ b/drivers/video/fbdev/imxfb.c
[ ... ]
> @@ -891,9 +889,7 @@ static int imxfb_probe(struct platform_device *pdev)
>  	if (ret < 0)
>  		return ret;
>  
> -	of_id = of_match_device(imxfb_of_dev_id, &pdev->dev);
> -	if (of_id)
> -		pdev->id_entry = of_id->data;
> +	pdev->id_entry = of_device_get_match_data(&pdev->dev);
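Review bot: The added `pdev->id_entry = of_device_get_match_data(&pdev->dev);` line drops the `if (of_id)` guard that the removed lines carried, so a lookup that finds no match now overwrites `pdev->id_entry` with NULL instead of leaving the existing value in place. Keep the conditional: store the lookup result in a local and assign it to `pdev->id_entry` only when it is non-NULL, or explain in the commit message why every probe path is guaranteed an OF match.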

For devices matched via the legacy platform bus, of_device_get_match_data()
returns NULL.

This unconditionally overwrites the previously valid pdev->id_entry with NULL.

When imxfb_probe() subsequently calls imxfb_init_fbinfo(), does this cause a
NULL pointer dereference on pdev->id_entry?

drivers/video/fbdev/imxfb.c:imxfb_init_fbinfo() {
    ...
	fbi->pdev = pdev;
	fbi->devtype = pdev->id_entry->driver_data;
    ...
}

This problem wasn't introduced by this patch, but the driver registers the LCD
device using devm_lcd_device_register(), and explicitly frees the backing
memory structure fbi during imxfb_remove() and in probe error paths:

drivers/video/fbdev/imxfb.c:imxfb_remove() {
    ...
	framebuffer_release(info);
}

Because devm cleanup runs only after the remove function returns, the LCD
device and its sysfs attributes remain active while pointing to freed memory.

If a userspace process accesses a sysfs attribute during this window, can it
trigger a use-after-free regression on the fbi structure?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260518211303.10777-1-rosenp@gmail.com?part=1
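
The teardown ordering described in the second finding, as an added example that is not part of the original message or the imxfb driver: a user-space toy model in which remove() runs first and devres entries are then released newest-first. All struct and function names are hypothetical, and registering the fbi release as a devres entry is shown only as one assumed way to restore the ordering.

```c
#include <stdbool.h>

/* Toy model, not kernel code: on unbind the driver core calls remove()
 * first, then releases devres entries newest-first. All names are made up. */
struct res { void (*release)(void *); void *data; };
struct dev { struct res res[4]; int nres; };
struct fbi { bool freed; };              /* stands in for the fb_info memory */
struct lcd { struct fbi *fbi; bool saw_freed_fbi; };

static void devm_add(struct dev *d, void (*rel)(void *), void *data)
{
	d->res[d->nres].release = rel;
	d->res[d->nres].data = data;
	d->nres++;
}

static void fbi_release(void *p) { ((struct fbi *)p)->freed = true; }

/* Until this runs, sysfs attributes of the LCD device can still reach fbi;
 * record whether fbi was already released while the device was registered. */
static void lcd_unregister(void *p)
{
	struct lcd *l = p;
	l->saw_freed_fbi = l->fbi->freed;
}

static void unbind(struct dev *d, struct fbi *f, bool manual_free)
{
	if (manual_free)
		fbi_release(f);          /* step 1: remove() frees fbi by hand */
	while (d->nres > 0) {            /* step 2: devres cleanup, LIFO */
		d->nres--;
		d->res[d->nres].release(d->res[d->nres].data);
	}
}

/* Returns true if the LCD device outlived the memory it points to. */
bool stale_window(bool manual_free)
{
	struct dev d = { .nres = 0 };
	struct fbi f = { false };
	struct lcd l = { &f, false };

	if (!manual_free)
		devm_add(&d, fbi_release, &f);   /* added first, released last */
	devm_add(&d, lcd_unregister, &l);
	unbind(&d, &f, manual_free);
	return l.saw_freed_fbi;
}
```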
