* [PATCH] drm/mipi-dsi: fix of_node reference leak in of_mipi_dsi_device_add error path
@ 2026-05-25 4:50 Wentao Liang
2026-05-25 6:47 ` Claude review: " Claude Code Review Bot
2026-05-25 6:47 ` Claude Code Review Bot
0 siblings, 2 replies; 3+ messages in thread
From: Wentao Liang @ 2026-05-25 4:50 UTC (permalink / raw)
To: maarten.lankhorst, mripard, tzimmermann, airlied, simona
Cc: dri-devel, linux-kernel, Wentao Liang, stable
of_mipi_dsi_device_add() acquires an of_node reference via
of_node_get() before passing it to mipi_dsi_device_register_full().
However, when mipi_dsi_device_register_full() fails (e.g.,
mipi_dsi_device_add() returns an error), the acquired reference is
never released, causing the device_node to leak.

device_set_node() merely stores the fwnode pointer without taking
an additional refcount, so the reference from of_node_get() is the
only one the device holds on the success path. On the error path
the reference must be released by the caller that acquired it.

Fix this by checking the return value of
mipi_dsi_device_register_full() and calling of_node_put() on error.

Fixes: c63ae8a9686b ("drm/dsi: Use mipi_dsi_device_register_full() for DSI device creation")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/gpu/drm/drm_mipi_dsi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
index 0390e14d3157..b54c10d92c57 100644
--- a/drivers/gpu/drm/drm_mipi_dsi.c
+++ b/drivers/gpu/drm/drm_mipi_dsi.c
@@ -163,6 +163,7 @@ of_mipi_dsi_device_add(struct mipi_dsi_host *host, struct device_node *node)
{
struct mipi_dsi_device_info info = { };
int ret;
+ struct mipi_dsi_device *dsi;
u32 reg;
if (of_alias_from_compatible(node, info.type, sizeof(info.type)) < 0) {
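Review bot: the new `struct mipi_dsi_device *dsi;` declaration is inserted between `int ret;` and `u32 reg;`, so the locals are no longer ordered longest line first. Move it up so it sits directly under `struct mipi_dsi_device_info info = { };`.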
@@ -179,8 +180,10 @@ of_mipi_dsi_device_add(struct mipi_dsi_host *host, struct device_node *node)
info.channel = reg;
info.node = of_node_get(node);
-
- return mipi_dsi_device_register_full(host, &info);
+ dsi = mipi_dsi_device_register_full(host, &info);
+ if (IS_ERR(dsi))
+ of_node_put(node);
+ return dsi;
}
#else
static struct mipi_dsi_device *
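Review bot: the `of_node_put(node)` in the `IS_ERR(dsi)` branch is only correct while mipi_dsi_device_register_full() never drops the reference on any of its own failure paths, and nothing at the call site records that. Add a one-line comment above the put stating that the callee does not release `info.node` on error, so a later change to the callee's cleanup does not silently turn this into a double put. The put would also pair more visibly with the get if it used `info.node`, and the blank line before the call that this hunk removes is worth keeping, together with one before `return dsi;`.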
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Claude review: drm/mipi-dsi: fix of_node reference leak in of_mipi_dsi_device_add error path
From: Claude Code Review Bot @ 2026-05-25 6:47 UTC (permalink / raw)
To: dri-devel-reviews
Overall Series Review
Subject: drm/mipi-dsi: fix of_node reference leak in of_mipi_dsi_device_add error path
Author: Wentao Liang <vulab@iscas.ac.cn>
Patches: 1
Reviewed: 2026-05-25T16:47:47.286637
---
This is a single-patch fix for a real `of_node` reference leak in `of_mipi_dsi_device_add()`. The analysis is correct: when `mipi_dsi_device_register_full()` fails, the reference acquired by `of_node_get(node)` at line 182 is never released.
There are **two** failure paths inside `mipi_dsi_device_register_full()` that can leak:
1. **Early parameter validation failures** (lines 215-223): `info->node` is never stored into a device, so the ref is simply orphaned.
2. **`mipi_dsi_device_add()` failure** (lines 237-240): The allocated `dsi` is freed with `kfree(dsi)` rather than `put_device(&dsi->dev)`, so the `.release` callback (`mipi_dsi_dev_release`, which does `of_node_put`) is never invoked.
The fix is correct and minimal. However, there is a secondary bug worth noting: the `kfree(dsi)` at line 239 in `mipi_dsi_device_register_full` is itself a bug — after `device_initialize()` has been called (in `mipi_dsi_device_alloc`), the device must be freed via `put_device()`, not `kfree()`. Using `kfree` after `device_initialize` can lead to issues if anything has taken a reference on the device. That's a pre-existing issue outside the scope of this patch, but it means the `of_node_put` in the release callback can never fire on this error path anyway, reinforcing that the caller-side fix is necessary.
**Verdict: The patch is correct and should be applied.** One minor style nit below.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 3+ messages in thread
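Added example, not part of the thread or of the kernel source: a userspace C model of the two failure paths described in the review above, showing the reference left outstanding by the caller before and after the patch. All names are hypothetical, NULL stands in for the kernel's ERR_PTR return, and the channel limit of 3 is an assumption of the model.

```c
/* Userspace model, constructed for illustration; ints stand in for refcounts. */
#include <stdlib.h>
struct node { int refs; };
struct dev { struct node *of_node; };

static struct node *node_get(struct node *n) { n->refs++; return n; }
static void node_put(struct node *n) { n->refs--; }

/* Callee model: neither failure path drops the reference passed in. */
static struct dev *register_full(struct node *n, int channel, int add_fails)
{
	struct dev *d;
	if (channel > 3)	/* early validation: node never stored */
		return NULL;
	d = malloc(sizeof(*d));
	if (!d)
		return NULL;
	d->of_node = n;		/* stores the pointer, takes no extra ref */
	if (add_fails) {
		free(d);	/* plain free: no release callback, no put */
		return NULL;
	}
	return d;
}

/* Caller before the patch: result returned unchecked. */
static struct dev *add_unpatched(struct node *n, int ch, int add_fails)
{
	return register_full(node_get(n), ch, add_fails);
}

/* Caller after the patch: drop the reference when registration fails. */
static struct dev *add_patched(struct node *n, int ch, int add_fails)
{
	struct dev *d = register_full(node_get(n), ch, add_fails);
	if (!d)
		node_put(n);
	return d;
}

/* References one call leaves outstanding on a node that starts at 1. */
static int refs_left(struct dev *(*add)(struct node *, int, int), int ch, int fail)
{
	struct node n = { .refs = 1 };
	free(add(&n, ch, fail));	/* model teardown runs no release */
	return n.refs - 1;
}

int main(void) { return refs_left(add_patched, 9, 0) + refs_left(add_patched, 0, 1); }
```

On the success path both callers leave one reference outstanding, which is the one the device is meant to hold.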
* Claude review: drm/mipi-dsi: fix of_node reference leak in of_mipi_dsi_device_add error path
From: Claude Code Review Bot @ 2026-05-25 6:47 UTC (permalink / raw)
To: dri-devel-reviews
Patch Review
**Correctness: Good.** The bug analysis is accurate. `of_node_get(node)` at line 182 takes a reference, and none of the failure paths inside `mipi_dsi_device_register_full()` release it. The fix correctly calls `of_node_put(node)` (not `of_node_put(info.node)` — both point to the same node, but using `node` directly is fine since `info.node` was set to `of_node_get(node)`).
**Minor style nit:** The new variable declaration breaks reverse-Christmas-tree ordering:
```c
struct mipi_dsi_device_info info = { };
int ret;
struct mipi_dsi_device *dsi;
u32 reg;
```
Per kernel coding conventions, local variable declarations should go longest-to-shortest line. The preferred ordering would be:
```c
struct mipi_dsi_device_info info = { };
struct mipi_dsi_device *dsi;
u32 reg;
int ret;
```
This is a trivial style issue and shouldn't block the patch, but a v2 could clean it up.
**Commit message:** Well-written. The explanation of why `device_set_node()` doesn't take its own reference is helpful context. The `Fixes:` tag and `Cc: stable` are appropriate.
**One observation for the commit message:** The message says "when `mipi_dsi_device_register_full()` fails (e.g., `mipi_dsi_device_add()` returns an error)" — it's worth noting that the early validation checks in `mipi_dsi_device_register_full()` (invalid channel, NULL info) also leak the reference, not just the `mipi_dsi_device_add()` sub-failure. The fix handles all of these, which is correct.
**Recommendation:** Acked with the suggestion to fix the declaration ordering in a v2 if the maintainer prefers it.
---
Generated by Claude Code Patch Reviewer
^ permalink raw reply [flat|nested] 3+ messages in thread