From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: fbdev:modedb: fix a possible UAF in fb_find_mode()
Date: Wed, 27 May 2026 15:06:24 +1000
Message-ID: <review-overall-20260526091507.421730-1-islituo@gmail.com>
In-Reply-To: <20260526091507.421730-1-islituo@gmail.com>
References: <20260526091507.421730-1-islituo@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Overall Series Review

Subject: fbdev:modedb: fix a possible UAF in fb_find_mode()
Author: Tuo Li <islituo@gmail.com>
Patches: 1
Reviewed: 2026-05-27T15:06:24.893069

---

This is a single patch claiming to fix a use-after-free (UAF) in `fb_find_mode()`. The claimed bug is that `mode_option_buf` (a `kstrdup`'d buffer from `fb_get_options`) is freed while the pointer `name`, which aliases it, is still in use.

**The bug claim is valid in the original code.** In the original code, `kfree(mode_option_buf)` was placed at the `done:` label, immediately before the CVT path and the database-search loop. The `name` pointer (which may alias `mode_option_buf`) is then used in the `name_matches()` call at line 783. This is a genuine UAF when `mode_option` was originally NULL and got populated from `fb_get_options`.

**However, the fix is incomplete and introduces new bugs.** It misses several return paths that still leak `mode_option_buf`.

---

---
Generated by Claude Code Patch Reviewer