From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/bridge: it6505: fix use-after-free in it6505_parse_dt()
Date: Sun, 12 Apr 2026 13:40:31 +1000
Message-ID: <review-patch1-20260407093800.291489-1-vulab@iscas.ac.cn>
In-Reply-To: <20260407093800.291489-1-vulab@iscas.ac.cn>
Patch Review
**The bug is real.** In the original code, the pattern is:
```c
ep = of_graph_get_endpoint_by_regs(np, 1, 0);
of_node_put(ep); // <-- drops refcount immediately
if (ep) {
	len = it6505_get_data_lanes_count(ep, 1, 4); // <-- uses freed node
	...
```
`of_graph_get_endpoint_by_regs()` returns a refcounted `device_node`. Calling `of_node_put()` immediately can drop the refcount to zero and free the node, making the subsequent dereference inside the `if (ep)` block a use-after-free. This same pattern occurs twice — once for endpoint (1,0) and once for endpoint (0,0).
**The fix is correct.** The patch moves `of_node_put(ep)` to the end of each `if (ep)` block, after `ep` is no longer needed:
```c
ep = of_graph_get_endpoint_by_regs(np, 1, 0);
if (ep) {
	len = it6505_get_data_lanes_count(ep, 1, 4);
	...
	of_node_put(ep); // <-- moved here, after all uses
} else {
	...
}
```
**Observations:**
1. **The `else` branches don't need `of_node_put()`** — when `ep` is `NULL`, `of_node_put(NULL)` is a documented no-op in the kernel, so omitting it is fine and arguably cleaner.
2. **The fix is applied consistently** to both occurrences of the pattern in the function (endpoint regs (1,0) and (0,0)).
3. **Minor nit on the commit message:** The phrase "the node may be freed before being accessed in the if (ep) block" is slightly misleading. `of_node_put()` *does* drop the reference, and if the refcount reaches zero the node *will* be freed — it's not just "may be." In practice, `of_graph_get_endpoint_by_regs()` typically returns a node with refcount 1, so `of_node_put()` will free it. A more precise commit message would say "the node is freed before being accessed."
4. **Cc: stable is appropriate** given this is a real use-after-free bug, and the `Fixes:` tag correctly identifies commit `380d920b582d` which introduced this buggy pattern.
5. **No functional concerns** — the surrounding logic is unchanged, and the ref is properly balanced (one `of_graph_get_endpoint_by_regs()` get, one `of_node_put()` put, on the only path where `ep` is non-NULL).
**Reviewed-by: Looks good.** The patch correctly fixes a real use-after-free. The only suggestion would be a minor commit message wording improvement ("is freed" vs "may be freed"), which is not worth a respin.
---
Generated by Claude Code Patch Reviewer
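The ordering problem discussed in the review, shown as an added stand-alone example rather than code from the patch or from the kernel. It models a refcounted node in user space with constructed `mock_*` names (none of these are kernel APIs): the getter hands out a node with one reference, the put drops it and marks the node freed when the count hits zero, and the lanes-count accessor reports a stale read instead of dereferencing freed memory. `parse_dt_buggy()` reproduces the put-before-use order, `parse_dt_fixed()` the put-after-last-use order the patch introduces, so the effect of the reordering can be checked directly:

```c
#include <stdio.h>

/* Constructed stand-in for a refcounted device-tree node (not struct device_node). */
struct mock_node {
	int refcount;
	int data_lanes;	/* constructed payload standing in for the data-lanes property */
	int freed;	/* set once the last reference is dropped, so stale use is observable */
};

/* Static backing storage: a "freed" node stays addressable so we can detect the stale read. */
static struct mock_node g_endpoint;

/* Mock of of_graph_get_endpoint_by_regs(): returns the node holding exactly one reference. */
static struct mock_node *mock_get_endpoint(int lanes)
{
	g_endpoint.refcount = 1;
	g_endpoint.data_lanes = lanes;
	g_endpoint.freed = 0;
	return &g_endpoint;
}

/* Mock of of_node_put(): NULL is a no-op; dropping the last reference "frees" the node. */
static void mock_node_put(struct mock_node *np)
{
	if (!np)
		return;
	if (--np->refcount == 0)
		np->freed = 1;
}

/*
 * Mock of it6505_get_data_lanes_count(): returns the lane count when it lies in
 * [min, max], -2 when it is out of range, and -1 when the node was already
 * freed (the condition a real use-after-free would hit).
 */
static int mock_get_data_lanes_count(const struct mock_node *np, int min, int max)
{
	if (np->freed)
		return -1;
	if (np->data_lanes < min || np->data_lanes > max)
		return -2;
	return np->data_lanes;
}

/* Buggy ordering from the original code: the reference is dropped before the node is used. */
int parse_dt_buggy(int lanes)
{
	struct mock_node *ep = mock_get_endpoint(lanes);

	mock_node_put(ep);	/* node is freed here */
	if (ep)
		return mock_get_data_lanes_count(ep, 1, 4);	/* stale access */
	return 0;
}

/* Fixed ordering from the patch: the put happens inside the if (ep) block, after the last use. */
int parse_dt_fixed(int lanes)
{
	struct mock_node *ep = mock_get_endpoint(lanes);
	int len = 0;

	if (ep) {
		len = mock_get_data_lanes_count(ep, 1, 4);
		mock_node_put(ep);	/* one get, one put, on the only non-NULL path */
	}
	return len;
}

/* Exposes the node's reference count so the get/put balance can be checked after a call. */
int mock_endpoint_refcount(void)
{
	return g_endpoint.refcount;
}

int main(void)
{
	printf("buggy order, 4 lanes: %d (negative means stale read)\n", parse_dt_buggy(4));
	printf("fixed order, 4 lanes: %d\n", parse_dt_fixed(4));
	printf("fixed order, 8 lanes: %d (out of range)\n", parse_dt_fixed(8));
	printf("refcount after fixed path: %d\n", mock_endpoint_refcount());
	mock_node_put(NULL);	/* NULL put is a no-op, matching the kernel's documented behaviour */
	return 0;
}
```

The negative result from `parse_dt_buggy()` is the model's way of making the stale access visible; in the real driver the same ordering dereferences memory whose only reference was already dropped, which is exactly why the patch moves `of_node_put()` after the last use.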