From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/bridge: it6505: fix use-after-free in it6505_parse_dt() Date: Sun, 12 Apr 2026 13:40:31 +1000 Message-ID: In-Reply-To: <20260407093800.291489-1-vulab@iscas.ac.cn> References: <20260407093800.291489-1-vulab@iscas.ac.cn> <20260407093800.291489-1-vulab@iscas.ac.cn> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **The bug is real.** In the original code, the pattern is: ```c ep =3D of_graph_get_endpoint_by_regs(np, 1, 0); of_node_put(ep); // <-- drops refcount immediately if (ep) { len =3D it6505_get_data_lanes_count(ep, 1, 4); // <-- uses freed node ... ``` `of_graph_get_endpoint_by_regs()` returns a refcounted `device_node`. Calli= ng `of_node_put()` immediately can drop the refcount to zero and free the n= ode, making the subsequent dereference inside the `if (ep)` block a use-aft= er-free. This same pattern occurs twice =E2=80=94 once for endpoint (1,0) a= nd once for endpoint (0,0). **The fix is correct.** The patch moves `of_node_put(ep)` to the end of eac= h `if (ep)` block, after `ep` is no longer needed: ```c ep =3D of_graph_get_endpoint_by_regs(np, 1, 0); if (ep) { len =3D it6505_get_data_lanes_count(ep, 1, 4); ... of_node_put(ep); // <-- moved here, after all uses } else { ... } ``` **Observations:** 1. **The `else` branches don't need `of_node_put()`** =E2=80=94 when `ep` i= s `NULL`, `of_node_put(NULL)` is a documented no-op in the kernel, so omitt= ing it is fine and arguably cleaner. 2. **The fix is applied consistently** to both occurrences of the pattern i= n the function (endpoint regs (1,0) and (0,0)). 3. **Minor nit on the commit message:** The phrase "the node may be freed b= efore being accessed in the if (ep) block" is slightly misleading. `of_node= _put()` *does* drop the reference, and if the refcount reaches zero the nod= e *will* be freed =E2=80=94 it's not just "may be." In practice, `of_graph_= get_endpoint_by_regs()` typically returns a node with refcount 1, so `of_no= de_put()` will free it. A more precise commit message would say "the node i= s freed before being accessed." 4. **Cc: stable is appropriate** given this is a real use-after-free bug, a= nd the `Fixes:` tag correctly identifies commit `380d920b582d` which introd= uced this buggy pattern. 5. **No functional concerns** =E2=80=94 the surrounding logic is unchanged,= and the ref is properly balanced (one `of_graph_get_endpoint_by_regs()` ge= t, one `of_node_put()` put, on the only path where `ep` is non-NULL). **Reviewed-by: Looks good.** The patch correctly fixes a real use-after-fre= e. The only suggestion would be a minor commit message wording improvement = ("is freed" vs "may be freed"), which is not worth a respin. --- Generated by Claude Code Patch Reviewer