From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/bridge: it6505: fix use-after-free in it6505_parse_dt()
Date: Sun, 12 Apr 2026 11:30:02 +1000
Message-ID:
In-Reply-To: <20260409084817.470401-1-vulab@iscas.ac.cn>
References: <20260409084817.470401-1-vulab@iscas.ac.cn> <20260409084817.470401-1-vulab@iscas.ac.cn>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**The identified bug is real.** In the original code:

```c
ep = of_graph_get_endpoint_by_regs(np, 0, 0);
of_node_put(ep);
if (ep) {
	len = of_property_read_variable_u64_array(ep, /* use-after-free */
						  "link-frequencies", &link_frequencies, 0, 1);
```

`of_node_put(ep)` is called before `ep` is used in `of_property_read_variable_u64_array()`. Moving the put after the last use of `ep` is the correct fix for this instance.

**Issue 1 — Unnecessary `of_node_put(ep)` in the `else` branch.** The patch adds:

```c
} else {
	of_node_put(ep);
	dev_err(dev, "error endpoint, use default");
```

The `else` branch is only entered when `ep == NULL`. `of_node_put(NULL)` is a no-op (it checks for NULL internally), so this call is dead code. It's harmless but misleading — it gives the impression that a real reference is being released. This should be removed.

**Issue 2 — Same bug exists at lines 3344–3353 (unfixed).** The exact same use-after-free pattern exists earlier in the function for the *first* endpoint lookup:

```c
ep = of_graph_get_endpoint_by_regs(np, 1, 0);        /* line 3344 */
of_node_put(ep);                                      /* line 3345 — too early! */
if (ep) {
	len = it6505_get_data_lanes_count(ep, 1, 4);      /* line 3348 — use-after-free */
	if (len > 0 && len != 3) {
		of_property_read_u32_array(ep, "data-lanes",  /* line 3351 — use-after-free */
					   data_lanes, len);
```

Here `ep` is used in both `it6505_get_data_lanes_count()` and `of_property_read_u32_array()` after the refcount has already been dropped. A complete fix should address both instances. Since the commit message says "fix use-after-free in it6505_parse_dt()" and the Fixes tag references the commit that introduced *both* patterns, readers would expect both to be fixed.

**Recommendation:** Resubmit with both instances fixed, and drop the no-op `of_node_put(ep)` from the `else` branches. The fix for both should be the same: move `of_node_put(ep)` to inside the `if (ep)` block, after the last use of `ep`.

---
Generated by Claude Code Patch Reviewer
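The put-before-use ordering discussed in the review, as an added, self-contained C model; this is not code from the it6505 driver, the patch under review, or the reviewer. The names `toy_node`, `toy_get_endpoint()`, `toy_node_put()` and `toy_read_property()` are assumptions standing in for `of_graph_get_endpoint_by_regs()`, `of_node_put()` and `of_property_read_*()`: they only keep a refcount and record any access to a node whose last reference has already been dropped, so the buggy and the fixed ordering can be compared side by side, including the NULL case that makes the extra `of_node_put()` in the `else` branch a no-op.

```c
/* Added example: a refcount model of the of_node_put() ordering bug and its fix.
 * The toy_* names are assumptions, not kernel APIs. The model treats the
 * reference returned by the lookup as the only thing keeping the node alive
 * (the worst case), so a put before the last use really does free the node. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct toy_node {
	int refcount;        /* references held by callers */
	bool freed;          /* set when refcount reaches zero */
	int use_after_free;  /* accesses made after the node was freed */
	int link_frequency;  /* constructed sample property value */
};

/* Constructed "device tree": a single endpoint node. */
static struct toy_node endpoint;

static void toy_reset(void)
{
	endpoint.refcount = 0;
	endpoint.freed = false;
	endpoint.use_after_free = 0;
	endpoint.link_frequency = 270000000;  /* constructed value */
}

/* Stand-in for of_graph_get_endpoint_by_regs(): NULL if absent, else a referenced node. */
static struct toy_node *toy_get_endpoint(bool present)
{
	if (!present)
		return NULL;
	endpoint.refcount++;
	return &endpoint;
}

/* Stand-in for of_node_put(): NULL-safe, frees the node on the last put. */
static void toy_node_put(struct toy_node *n)
{
	if (!n)
		return;
	if (--n->refcount == 0)
		n->freed = true;
}

/* Stand-in for of_property_read_*(): touching a freed node is a use-after-free. */
static int toy_read_property(struct toy_node *n, int *out)
{
	if (n->freed) {
		n->use_after_free++;
		return -1;
	}
	*out = n->link_frequency;
	return 0;
}

/* Buggy ordering, as in the reviewed code: the put comes before the use. */
static int parse_buggy(bool present, int *freq)
{
	struct toy_node *ep = toy_get_endpoint(present);

	toy_node_put(ep);                        /* reference dropped too early */
	if (ep)
		return toy_read_property(ep, freq);  /* use-after-free */
	toy_node_put(ep);                        /* no-op on NULL; dead code */
	return -2;
}

/* Fixed ordering: the put sits inside if (ep), after the last use of ep. */
static int parse_fixed(bool present, int *freq)
{
	struct toy_node *ep = toy_get_endpoint(present);
	int ret = -2;

	if (ep) {
		ret = toy_read_property(ep, freq);
		toy_node_put(ep);                    /* last use is above */
	}
	return ret;
}

/* Run one parser against a fresh node and report freed-node accesses. */
static int count_uaf(int (*parse)(bool, int *), bool present)
{
	int freq = 0;

	toy_reset();
	parse(present, &freq);
	return endpoint.use_after_free;
}

/* Run one parser and report references still held afterwards (leak check). */
static int leaked_refs(int (*parse)(bool, int *), bool present)
{
	int freq = 0;

	toy_reset();
	parse(present, &freq);
	return endpoint.refcount;
}

int main(void)
{
	printf("buggy: %d use-after-free, fixed: %d use-after-free\n",
	       count_uaf(parse_buggy, true), count_uaf(parse_fixed, true));
	return 0;
}
```

`count_uaf(parse_buggy, true)` reports one freed-node access and `count_uaf(parse_fixed, true)` none, while `leaked_refs()` is zero for both, which is the property the review asks for: the reference is still released exactly once, only later. With `present == false` neither parser touches a node, which is why the extra put in the `else` branch has no effect.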