From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: fbdev: sm501fb: fix potential memory leak in sm501fb_probe()
Date: Sat, 16 May 2026 11:10:43 +1000
Message-ID:
In-Reply-To: <20260514-fbdev-v1-14-b3a2474fa720@cse.iitm.ac.in>
References: <20260514-fbdev-v1-0-b3a2474fa720@cse.iitm.ac.in> <20260514-fbdev-v1-14-b3a2474fa720@cse.iitm.ac.in>

Patch Review

**Status: Needs revision — potential double-free**

```c
err_alloc:
+#if defined(CONFIG_OF)
+ kfree(info->edid_data);
+#endif
kfree(info);
```

I verified in the source tree that `info->edid_data` is allocated via `kmemdup()` under `#if defined(CONFIG_OF)` in `sm501fb_probe()`. However, I found a critical issue:

**`sm501fb_init_fb()` (called from `sm501fb_start()`) already frees `info->edid_data` in certain code paths without setting it to NULL:**

```c
if (info->edid_data) {
	ret = fb_find_mode(...);
	kfree(info->edid_data);
	/* edid_data is NOT set to NULL here! */
}
```

If `sm501fb_start()` succeeds (calling `sm501fb_init_fb()`, which frees `edid_data`), but a later step like `register_framebuffer()` fails, the error path goes through `err_started` → `err_probed_panel` → `err_probed_crt` → `err_alloc`, which would call `kfree(info->edid_data)` on an already-freed pointer — a **double-free bug**.

**Recommended fix:** Either:

1. Add `info->edid_data = NULL` after the `kfree()` in `sm501fb_init_fb()` as a separate preparatory patch, or
2. Use the `kfree(info->edid_data); info->edid_data = NULL;` pattern both here and in `sm501fb_init_fb()`.

Also, the `#if defined(CONFIG_OF)` guard is unnecessary since `edid_data` is unconditionally defined in `struct sm501fb_info` and `kfree(NULL)` is a no-op. Removing the guard would be cleaner.
--- Generated by Claude Code Patch Reviewer
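The double-free the review describes comes from split ownership: one function frees a buffer without clearing the pointer, and a later error path frees it again. The following is an added example, not code from the sm501fb patch, the review, or the kernel. It models the probe / init_fb / error-unwind sequence in userland C with a small tracking allocator so the second free is counted instead of corrupting the heap; `fb_info`, `init_fb`, `probe_then_fail` and the allocator are stand-ins for the kernel names, and the `clear_ptr` flag switches between the pattern the review quotes and the recommended fix.

```c
/* Added example (not sm501fb or kernel code): a userland model of the
 * kfree-without-NULL pattern the review describes, with a tracking
 * allocator that records double frees instead of performing them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16

/* Tracking allocator state: which pointers are currently live. */
static void *live[MAX_TRACKED];
static int double_frees;

static void *t_alloc(size_t n)
{
	void *p = malloc(n);
	if (!p)
		return NULL;
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	}
	free(p);
	return NULL;
}

/* kfree()-like semantics: NULL is a no-op; a pointer that is not live
 * is a double free, which we record rather than pass to free(). */
static void t_free(void *p)
{
	if (!p)
		return;
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	double_frees++;
}

static void t_reset(void)
{
	for (int i = 0; i < MAX_TRACKED; i++) {
		free(live[i]);
		live[i] = NULL;
	}
	double_frees = 0;
}

struct fb_info {
	char *edid_data;	/* stand-in for sm501fb_info::edid_data */
};

/* Mirrors the quoted sm501fb_init_fb() pattern: the EDID buffer is
 * consumed and freed. clear_ptr == 0 is the pattern as quoted,
 * clear_ptr == 1 is the recommended "free then NULL" fix. */
static void init_fb(struct fb_info *info, int clear_ptr)
{
	if (info->edid_data) {
		t_free(info->edid_data);
		if (clear_ptr)
			info->edid_data = NULL;
	}
}

/* Mirrors the probe flow: allocate edid_data, run init_fb via the
 * start path, then a later step (stand-in for register_framebuffer())
 * fails and we unwind to err_alloc, which frees edid_data and info.
 * Returns the number of double frees observed. */
static int probe_then_fail(int clear_ptr)
{
	t_reset();
	struct fb_info *info = t_alloc(sizeof *info);
	if (!info)
		return -1;
	memset(info, 0, sizeof *info);
	info->edid_data = t_alloc(128);	/* stand-in for kmemdup() of the EDID */
	init_fb(info, clear_ptr);	/* sm501fb_start() -> sm501fb_init_fb() */
	/* register_framebuffer() fails: err_started -> ... -> err_alloc */
	t_free(info->edid_data);	/* the kfree(info->edid_data) from the hunk */
	t_free(info);
	int result = double_frees;
	t_reset();
	return result;
}

int main(void)
{
	printf("kfree without NULLing: %d double free(s)\n", probe_then_fail(0));
	printf("kfree then NULL:       %d double free(s)\n", probe_then_fail(1));
	return 0;
}
```

Run as is and the first variant reports one double free while the second reports none; in the kernel the same sequence would hit the SLUB free-list checks or silently corrupt the heap, which is why the pointer should be cleared at the point where ownership of the buffer ends.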