Commit 4de37a48 authored Aug 29, 2025 by Johan Hovold Committed by Chun-Kuang Hu Sep 10, 2025

drm/mediatek: fix potential OF node use-after-free



The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.

Drop the recently introduced bogus additional reference count decrement
at each iteration that could potentially lead to a use-after-free.

Fixes: 1f403699 ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv")
Cc: Ma Ke <make24@iscas.ac.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250829090345.21075-2-johan@kernel.org/


Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>

parent c3441488

drivers/gpu/drm/mediatek/mtk_drm_drv.c

+5 −6

Original line number	Diff line number	Diff line
		@@ -387,11 +387,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)

		of_id = of_match_node(mtk_drm_of_ids, node);
		if (!of_id)
		goto next_put_node;
		continue;

		pdev = of_find_device_by_node(node);
		if (!pdev)
		goto next_put_node;
		continue;

		drm_dev = device_find_child(&pdev->dev, NULL, mtk_drm_match);
		if (!drm_dev)
		@@ -417,12 +417,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
		next_put_device_pdev_dev:
		put_device(&pdev->dev);

		next_put_node:
		if (cnt == MAX_CRTC) {
		of_node_put(node);

		if (cnt == MAX_CRTC)
		break;
		}
		}

		if (drm_priv->data->mmsys_dev_num == cnt) {
		for (i = 0; i < cnt; i++)