The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.

Drop the recently introduced bogus additional reference count decrement
at each iteration that could potentially lead to a use-after-free.

Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv")
Cc: Ma Ke <make24@iscas.ac.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 34131ae2c207..3b02ed0a16da 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -388,11 +388,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
 
 		of_id = of_match_node(mtk_drm_of_ids, node);
 		if (!of_id)
-			goto next_put_node;
+			continue;
 
 		pdev = of_find_device_by_node(node);
 		if (!pdev)
-			goto next_put_node;
+			continue;
 
 		drm_dev = device_find_child(&pdev->dev, NULL, mtk_drm_match);
 		if (!drm_dev)
@@ -418,11 +418,10 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
 next_put_device_pdev_dev:
 		put_device(&pdev->dev);
 
-next_put_node:
-		of_node_put(node);
-
-		if (cnt == MAX_CRTC)
+		if (cnt == MAX_CRTC) {
+			of_node_put(node);
 			break;
+		}
 	}
 
 	if (drm_priv->data->mmsys_dev_num == cnt) {
-- 
2.49.1

On Fri, 2025-08-29 at 11:03 +0200, Johan Hovold wrote:
> External email : Please do not click links or open attachments until you have verified the sender or the content.
> 
> 
> The for_each_child_of_node() helper drops the reference it takes to each
> node as it iterates over children and an explicit of_node_put() is only
> needed when exiting the loop early.
> 
> Drop the recently introduced bogus additional reference count decrement
> at each iteration that could potentially lead to a use-after-free.

Reviewed-by: CK Hu <ck.hu@mediatek.com>

> 
> Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv")
> Cc: Ma Ke <make24@iscas.ac.cn>
> Cc: stable@vger.kernel.org
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +++++------
>  1 file changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> index 34131ae2c207..3b02ed0a16da 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> @@ -388,11 +388,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
> 
>                 of_id = of_match_node(mtk_drm_of_ids, node);
>                 if (!of_id)
> -                       goto next_put_node;
> +                       continue;
> 
>                 pdev = of_find_device_by_node(node);
>                 if (!pdev)
> -                       goto next_put_node;
> +                       continue;
> 
>                 drm_dev = device_find_child(&pdev->dev, NULL, mtk_drm_match);
>                 if (!drm_dev)
> @@ -418,11 +418,10 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev)
>  next_put_device_pdev_dev:
>                 put_device(&pdev->dev);
> 
> -next_put_node:
> -               of_node_put(node);
> -
> -               if (cnt == MAX_CRTC)
> +               if (cnt == MAX_CRTC) {
> +                       of_node_put(node);
>                         break;
> +               }
>         }
> 
>         if (drm_priv->data->mmsys_dev_num == cnt) {
> --
> 2.49.1
>