From: Johan Hovold
To: Chun-Kuang Hu, Philipp Zabel
Cc: David Airlie, Simona Vetter, Matthias Brugger, AngeloGioacchino Del Regno, Ma Ke, dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Johan Hovold, stable@vger.kernel.org
Subject: [PATCH 1/2] drm/mediatek: fix potential OF node use-after-free
Date: Fri, 29 Aug 2025 11:03:44 +0200
Message-ID: <20250829090345.21075-2-johan@kernel.org>
In-Reply-To: <20250829090345.21075-1-johan@kernel.org>
References: <20250829090345.21075-1-johan@kernel.org>

The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.

Drop the recently introduced bogus additional reference count decrement
at each iteration that could potentially lead to a use-after-free.

Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv")
Cc: Ma Ke
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold
Reviewed-by: AngeloGioacchino Del Regno
Reviewed-by: CK Hu
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/media= tek/mtk_drm_drv.c index 34131ae2c207..3b02ed0a16da 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c 
@@ -388,11 +388,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *d= ev) =20 of_id =3D of_match_node(mtk_drm_of_ids, node); if (!of_id) - goto next_put_node; + continue; =20 pdev =3D of_find_device_by_node(node); if (!pdev) - goto next_put_node; + continue; =20 drm_dev =3D device_find_child(&pdev->dev, NULL, mtk_drm_match); if (!drm_dev) 
@@ -418,11 +418,10 @@ static bool mtk_drm_get_all_drm_priv(struct device *d= ev) next_put_device_pdev_dev: put_device(&pdev->dev); =20 -next_put_node: - of_node_put(node); - - if (cnt =3D=3D MAX_CRTC) + if (cnt =3D=3D MAX_CRTC) { + of_node_put(node); break; + } } =20 if (drm_priv->data->mmsys_dev_num =3D=3D cnt) { --=20 2.49.1
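Review bot: In the [PATCH 1/2] hunk at @@ -418, the `of_node_put(node)` placed before `break` is now the only manual reference drop on `node` in the loop, and nothing at that spot says why it is required there but not at the two `continue` sites changed in the hunk at @@ -388. A one-line comment stating that the iterator only drops the reference when it advances, so an early exit has to do it, would keep the next cleanup from reintroducing an unbalanced put. Alternatively, consider for_each_child_of_node_scoped(), which would let the `break` stand alone and remove the manual put entirely.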

From: Johan Hovold
To: Chun-Kuang Hu, Philipp Zabel
Cc: David Airlie, Simona Vetter, Matthias Brugger, AngeloGioacchino Del Regno, Ma Ke, dri-devel@lists.freedesktop.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Johan Hovold
Subject: [PATCH 2/2] drm/mediatek: clean up driver data initialisation
Date: Fri, 29 Aug 2025 11:03:45 +0200
Message-ID: <20250829090345.21075-3-johan@kernel.org>
In-Reply-To: <20250829090345.21075-1-johan@kernel.org>
References: <20250829090345.21075-1-johan@kernel.org>

The platform and drm devices are only used to look up the drm device and
its driver data respectively when initialising the driver data during
bind().

Drop the reference counts as soon as they have been used to make the
code more readable.

Note that the crtc count is never incremented on lookup failures.

Signed-off-by: Johan Hovold
Reviewed-by: AngeloGioacchino Del Regno
Reviewed-by: CK Hu
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/media= tek/mtk_drm_drv.c index 3b02ed0a16da..33b83576af7e 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -395,12 +395,14 @@ static bool mtk_drm_get_all_drm_priv(struct device *d= ev) continue; =20 drm_dev =3D device_find_child(&pdev->dev, NULL, mtk_drm_match); + put_device(&pdev->dev); if (!drm_dev) - goto next_put_device_pdev_dev; + continue; =20 temp_drm_priv =3D dev_get_drvdata(drm_dev); + put_device(drm_dev); if (!temp_drm_priv) - goto next_put_device_drm_dev; + continue; =20 if (temp_drm_priv->data->main_len) all_drm_priv[CRTC_MAIN] =3D temp_drm_priv; @@ -412,12 +414,6 @@ static bool mtk_drm_get_all_drm_priv(struct device *de= v) if (temp_drm_priv->mtk_drm_bound) cnt++; =20 -next_put_device_drm_dev: - put_device(drm_dev); - -next_put_device_pdev_dev: - put_device(&pdev->dev); - if (cnt =3D=3D MAX_CRTC) { of_node_put(node); break; --=20 2.49.1
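Review bot: In the [PATCH 2/2] hunk at @@ -395, `temp_drm_priv` is dereferenced (`temp_drm_priv->data->main_len`, and `temp_drm_priv->mtk_drm_bound` in the following hunk) after `put_device(drm_dev)` has already run, whereas before this change the put came after those accesses. The commit message gives readability as the motivation; it should also state what keeps the driver data valid once the device reference is dropped, especially as the pointer is also stored in `all_drm_priv[]`. If the answer is that the lookup only happens during bind(), a short comment above `put_device(drm_dev)` saying so would make that explicit.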