From nobody Mon Jun 15 00:04:01 2026
Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81])
	(using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2889B30CD82;
	Tue,  7 Apr 2026 08:46:53 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=159.226.251.81
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775551617; cv=none;
 b=Xq9kHhkyvjwmM8wNF5mkuLZF51dalhGw7tUO3cd3AtAwp88ZPQiwfZgz9sfv+Iru6SMwfqsGtIZbXylgP6oHUKJEPy5S9jnMRvaMivyDlrR7rIuP4rqle9G0GhQrLgCjLnlqDGTwqBuT+v/eebxfuIJiP6fXUQ2HlJ3dgMROISw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775551617; c=relaxed/simple;
	bh=WScGkQHvR7DFG40Qml3fjW2R7irgKbJ7gjaxBc7tTVM=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=N5nl0YzQ3frM2Af1v9um90g/hBqkmZ3s090Irff87LqXSkSfOrNHzLmNRuduooqnsxx7vxRJOcldzYbFOwdPc9j9eTWUrue0do2f5dBpsnRkOa7fUEYGN1oq+Zwd6OrpXUrsv0wqc9Hvak8nCZKtdzUo26UB4sEr0ylRe/hWdDM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn;
 spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=iscas.ac.cn
Received: from dfae2b116770.home.arpa (unknown [124.16.138.129])
	by APP-03 (Coremail) with SMTP id rQCowACXueB4xNRpdqk5DQ--.4556S2;
	Tue, 07 Apr 2026 16:46:48 +0800 (CST)
From: Wentao Liang <vulab@iscas.ac.cn>
To: Thierry Reding <thierry.reding@gmail.com>,
	Mikko Perttunen <mperttunen@nvidia.com>,
	David Airlie <airlied@gmail.com>,
	Simona Vetter <simona@ffwll.ch>,
	Jonathan Hunter <jonathanh@nvidia.com>
Cc: dri-devel@lists.freedesktop.org,
	linux-tegra@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Wentao Liang <vulab@iscas.ac.cn>,
	stable@vger.kernel.org
Subject: [PATCH] drm/tegra: rgb: Fix use-after-free and leak in
 tegra_dc_rgb_probe()
Date: Tue,  7 Apr 2026 08:46:29 +0000
Message-Id: <20260407084629.283151-1-vulab@iscas.ac.cn>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-CM-TRANSID: rQCowACXueB4xNRpdqk5DQ--.4556S2
X-Coremail-Antispam: 1UD129KBjvdXoWrZw45uryDGrWxCF1ktr1DZFb_yoWkAwb_CF
	4UXrZ7Wr1SqFs5Ar17CrW3ZrZIkFn09r40qa1xta4fK3y7WF4UXFyq9rn8ZryUWan7KFnx
	Ja1vvF4a9r47KjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
	9fnUUIcSsGvfJTRUUUbTkFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG
	6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w
	A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Cr0_
	Gr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s
	0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xII
	jxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr
	1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF7I0E8cxa
	n2IY04v7MxkF7I0En4kS14v26r1q6r43MxkIecxEwVAFwVW8ZwCF04k20xvY0x0EwIxGrw
	CFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE
	14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2
	IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxK
	x2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI
	0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUhTmhUUUUU=
X-CM-SenderInfo: pyxotu46lvutnvoduhdfq/1tbiBwsKA2nUmXe1mgAAs5
Content-Type: text/plain; charset="utf-8"

Move the of_device_is_available() check before devm_add_action_or_reset()
to avoid using np after it may have been freed (if the action registration
fails). Also release np immediately when the device is not available to
prevent a reference leak.

Fixes: 3c3642335065 ("drm/tegra: rgb: Fix the unbound reference count")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/gpu/drm/tegra/rgb.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
index ff5a749710db..d7586fc820ce 100644
--- a/drivers/gpu/drm/tegra/rgb.c
+++ b/drivers/gpu/drm/tegra/rgb.c
@@ -215,13 +215,15 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
 	if (!np)
 		return -ENODEV;
=20
+	if (!of_device_is_available(np)) {
+		of_node_put(np);
+		return -ENODEV;
+	}
+
 	err =3D devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
 	if (err < 0)
 		return err;
=20
-	if (!of_device_is_available(np))
-		return -ENODEV;
-
 	rgb =3D devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
 	if (!rgb)
 		return -ENOMEM;
--=20
2.34.1