Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:

Pre-existing issues:
- [High] Dropping `private->mutex_node` on bind deferral causes Use-After-Free 
on retry and double-free in remove.
--

commit f75632ba90679309b109146f80c6f864e8f03801
Author: WenTao Liang <[email protected]>
drm/mediatek: fix of_node leak in mtk_drm_probe loop

This commit prevents leaking of_node references in the mtk_drm_probe
loop by properly dropping previously stored references before overwriting
them for the same index.

> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c 
> b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> index c86a3f54f35bc..58860f7071a9e 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c

[ ... ]

[Severity: High]
This is a pre-existing issue, but while reviewing the lifecycle of
private->mutex_node managed in this patch, I noticed a potential problem in
mtk_drm_bind() in drivers/gpu/drm/mediatek/mtk_drm_drv.c:

        pdev = of_find_device_by_node(private->mutex_node);
        if (!pdev) {
                dev_err(dev, "Waiting for disp-mutex device %pOF\n",
                        private->mutex_node);
                of_node_put(private->mutex_node);
                return -EPROBE_DEFER;
        }

Since private->mutex_node is a persistent reference acquired in
mtk_drm_probe(), does dropping it on this -EPROBE_DEFER error path lead
to a use-after-free when the component framework retries the bind operation
and accesses it again?

Furthermore, since mtk_drm_remove() unconditionally cleans up this reference,
would this early drop also result in a double-free during teardown?

-- 
Sashiko AI review · 
https://sashiko.dev/#/patchset/[email protected]?part=1
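
Added example, not part of the review e-mail or of the mediatek driver: a userspace C model of the reference lifecycle the review asks about (probe, a deferred bind, a retried bind, remove), counting accesses and puts that happen after the last reference is gone. It assumes the reference stored in probe is the only one held on the node; the struct layouts, model_bind, run_lifecycle and the drop_on_defer switch are hypothetical names.

```c
#include <stdio.h>
#define MODEL_EPROBE_DEFER 517  /* same value as the kernel's EPROBE_DEFER */

/* Stand-in for struct device_node: counted, never actually freed here. */
struct node { int refcount, released, bad_puts; };
struct priv { struct node *mutex_node; };
struct result { int stale_uses, bad_puts; };

static void node_put(struct node *n)
{
    if (n->released)
        n->bad_puts++;              /* put after the node was released */
    else if (--n->refcount == 0)
        n->released = 1;
}

static int model_bind(struct priv *p, int ready, int drop_on_defer, int *stale)
{
    if (p->mutex_node->released)
        (*stale)++;                 /* lookup through a released node */
    if (!ready) {
        if (drop_on_defer)
            node_put(p->mutex_node);    /* the put on the deferral path */
        return -MODEL_EPROBE_DEFER;
    }
    return 0;
}

/* probe, bind (deferred), bind (retry succeeds), remove */
static struct result run_lifecycle(int drop_on_defer)
{
    struct node n = { 0, 0, 0 };
    struct priv p;
    struct result r = { 0, 0 };
    n.refcount++;                   /* probe: one persistent reference, */
    p.mutex_node = &n;              /* assumed to be the only one       */
    if (model_bind(&p, 0, drop_on_defer, &r.stale_uses) == -MODEL_EPROBE_DEFER)
        model_bind(&p, 1, drop_on_defer, &r.stale_uses);
    node_put(p.mutex_node);         /* remove drops the probe reference */
    r.bad_puts = n.bad_puts;
    return r;
}

int main(void)
{
    struct result a = run_lifecycle(1), b = run_lifecycle(0);
    printf("drop on defer: stale=%d bad_puts=%d\n", a.stale_uses, a.bad_puts);
    printf("keep on defer: stale=%d bad_puts=%d\n", b.stale_uses, b.bad_puts);
    return 0;
}
```

In the model, dropping the reference on deferral yields one stale access on the retry and one extra put in remove; keeping it until remove yields neither.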
