Re: [PATCH] drm/logicvc: Fix layer_node reference leak in logicvc_layers_init()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Use-after-free on DRM mode objects (plane, CRTC) due to `devm_kzalloc` memory allocation combined with `drmm_mode_config_init` lifecycle management, and incorrect explicit freeing via `devm_kfree()`.
--

commit 0b8e61159a658d64dd9da573a68be2d6791f659b
Author: Jason Xiang <jx@jasonxiang.net>

drm/logicvc: Fix layer_node reference leak in logicvc_layers_init()

This commit fixes a reference leak on layer_node in the error path of
logicvc_layers_init() by adding an of_node_put() call.

> diff --git a/drivers/gpu/drm/logicvc/logicvc_layer.c b/drivers/gpu/drm/logicvc/logicvc_layer.c
> index 7f5ba000188ab..e83a2aafed779 100644
> --- a/drivers/gpu/drm/logicvc/logicvc_layer.c
> +++ b/drivers/gpu/drm/logicvc/logicvc_layer.c
> @@ -613,6 +613,7 @@ int logicvc_layers_init(struct logicvc_drm *logicvc)
>  
>  		ret = logicvc_layer_init(logicvc, layer_node, index);
>  		if (ret) {
> +			of_node_put(layer_node);
>  			of_node_put(layers_node);
>  			goto error;

[Severity: High]
This isn't a bug introduced by this patch, but does jumping to this error
label cause a use-after-free on DRM mode objects?

Looking at logicvc_layer_init(), layers are allocated with devm_kzalloc():

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layer_init() {
	...
	layer = devm_kzalloc(dev, sizeof(*layer), GFP_KERNEL);
	...
	ret = drm_universal_plane_init(drm_dev, &layer->drm_plane, ...);
	...
}

If an error occurs in logicvc_layers_init() after some layers are
successfully initialized, it jumps to the error label:

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layers_init() {
	...
error:
	list_for_each_entry_safe(layer, next, &logicvc->layers_list, list)
		logicvc_layer_fini(logicvc, layer);
	...
}

Then logicvc_layer_fini() explicitly frees the layer memory using devm_kfree():

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layer_fini() {
	...
	list_del(&layer->list);
	devm_kfree(dev, layer);
}

Since the layer was registered with drm_universal_plane_init(), manually
freeing the layer without calling drm_plane_cleanup() leaves a dangling
pointer in drm_dev->mode_config.plane_list.

Additionally, on driver unbind or probe unwind, devres cleans up memory
before drmm_mode_config_init() runs its cleanup, which could iterate over
freed objects. A similar pattern appears to exist for the CRTC allocation
in logicvc_crtc_init().

Does this driver need to be updated to use drmm_universal_plane_alloc() and
similar drmm_* helpers to safely tie the object lifecycles to the DRM device
instead of devres?

>  		}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260625023359.26011-1-jx@jasonxiang.net?part=1