* [PATCH] drm/logicvc: Fix layer_node reference leak in logicvc_layers_init()
From: Jason Xiang @ 2026-06-25 2:33 UTC (permalink / raw)
To: Paul Kocialkowski, dri-devel
Cc: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie,
Simona Vetter, linux-kernel, Jason Xiang

for_each_child_of_node() returns each child node with its reference
count incremented, so breaking out of the loop early requires
dropping the reference on the current node. In logicvc_layers_init(),
when logicvc_layer_init() fails, the error path releases the parent
"layers" node but not the child node 'layer_node' that the loop is
currently holding, leaking its reference. The leak has been present
since the driver was introduced.

Release 'layer_node' before jumping to the error label.

Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
Signed-off-by: Jason Xiang <jx@jasonxiang.net>
---
drivers/gpu/drm/logicvc/logicvc_layer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/logicvc/logicvc_layer.c b/drivers/gpu/drm/logicvc/logicvc_layer.c
index 7f5ba000188a..e83a2aafed77 100644
--- a/drivers/gpu/drm/logicvc/logicvc_layer.c
+++ b/drivers/gpu/drm/logicvc/logicvc_layer.c
@@ -613,6 +613,7 @@ int logicvc_layers_init(struct logicvc_drm *logicvc)
ret = logicvc_layer_init(logicvc, layer_node, index);
if (ret) {
+ of_node_put(layer_node);
of_node_put(layers_node);
goto error;
}
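Review bot: the new of_node_put(layer_node) in the `if (ret)` branch covers only this one early exit, and the hunk does not show whether the loop body has any other goto, break or return that leaves with the child reference still held. Please confirm this is the only such exit, or convert the loop to for_each_child_of_node_scoped() so the child reference is dropped automatically on every early exit and this branch keeps only of_node_put(layers_node).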
base-commit: f0e6f20cb52b14c2c441f04e21cef0c95d498cac
--
2.50.1
* Re: [PATCH] drm/logicvc: Fix layer_node reference leak in logicvc_layers_init()
From: sashiko-bot @ 2026-06-25 2:44 UTC (permalink / raw)
To: Jason Xiang; +Cc: dri-devel
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-after-free on DRM mode objects (plane, CRTC) due to `devm_kzalloc` memory allocation combined with `drmm_mode_config_init` lifecycle management, and incorrect explicit freeing via `devm_kfree()`.
--
commit 0b8e61159a658d64dd9da573a68be2d6791f659b
Author: Jason Xiang <jx@jasonxiang.net>
drm/logicvc: Fix layer_node reference leak in logicvc_layers_init()
This commit fixes a reference leak on layer_node in the error path of
logicvc_layers_init() by adding an of_node_put() call.
> diff --git a/drivers/gpu/drm/logicvc/logicvc_layer.c b/drivers/gpu/drm/logicvc/logicvc_layer.c
> index 7f5ba000188ab..e83a2aafed779 100644
> --- a/drivers/gpu/drm/logicvc/logicvc_layer.c
> +++ b/drivers/gpu/drm/logicvc/logicvc_layer.c
> @@ -613,6 +613,7 @@ int logicvc_layers_init(struct logicvc_drm *logicvc)
>
> ret = logicvc_layer_init(logicvc, layer_node, index);
> if (ret) {
> + of_node_put(layer_node);
> of_node_put(layers_node);
> goto error;

[Severity: High]
This isn't a bug introduced by this patch, but does jumping to this error
label cause a use-after-free on DRM mode objects?

Looking at logicvc_layer_init(), layers are allocated with devm_kzalloc():

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layer_init() {
    ...
    layer = devm_kzalloc(dev, sizeof(*layer), GFP_KERNEL);
    ...
    ret = drm_universal_plane_init(drm_dev, &layer->drm_plane, ...);
    ...
}

If an error occurs in logicvc_layers_init() after some layers are
successfully initialized, it jumps to the error label:

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layers_init() {
    ...
error:
    list_for_each_entry_safe(layer, next, &logicvc->layers_list, list)
        logicvc_layer_fini(logicvc, layer);
    ...
}

Then logicvc_layer_fini() explicitly frees the layer memory using devm_kfree():

drivers/gpu/drm/logicvc/logicvc_layer.c:logicvc_layer_fini() {
    ...
    list_del(&layer->list);
    devm_kfree(dev, layer);
}

Since the layer was registered with drm_universal_plane_init(), manually
freeing the layer without calling drm_plane_cleanup() leaves a dangling
pointer in drm_dev->mode_config.plane_list.

Additionally, on driver unbind or probe unwind, devres cleans up memory
before drmm_mode_config_init() runs its cleanup, which could iterate over
freed objects. A similar pattern appears to exist for the CRTC allocation
in logicvc_crtc_init().

Does this driver need to be updated to use drmm_universal_plane_alloc() and
similar drmm_* helpers to safely tie the object lifecycles to the DRM device
instead of devres?

> }
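Review bot: `layer_node` is handed to logicvc_layer_init() on the line just above the new put, so the commit message should state that the callee neither keeps the node pointer nor drops a reference itself when it fails. If it does either, the added of_node_put(layer_node) in this branch becomes an unbalanced put instead of a leak fix.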
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260625023359.26011-1-jx@jasonxiang.net?part=1