From: sashiko-bot@kernel.org
To: "Luca Ceresoli" <luca.ceresoli@bootlin.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH 22/37] drm/bridge: initialize chain_node list head on detach and attach errors
Date: Tue, 19 May 2026 11:17:06 +0000 [thread overview]
Message-ID: <20260519111706.72A18C2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260519-drm-bridge-hotplug-v1-22-45e2bdb3dfb4@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Data race and NULL pointer dereference in drm_bridge_attach() error path during dynamic hotplug
--
commit b83693320d718d054d9327b487d4044213901c1e
Author: Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/bridge: initialize chain_node list head on detach and attach errors
This commit updates drm_bridge_detach() and the error path of
drm_bridge_attach() to use list_del_init() instead of list_del(). This
ensures the bridge chain_node list head is clearly empty when detached,
preventing double-detach issues during hotplug operations.
> diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c
> index f179e00745b7c..5b89168411aa0 100644
> --- a/drivers/gpu/drm/drm_bridge.c
> +++ b/drivers/gpu/drm/drm_bridge.c
> @@ -598,7 +598,7 @@ int drm_bridge_attach(struct drm_encoder *encoder, struct drm_bridge *bridge,
> bridge->dev = NULL;
> bridge->encoder = NULL;
> mutex_lock(&encoder->bridge_chain_mutex);
> - list_del(&bridge->chain_node);
> + list_del_init(&bridge->chain_node);
> mutex_unlock(&encoder->bridge_chain_mutex);
This is an existing issue not introduced by this patch, but since dynamic
bridge hotplugging support is being introduced, can this sequence cause a NULL
pointer dereference?
In this error path, bridge->dev and bridge->encoder are cleared to NULL
outside the encoder->bridge_chain_mutex critical section, while the bridge
is still linked into the encoder->bridge_chain.
If drm_bridge_attach() is executed at runtime and fails, a concurrent
userspace atomic modeset iterating over encoder->bridge_chain could observe
the bridge with bridge->encoder == NULL. Drivers typically use this to
fetch the connector:
connector = drm_atomic_get_new_connector_for_encoder(state, bridge->encoder);
If bridge->encoder is NULL, this returns a NULL connector, which could lead
to a crash when calling drm_connector_index(connector).
Should the field assignments be moved inside the mutex-protected block, or
after the bridge is removed from the list?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-drm-bridge-hotplug-v1-0-45e2bdb3dfb4@bootlin.com?part=22
next prev parent reply other threads:[~2026-05-19 11:17 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 10:37 [PATCH 00/37] drm bridge hotplug Luca Ceresoli
2026-05-19 10:37 ` [PATCH 01/37] drm/connector: split drmm_connector_hdmi_init() in 3 parts Luca Ceresoli
2026-06-08 11:37 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 02/37] drm/connector: add drm_connector_hdmi_dynamic_init() Luca Ceresoli
2026-05-19 11:04 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 03/37] drm/display: bridge-connector: rename variable for consistency Luca Ceresoli
2026-05-19 10:37 ` [PATCH 04/37] drm/display: bridge-connector: store the drm_device pointer Luca Ceresoli
2026-06-08 11:34 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 05/37] drm/display: bridge-connector: split code creating the connector to a subfunction Luca Ceresoli
2026-06-08 11:40 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 06/37] drm/display: bridge-connector: use a drm_bridge_connector internally, not a drm_connector Luca Ceresoli
2026-06-08 11:41 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 07/37] drm/display: bridge-connector: extract drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 11:01 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 08/37] drm/display: bridge-connector: return int from drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 10:58 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 09/37] drm/display: bridge-connector: extract drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 10/37] drm/display: bridge-connector: return int from drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 11/37] drm/display: bridge-connector: return int from drm_bridge_connector_add_connector() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 12/37] drm/display: bridge-connector: hoist error management to common code Luca Ceresoli
2026-05-19 10:37 ` [PATCH 13/37] drm/display: bridge-connector: move drm_bridge_connector_put_bridges() definition eariler Luca Ceresoli
2026-05-19 10:37 ` [PATCH 14/37] drm/display: bridge-connector: add non-drmm variant of drm_bridge_connector_put_bridges() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 15/37] drm/display: bridge-connector: allocate the connector dynamically Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-06-08 11:46 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 16/37] drm/display: bridge-connector: move per-connector fields to the dynamic connector Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 17/37] drm/display: bridge-connector: protect dynconn creation and destruction with a mutex Luca Ceresoli
2026-05-19 11:18 ` sashiko-bot
2026-06-08 11:49 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 18/37] drm/bridge: samsung-dsim: remove the panel_bridge on host_detach Luca Ceresoli
2026-06-08 11:53 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 19/37] drm/bridge: samsung-dsim: move drm_bridge_add() call to probe Luca Ceresoli
2026-05-19 11:16 ` sashiko-bot
2026-06-08 11:58 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 20/37] drm/bridge: samsung-dsim: attach: return -EPROBE_DEFER is next bridge not yet available Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 21/37] drm/bridge: initialize chain_node list head on allocation Luca Ceresoli
2026-05-19 10:37 ` [PATCH 22/37] drm/bridge: initialize chain_node list head on detach and attach errors Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot [this message]
2026-05-19 10:37 ` [PATCH 23/37] drm/encoder: add drm_encoder_cleanup_from() Luca Ceresoli
2026-05-19 11:14 ` sashiko-bot
2026-06-08 12:10 ` Maxime Ripard
2026-06-09 10:10 ` Luca Ceresoli
2026-06-09 12:43 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 24/37] drm/atomic: move drm_atomic_helper_disable_all() and drm_atomic_helper_shutdown() from drm_atomic_helper to drm_atomic Luca Ceresoli
2026-05-19 10:57 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 25/37] drm/bridge: shutdown and cleanup on bridge unplug Luca Ceresoli
2026-05-19 11:09 ` sashiko-bot
2026-06-08 12:07 ` Maxime Ripard
2026-06-09 9:31 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 26/37] drm: event-notifier: add mechanism to notify about hotplug events Luca Ceresoli
2026-05-19 11:06 ` sashiko-bot
2026-06-08 12:13 ` Maxime Ripard
2026-06-09 9:30 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 27/37] drm/bridge: notify about detached bridges Luca Ceresoli
2026-05-19 11:32 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 28/37] drm/mipi-dsi: turn DRM_MIPI_DSI into a tristate Luca Ceresoli
2026-05-19 11:07 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 29/37] drm/mipi-dsi: notify about DSI attach Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 30/37] drm/bridge: add drm_bridge_is_tail() to know whether a bridge completes the pipeline Luca Ceresoli
2026-05-19 10:59 ` sashiko-bot
2026-06-08 12:34 ` Maxime Ripard
2026-06-09 8:23 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 31/37] drm/bridge: panel: implement .is_tail Luca Ceresoli
2026-05-19 15:12 ` Neil Armstrong
2026-05-19 10:37 ` [PATCH 32/37] drm/bridge: display-connector: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 33/37] drm/bridge: samsung-dsim: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 34/37] drm/bridge: ti-sn65dsi83: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 35/37] drm/bridge: drm_bridge_attach(): don't fail on -EPROBE_DEFER Luca Ceresoli
2026-05-19 11:21 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 36/37] drm/display: bridge-connector: handle bridge hotplug Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 37/37] drm/mxsfb/lcdif: enable " Luca Ceresoli
2026-05-19 11:33 ` sashiko-bot
2026-06-01 15:44 ` [PATCH 00/37] drm " Luca Ceresoli
2026-06-09 7:47 ` Luca Ceresoli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519111706.72A18C2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=luca.ceresoli@bootlin.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.