From: sashiko-bot@kernel.org
To: "Luca Ceresoli" <luca.ceresoli@bootlin.com>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH 16/37] drm/display: bridge-connector: move per-connector fields to the dynamic connector
Date: Tue, 19 May 2026 11:17:26 +0000 [thread overview]
Message-ID: <20260519111726.AB5ADC2BCB8@smtp.kernel.org> (raw)
In-Reply-To: <20260519-drm-bridge-hotplug-v1-16-45e2bdb3dfb4@bootlin.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] HPD and OOB hotplug events are misrouted to the newest dynamic connector and can cause a NULL pointer dereference.
- [High] Use-After-Free due to drmm_ CEC registration for dynamically freed connectors.
- [Medium] Memory leak of bridge references on error path in drm_bridge_connector_add_connector().
--
commit 2da47a06a9f55cba5481389b325a75953c4b3912
Author: Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/display: bridge-connector: move per-connector fields to the dynamic connector
This commit moves various bridge pointers and the hdmi_funcs pointer from
struct drm_bridge_connector to struct drm_bridge_connector_dynconn. This
ensures these fields share the same allocation and lifetime as the
dynamically-created connector they reference, in preparation for bridge
hotplugging support.
> --- a/drivers/gpu/drm/display/drm_bridge_connector.c
> +++ b/drivers/gpu/drm/display/drm_bridge_connector.c
> @@ -225,7 +228,9 @@ static void drm_bridge_connector_enable_hpd(struct drm_connector *connector)
> {
> struct drm_bridge_connector *bridge_connector =
> to_drm_bridge_connector(connector);
> - struct drm_bridge *hpd = bridge_connector->bridge_hpd;
> + struct drm_bridge_connector_dynconn *dynconn =
> + to_drm_bridge_connector_dynconn(connector);
> + struct drm_bridge *hpd = dynconn->bridge_hpd;
>
> if (hpd)
> drm_bridge_hpd_enable(hpd, drm_bridge_connector_hpd_cb,
> bridge_connector);
> }
Does registering bridge_connector as the callback data here cause hotplug
detection events to be misrouted?
When an event fires, the handler resolves the target via
&bridge_connector->dynconn->connector. If multiple dynamic connectors are
created concurrently, bridge_connector->dynconn will point to the most
recently created one, potentially corrupting the state of a newer connector.
Additionally, if bridge_connector->dynconn has been set to NULL (such as
after a hot-unplug), could this path trigger a NULL pointer dereference when
the callback accesses connector->status?
[ ... ]
> @@ -320,7 +325,7 @@ static void drm_bridge_connector_dynconn_destroy(struct drm_connector *connector
> container_of(connector, struct drm_bridge_connector_dynconn, connector);
>
> drm_connector_cleanup(connector);
> - drm_bridge_connector_put_bridges(dynconn->bridge_connector);
> + drm_bridge_connector_put_bridges(dynconn);
> kfree(dynconn);
> }
Since drm_bridge_connector_init_hdmi_audio_cec() registers components using
drmm_connector_hdmi_cec_notifier_register() and
drmm_connector_hdmi_cec_register(), the cleanup actions are deferred and
bound to the global drm_device (connector->dev).
Because the connector is explicitly freed here via kfree(dynconn), will
the delayed drmm_ actions dereference the freed connector pointer when the
drm_device is eventually torn down, leading to a use-after-free regression?
[ ... ]
> @@ -841,26 +845,26 @@ static int drm_bridge_connector_get_bridges(struct drm_bridge_connector_dynconn
> * Ensure the last bridge declares OP_EDID or OP_MODES or both.
> */
> if (bridge->ops & DRM_BRIDGE_OP_EDID || bridge->ops & DRM_BRIDGE_OP_MODES) {
> - drm_bridge_put(bridge_connector->bridge_edid);
> - bridge_connector->bridge_edid = NULL;
> - drm_bridge_put(bridge_connector->bridge_modes);
> - bridge_connector->bridge_modes = NULL;
> + drm_bridge_put(dynconn->bridge_edid);
> + dynconn->bridge_edid = NULL;
> + drm_bridge_put(dynconn->bridge_modes);
> + dynconn->bridge_modes = NULL;
>
> if (bridge->ops & DRM_BRIDGE_OP_EDID)
> - bridge_connector->bridge_edid = drm_bridge_get(bridge);
> + dynconn->bridge_edid = drm_bridge_get(bridge);
When this function populates these bridge references in dynconn, if it later
encounters an error (like returning -EINVAL for missing callbacks), the
caller drm_bridge_connector_add_connector() will free dynconn without calling
drm_bridge_connector_put_bridges().
Could this regression result in leaking these newly acquired bridge references
on the error path?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-drm-bridge-hotplug-v1-0-45e2bdb3dfb4@bootlin.com?part=16
next prev parent reply other threads:[~2026-05-19 11:17 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 10:37 [PATCH 00/37] drm bridge hotplug Luca Ceresoli
2026-05-19 10:37 ` [PATCH 01/37] drm/connector: split drmm_connector_hdmi_init() in 3 parts Luca Ceresoli
2026-06-08 11:37 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 02/37] drm/connector: add drm_connector_hdmi_dynamic_init() Luca Ceresoli
2026-05-19 11:04 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 03/37] drm/display: bridge-connector: rename variable for consistency Luca Ceresoli
2026-05-19 10:37 ` [PATCH 04/37] drm/display: bridge-connector: store the drm_device pointer Luca Ceresoli
2026-06-08 11:34 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 05/37] drm/display: bridge-connector: split code creating the connector to a subfunction Luca Ceresoli
2026-06-08 11:40 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 06/37] drm/display: bridge-connector: use a drm_bridge_connector internally, not a drm_connector Luca Ceresoli
2026-06-08 11:41 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 07/37] drm/display: bridge-connector: extract drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 11:01 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 08/37] drm/display: bridge-connector: return int from drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 10:58 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 09/37] drm/display: bridge-connector: extract drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 10/37] drm/display: bridge-connector: return int from drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 11/37] drm/display: bridge-connector: return int from drm_bridge_connector_add_connector() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 12/37] drm/display: bridge-connector: hoist error management to common code Luca Ceresoli
2026-05-19 10:37 ` [PATCH 13/37] drm/display: bridge-connector: move drm_bridge_connector_put_bridges() definition eariler Luca Ceresoli
2026-05-19 10:37 ` [PATCH 14/37] drm/display: bridge-connector: add non-drmm variant of drm_bridge_connector_put_bridges() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 15/37] drm/display: bridge-connector: allocate the connector dynamically Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-06-08 11:46 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 16/37] drm/display: bridge-connector: move per-connector fields to the dynamic connector Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot [this message]
2026-05-19 10:37 ` [PATCH 17/37] drm/display: bridge-connector: protect dynconn creation and destruction with a mutex Luca Ceresoli
2026-05-19 11:18 ` sashiko-bot
2026-06-08 11:49 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 18/37] drm/bridge: samsung-dsim: remove the panel_bridge on host_detach Luca Ceresoli
2026-06-08 11:53 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 19/37] drm/bridge: samsung-dsim: move drm_bridge_add() call to probe Luca Ceresoli
2026-05-19 11:16 ` sashiko-bot
2026-06-08 11:58 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 20/37] drm/bridge: samsung-dsim: attach: return -EPROBE_DEFER is next bridge not yet available Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 21/37] drm/bridge: initialize chain_node list head on allocation Luca Ceresoli
2026-05-19 10:37 ` [PATCH 22/37] drm/bridge: initialize chain_node list head on detach and attach errors Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 23/37] drm/encoder: add drm_encoder_cleanup_from() Luca Ceresoli
2026-05-19 11:14 ` sashiko-bot
2026-06-08 12:10 ` Maxime Ripard
2026-06-09 10:10 ` Luca Ceresoli
2026-06-09 12:43 ` Maxime Ripard
2026-05-19 10:37 ` [PATCH 24/37] drm/atomic: move drm_atomic_helper_disable_all() and drm_atomic_helper_shutdown() from drm_atomic_helper to drm_atomic Luca Ceresoli
2026-05-19 10:57 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 25/37] drm/bridge: shutdown and cleanup on bridge unplug Luca Ceresoli
2026-05-19 11:09 ` sashiko-bot
2026-06-08 12:07 ` Maxime Ripard
2026-06-09 9:31 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 26/37] drm: event-notifier: add mechanism to notify about hotplug events Luca Ceresoli
2026-05-19 11:06 ` sashiko-bot
2026-06-08 12:13 ` Maxime Ripard
2026-06-09 9:30 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 27/37] drm/bridge: notify about detached bridges Luca Ceresoli
2026-05-19 11:32 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 28/37] drm/mipi-dsi: turn DRM_MIPI_DSI into a tristate Luca Ceresoli
2026-05-19 11:07 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 29/37] drm/mipi-dsi: notify about DSI attach Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 30/37] drm/bridge: add drm_bridge_is_tail() to know whether a bridge completes the pipeline Luca Ceresoli
2026-05-19 10:59 ` sashiko-bot
2026-06-08 12:34 ` Maxime Ripard
2026-06-09 8:23 ` Luca Ceresoli
2026-05-19 10:37 ` [PATCH 31/37] drm/bridge: panel: implement .is_tail Luca Ceresoli
2026-05-19 15:12 ` Neil Armstrong
2026-05-19 10:37 ` [PATCH 32/37] drm/bridge: display-connector: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 33/37] drm/bridge: samsung-dsim: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 34/37] drm/bridge: ti-sn65dsi83: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 35/37] drm/bridge: drm_bridge_attach(): don't fail on -EPROBE_DEFER Luca Ceresoli
2026-05-19 11:21 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 36/37] drm/display: bridge-connector: handle bridge hotplug Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 37/37] drm/mxsfb/lcdif: enable " Luca Ceresoli
2026-05-19 11:33 ` sashiko-bot
2026-06-01 15:44 ` [PATCH 00/37] drm " Luca Ceresoli
2026-06-09 7:47 ` Luca Ceresoli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519111726.AB5ADC2BCB8@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=luca.ceresoli@bootlin.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.