From: sashiko-bot@kernel.org
To: "Maxime Ripard" <mripard@kernel.org>
Cc: linux-sunxi@lists.linux.dev
Subject: Re: [PATCH v5 03/19] drm/atomic: Drop drm_private_obj.state assignment from create_state
Date: Tue, 19 May 2026 11:35:30 +0000 [thread overview]
Message-ID: <20260519113530.C2AE1C2BCB3@smtp.kernel.org> (raw)
In-Reply-To: <20260519-drm-mode-config-init-v5-3-388b03321e38@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Unbalanced Lifecycle / List Management Error in drm_atomic_private_obj_init() leads to UAF or NULL pointer dereference.
--
commit 44b9224847cfbcc3b1c83e99bfc50096eaebde99
Author: Maxime Ripard <mripard@kernel.org>
drm/atomic: Drop drm_private_obj.state assignment from create_state
The initial intent of the atomic_create_state hook was to simply
allocate a proper drm_private_state and return it, without any side
effect. This patch removes a redundant assignment in
__drm_atomic_helper_private_obj_create_state() that defeats this purpose.
> This assignment defeats the purpose, but is also redundant since
> drm_atomic_private_obj_init(), the only call site for the
> atomic_create_state hook, will also set this pointer to the newly
> allocated state.
This isn't a bug introduced by this patch, but since the commit message
discusses drm_atomic_private_obj_init(), I noticed a potential lifecycle
issue in that function.
In drm_atomic_private_obj_init(), the private object is added to
privobj_list before invoking the atomic_create_state() callback:
drivers/gpu/drm/drm_atomic.c:drm_atomic_private_obj_init() {
...
list_add_tail(&obj->head, &dev->mode_config.privobj_list);
state = obj->funcs->atomic_create_state(obj);
if (IS_ERR(state))
return PTR_ERR(state);
obj->state = state;
...
}
If atomic_create_state() fails, the function returns an error but fails to
remove the partially initialized object from privobj_list.
Since many callers (e.g., vc4_ctm_obj_init(), drm_bridge_is_atomic(),
drm_dp_mst_topology_mgr_init()) ignore the return value, could this leave
the object in privobj_list with obj->state == NULL?
If this occurs, could the next atomic commit trigger a NULL pointer
dereference when drm_atomic_get_private_obj_state() invokes
atomic_duplicate_state(), and implementations call kmemdup(obj->state, ...)?
Also, if the device is torn down and drm_atomic_private_obj_fini() is called,
it unconditionally executes:
drivers/gpu/drm/drm_atomic.c:drm_atomic_private_obj_fini() {
...
obj->funcs->atomic_destroy_state(obj, obj->state);
...
}
Since obj->state is NULL, would wrappers using container_of() evaluate to a
negative pointer offset, causing a panic when kfree() is called on it?
> diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c
> index cc70508d4fdba..a82568d87e4f7 100644
> --- a/drivers/gpu/drm/drm_atomic_state_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_state_helper.c
> @@ -731,8 +731,6 @@ void __drm_atomic_helper_private_obj_create_state(struct drm_private_obj *obj,
> {
> if (state)
> state->obj = obj;
> -
> - obj->state = state;
> }
> EXPORT_SYMBOL(__drm_atomic_helper_private_obj_create_state);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-drm-mode-config-init-v5-0-388b03321e38@kernel.org?part=3
next prev parent reply other threads:[~2026-05-19 11:35 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 9:01 [PATCH v5 00/19] drm/atomic: Rework initial state allocation Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 01/19] drm/atomic: Document atomic commit lifetime Maxime Ripard
2026-05-26 8:59 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 02/19] drm/colorop: Fix typos in the doc Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 03/19] drm/atomic: Drop drm_private_obj.state assignment from create_state Maxime Ripard
2026-05-19 11:35 ` sashiko-bot [this message]
2026-05-26 9:03 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 04/19] drm/atomic: Expand atomic_create_state expectations for drm_private_obj Maxime Ripard
2026-05-26 9:03 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 05/19] drm/mode-config: Document drm_private_obj exclusion from drm_mode_config_reset() Maxime Ripard
2026-05-26 9:05 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 06/19] drm/colorop: Rename __drm_colorop_state_reset() Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 07/19] drm/colorop: Create drm_atomic_helper_colorop_create_state() Maxime Ripard
2026-05-19 9:34 ` sashiko-bot
2026-05-19 9:01 ` [PATCH v5 08/19] drm/atomic-state-helper: Fix __drm_atomic_helper_plane_reset() doc typo Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 09/19] drm/atomic-state-helper: Rename __drm_atomic_helper_plane_state_reset() Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 10/19] drm/plane: Add new atomic_create_state callback Maxime Ripard
2026-05-26 9:08 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 11/19] drm/atomic-state-helper: Rename __drm_atomic_helper_crtc_state_reset() Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 12/19] drm/crtc: Add new atomic_create_state callback Maxime Ripard
2026-05-26 9:22 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 13/19] drm/atomic-state-helper: Rename __drm_atomic_helper_connector_state_reset() Maxime Ripard
2026-05-19 9:01 ` [PATCH v5 14/19] drm/hdmi: Rename __drm_atomic_helper_connector_hdmi_reset() Maxime Ripard
2026-05-19 9:13 ` sashiko-bot
2026-05-19 9:01 ` [PATCH v5 15/19] drm/connector: Add new atomic_create_state callback Maxime Ripard
2026-05-26 9:28 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 16/19] drm/mode-config: Create drm_mode_config_create_initial_state() Maxime Ripard
2026-05-26 9:33 ` Thomas Zimmermann
2026-05-19 9:01 ` [PATCH v5 17/19] drm/drv: Switch skeleton to drm_mode_config_create_initial_state() Maxime Ripard
2026-05-26 9:34 ` Thomas Zimmermann
2026-05-19 9:02 ` [PATCH v5 18/19] drm/tidss: Convert to atomic_create_state Maxime Ripard
2026-05-19 9:02 ` [PATCH v5 19/19] drm/bridge_connector: " Maxime Ripard
2026-05-19 9:09 ` ✗ CI.checkpatch: warning for drm/atomic: Rework initial state allocation (rev4) Patchwork
2026-05-19 9:10 ` ✓ CI.KUnit: success " Patchwork
2026-05-19 9:49 ` ✓ Xe.CI.BAT: " Patchwork
2026-05-19 13:12 ` ✗ i915.CI.BAT: failure " Patchwork
2026-05-19 19:24 ` ✗ Xe.CI.FULL: " Patchwork
2026-05-26 9:36 ` [PATCH v5 00/19] drm/atomic: Rework initial state allocation Thomas Zimmermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519113530.C2AE1C2BCB3@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=mripard@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.