From: sashiko-bot@kernel.org
To: "Naman Arora" <namanarora029@gmail.com>
Cc: neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org
Subject: Re: [PATCH 2/6] drm/tidss: Open-code drm_simple_encoder_init()
Date: Sun, 31 May 2026 07:57:01 +0000
Message-ID: <20260531075701.ECC9B1F00893@smtp.kernel.org>
In-Reply-To: <20260531073532.8609-3-namanarora029@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free on driver unbind or probe failure due to mixed devm/drmm lifecycles for the combined encoder/bridge structure.
--
commit b7421f2a0634d4a6488478cb165139b91f9afc7d
Author: Naman Arora <namanarora029@gmail.com>
drm/tidss: Open-code drm_simple_encoder_init()
The helper drm_simple_encoder_init() is a thin wrapper around
drm_encoder_init() with a simple destroy-only encoder funcs struct.
Remove the dependency on drm_simple_kms_helper by open-coding the
encoder initialization directly in the driver.
> diff --git a/drivers/gpu/drm/tidss/tidss_encoder.c b/drivers/gpu/drm/tidss/tidss_encoder.c
> index 34db8d2a3792e..1841dc14c739b 100644
> --- a/drivers/gpu/drm/tidss/tidss_encoder.c
> +++ b/drivers/gpu/drm/tidss/tidss_encoder.c
[ ... ]
> @@ -95,8 +98,9 @@ int tidss_encoder_create(struct tidss_device *tidss,
> if (IS_ERR(t_enc))
> return PTR_ERR(t_enc);
>
> - ret = drm_simple_encoder_init(&tidss->ddev, &t_enc->encoder,
> - encoder_type);
> + ret = drm_encoder_init(&tidss->ddev, &t_enc->encoder,
> + &tidss_drm_encoder_funcs,
> + encoder_type, NULL);
[Severity: High]
This is a pre-existing issue, but could this mix of devm and drm lifecycles
lead to a use-after-free during driver unbind or probe failure?
The t_enc struct is allocated using devm_drm_bridge_alloc(), giving it an
initial refcount of 1. Here, drm_encoder_init() registers the embedded
t_enc->encoder. Later in this function, drm_bridge_attach() will increase
the refcount to 2.
During driver unbind, devres LIFO cleanup executes the bridge release action,
calling drm_bridge_put() and dropping the refcount to 1. Next, the drm_device
release action triggers drm_mode_config_cleanup(), which calls
drm_encoder_cleanup().
Inside drm_encoder_cleanup(), calling drm_bridge_detach() drops the final
refcount to 0, causing t_enc to be freed. Immediately after that,
drm_encoder_cleanup() accesses the now-freed encoder structure.
A similar issue appears to happen if drm_bridge_attach() fails during probe,
as devres would free t_enc, leaving a dangling pointer for
drm_mode_config_cleanup() to trip over.
> if (ret)
> return ret;
>
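Review bot: the `&tidss_drm_encoder_funcs` argument in the new `drm_encoder_init()` call refers to a struct whose definition falls in the elided part of this diff, so the hunk alone does not show that the open-coded call behaves like the helper it replaces. Going by the commit message's "destroy-only" wording, it should set only `.destroy = drm_encoder_cleanup`; please confirm that, and that the struct is `static const`. The trailing `NULL` name argument keeps the default encoder name, so with such a funcs struct the call is a like-for-like replacement and the `if (ret) return ret;` handling that follows needs no change.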
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260531074627.8936-1-namanarora029@gmail.com?part=2