From: sashiko-bot@kernel.org
To: "Naman Arora" <namanarora029@gmail.com>
Cc: linux-amlogic@lists.infradead.org, neil.armstrong@linaro.org
Subject: Re: [PATCH 4/6] drm/meson: Open-code drm_simple_encoder_init() in encoder_cvbs
Date: Sun, 31 May 2026 08:08:42 +0000 [thread overview]
Message-ID: <20260531080842.CAAFB1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260531074627.8936-1-namanarora029@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-after-free during drm_encoder_cleanup() due to bridge refcount dropping to 0.
--
commit e742cfdccd21fa2f8380ad2c61f49c99edf808e1
Author: Naman Arora <namanarora029@gmail.com>
drm/meson: Open-code drm_simple_encoder_init() in encoder_cvbs
The helper drm_simple_encoder_init() is replaced with an open-coded
drm_encoder_init() to remove the dependency on drm_simple_kms_helper.
A simple destroy-only encoder funcs struct is added.
> diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
> index 8b26a0031cde0..9797e3f57e0be 100644
> --- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
> +++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
[ ... ]
> @@ -257,8 +260,9 @@ int meson_encoder_cvbs_probe(struct meson_drm *priv)
> meson_encoder_cvbs->priv = priv;
>
> /* Encoder */
> - ret = drm_simple_encoder_init(priv->drm, &meson_encoder_cvbs->encoder,
> - DRM_MODE_ENCODER_TVDAC);
> + ret = drm_encoder_init(priv->drm, &meson_encoder_cvbs->encoder,
> + &meson_encoder_cvbs_drm_encoder_funcs,
> + DRM_MODE_ENCODER_TVDAC, NULL);
[Severity: High]
This is a pre-existing issue, but does tying the encoder cleanup directly to
drm_encoder_cleanup() lead to a use-after-free during device unbind?
If the driver is unbound while userspace holds an open DRM device
reference, the platform unbind will drop the devm reference to the
meson_encoder_cvbs bridge container. The bridge is then kept alive
only by the attach reference.
When userspace finally closes the file descriptor, drm_mode_config_cleanup()
calls the encoder's destroy hook, which maps to drm_encoder_cleanup().
Inside drm_encoder_cleanup(), it drops the final bridge reference:
drm_encoder.c:drm_encoder_cleanup() {
	...
	list_for_each_entry_safe(bridge, next, &tmplist, chain_node)
		drm_bridge_detach(bridge);
	...
This frees the meson_encoder_cvbs container. However, drm_encoder_cleanup()
continues to access the embedded encoder:
	drm_mode_object_unregister(dev, &encoder->base);
	kfree(encoder->name);
	list_del(&encoder->head);
	...
	memset(encoder, 0, sizeof(*encoder));
}
Could this sequence corrupt memory when it accesses the already freed
encoder structure?
> if (ret)
> return dev_err_probe(priv->dev, ret,
> "Failed to init CVBS encoder\n");
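Review bot: the funcs struct &meson_encoder_cvbs_drm_encoder_funcs passed in the new drm_encoder_init() call is defined outside the quoted hunk, so this excerpt cannot show that its .destroy hook is drm_encoder_cleanup, which is the hook drm_simple_encoder_init() installed; please confirm that it is (and that the struct is static const), since only then is the conversion behaviour-neutral, with the trailing NULL name argument also matching what the helper passed. The bridge-lifetime question raised above concerns that unchanged destroy path and is pre-existing, so it should not hold up this patch; if it turns out to be real, a separate change that ties the container's lifetime to the DRM device (for example a drmm-managed allocation) is the place to address it. A sentence in the commit message stating that the destroy hook is unchanged would make the no-functional-change intent explicit.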
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260531074627.8936-1-namanarora029@gmail.com?part=4
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
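The unbind-then-close sequence the review describes, as an added userspace model in C (my own code, not from the patch, the meson driver or the DRM core): a container embeds an encoder, the container's lifetime is a reference count standing in for the devm reference plus the bridge's attach reference, and the two cleanup orderings are compared. Every struct and function name is an assumption chosen for the model; the kernel's allocator and refcounting are replaced by a "freed" flag and an access counter so the hazard can be observed without actually corrupting memory.

```c
/* Added example (userspace model, not kernel or patch code): the
 * cleanup-ordering hazard from the review.  The container is "freed" when
 * its last reference is dropped; accesses after that point are counted,
 * the way a sanitizer would report them, instead of touching freed memory. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct encoder {               /* stands in for the embedded drm_encoder */
	bool registered;
	int id;
};

struct container {             /* stands in for meson_encoder_cvbs (assumed) */
	struct encoder encoder;    /* embedded, like ->encoder */
	int refcount;              /* devm reference + attach reference */
	bool freed;                /* set when the last reference is dropped */
	int uaf_accesses;          /* accesses observed after 'freed' */
};

static struct container *container_alloc(void)
{
	struct container *c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	c->refcount = 2;                   /* devm reference + attach reference */
	c->encoder.registered = true;
	c->encoder.id = 42;                /* constructed value */
	return c;
}

/* Drop one reference; the last drop "frees" the container. */
static void container_put(struct container *c)
{
	if (--c->refcount == 0)
		c->freed = true;               /* models kfree(); memory kept for bookkeeping */
}

/* Every touch of the embedded encoder goes through here so the model can
 * detect use after the container was "freed". */
static struct encoder *encoder_touch(struct container *c)
{
	if (c->freed)
		c->uaf_accesses++;
	return &c->encoder;
}

/* The steps that follow the bridge detach in the review's excerpt. */
static void encoder_fields_cleanup(struct encoder *enc)
{
	enc->registered = false;           /* drm_mode_object_unregister() */
	memset(enc, 0, sizeof(*enc));      /* memset(encoder, 0, ...) */
}

/* Ordering from the review: detach (which may drop the last reference)
 * first, then touch the embedded encoder.  Returns the number of accesses
 * made after the container was freed; non-zero means use-after-free. */
static int cleanup_detach_first(struct container *c)
{
	container_put(c);                  /* drm_bridge_detach() drops the attach ref */
	encoder_fields_cleanup(encoder_touch(c));
	return c->uaf_accesses;
}

/* Hardened ordering: pin the container with a temporary reference for the
 * duration of the cleanup so the last drop cannot happen while the embedded
 * encoder is still in use.  (Finishing the field cleanup before the detach
 * is the other option.) */
static int cleanup_pinned(struct container *c)
{
	int uaf;

	c->refcount++;                     /* temporary reference across cleanup */
	container_put(c);                  /* detach drops the attach ref; still alive */
	encoder_fields_cleanup(encoder_touch(c));
	uaf = c->uaf_accesses;
	container_put(c);                  /* drop the pin: freed only now */
	return uaf;
}

/* Unbind-then-close: the platform unbind drops the devm reference, leaving
 * only the attach reference; later the last file descriptor closes and the
 * encoder is cleaned up with the given ordering. */
static int simulate(int (*cleanup)(struct container *))
{
	struct container *c = container_alloc();
	int uaf;

	if (!c)
		return -1;
	container_put(c);                  /* platform unbind: devm reference gone */
	uaf = cleanup(c);                  /* mode-config cleanup on final close */
	free(c);                           /* model bookkeeping only */
	return uaf;
}

int main(void)
{
	printf("detach first: %d post-free access(es)\n", simulate(cleanup_detach_first));
	printf("pinned:       %d post-free access(es)\n", simulate(cleanup_pinned));
	return 0;
}
```

The model reports one post-free access for the detach-first ordering and none when the container is pinned; the same zero result is obtained by moving the field cleanup ahead of the detach, which is the alternative noted in the comments.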