From: sashiko-bot@kernel.org
To: "Maxime Ripard" <mripard@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 03/78] drm/atomic-state-helper: Rename __drm_atomic_helper_bridge_reset()
Date: Mon, 08 Jun 2026 15:06:50 +0000
Message-ID: <20260608150650.B86671F00893@smtp.kernel.org>
In-Reply-To: <20260608-drm-no-more-bridge-reset-v2-3-0a91018bf886@kernel.org>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [High] drm_bridge_attach() ignores the return value of drm_atomic_private_obj_init(), hiding allocation failures.
- [High] cdns_mhdp_bridge_atomic_duplicate_state() triggers a fatal NULL pointer dereference if bridge state is NULL.
- [High] cdns_mhdp_bridge_atomic_destroy_state() crashes when passed a NULL state during teardown.
--

commit e02bc473e33cd57fec3ea4025b707696ba1bef80
Author: Maxime Ripard <mripard@kernel.org>
Date:   Mon Jun 8 14:35:45 2026 +0000

    drm/atomic-state-helper: Rename __drm_atomic_helper_bridge_reset()
    
    __drm_atomic_helper_bridge_reset() is used to initialize a
    newly allocated drm_bridge_state, and is being typically called by the
    drm_bridge_funcs.atomic_reset implementation.
    
    Since we want to consolidate DRM objects state allocation around the
    atomic_create_state callback that will only allocate and initialize a
    new drm_bridge_state instance, we will need to call
    __drm_atomic_helper_bridge_reset() from both the atomic_reset and
    atomic_create_state hooks.
    
    To avoid any confusion, we can thus rename
    __drm_atomic_helper_bridge_reset() to
    __drm_atomic_helper_bridge_state_init().

> diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> index 46779b49545bd..2e74dc33e0859 100644
> --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> @@ -1929,7 +1929,7 @@ cdns_mhdp_bridge_atomic_reset(struct drm_bridge *bridge)
>  	if (!cdns_mhdp_state)
>  		return ERR_PTR(-ENOMEM);
>  
> -	__drm_atomic_helper_bridge_reset(bridge, &cdns_mhdp_state->base);
> +	__drm_atomic_helper_bridge_state_init(bridge, &cdns_mhdp_state->base);

[Severity: High]
This isn't a bug introduced by this patch, but since we are consolidating 
state allocations, what happens if the state is NULL?

In drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c:cdns_mhdp_bridge_atomic_duplicate_state(),
the function calls into the core duplicate helper without validating that the 
source state is non-NULL:

    state = kzalloc_obj(*state);
    if (!state)
            return NULL;

    __drm_atomic_helper_bridge_duplicate_state(bridge, &state->base);

If bridge->base.state is NULL, does this cause a crash during memcpy in 
__drm_atomic_helper_private_obj_duplicate_state()?

[Severity: High]
This is also a pre-existing issue, but a similar problem seems to exist in the 
teardown path.

In drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c:cdns_mhdp_bridge_atomic_destroy_state(),
the function dereferences the state parameter without verifying it is non-NULL:

    struct cdns_mhdp_bridge_state *cdns_mhdp_state;

    cdns_mhdp_state = to_cdns_mhdp_bridge_state(state);

    if (cdns_mhdp_state->current_mode) {

Could this cause a NULL pointer dereference if atomic_destroy_state() is called 
after a failed initialization?

>  	return &cdns_mhdp_state->base;
>  }
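
Review bot: the precondition that the state pointer is already allocated and non-NULL should be written into the kerneldoc of __drm_atomic_helper_bridge_state_init(), since this call in cdns_mhdp_bridge_atomic_reset() is only safe because of the `if (!cdns_mhdp_state)` check just above it. The commit message says the helper will also be called from atomic_create_state hooks, so new callers will rely on that comment, not on the old "reset" name, to know that the helper initializes but does not allocate.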

[ ... ]

> diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c
> index cc70508d4fdba..f79d259fe5506 100644
> --- a/drivers/gpu/drm/drm_atomic_state_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_state_helper.c

[ ... ]

> @@ -848,7 +848,7 @@ drm_atomic_helper_bridge_reset(struct drm_bridge *bridge)
>  	if (!bridge_state)
>  		return ERR_PTR(-ENOMEM);
>  
> -	__drm_atomic_helper_bridge_reset(bridge, bridge_state);
> +	__drm_atomic_helper_bridge_state_init(bridge, bridge_state);
>  	return bridge_state;
>  }
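
Review bot: the commit message should state that no reference to the old name remains after this patch, because the quoted hunks show only two call sites (this one in drm_atomic_helper_bridge_reset() and the one in cdns-mhdp8546-core.c) with the rest elided. The definition, the header declaration, kerneldoc references and every driver caller have to be renamed in this single commit for the tree to build at this point in the series; an empty `git grep __drm_atomic_helper_bridge_reset` on the result is the check to quote.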

[Severity: High]
This isn't a bug introduced by this patch, but I noticed an error propagation 
issue when reviewing the atomic state allocation lifecycle.

In drivers/gpu/drm/drm_bridge.c:drm_bridge_attach(), the return value of
drm_atomic_private_obj_init() is ignored:

    if (drm_bridge_is_atomic(bridge))
            drm_atomic_private_obj_init(bridge->dev, &bridge->base,
                                        &drm_bridge_priv_state_funcs);

    return 0;

If the initial atomic state allocation fails, drm_atomic_private_obj_init() 
returns -ENOMEM, but drm_bridge_attach() continues and returns 0.

Does this leave the bridge successfully attached to the pipeline but with a 
NULL atomic state (bridge->base.state == NULL)? Could this set up the NULL 
pointer dereferences mentioned earlier, and should drm_bridge_attach() be 
updated to handle this error?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-drm-no-more-bridge-reset-v2-0-0a91018bf886@kernel.org?part=3
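
The chain raised in the review above (an ignored init error leaves a NULL state that the duplicate and destroy hooks later dereference), modelled in user-space C as an added example. It is not code from the patch, the kernel or the reviewer, and every `toy_*` name is hypothetical.

```c
/* Constructed user-space model of the failure chain; not kernel code. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct toy_state { int *current_mode; };
struct toy_bridge { struct toy_state *state; };

/* Initial state allocation; fail_alloc simulates the -ENOMEM case. */
static int toy_obj_init(struct toy_bridge *b, int fail_alloc)
{
	b->state = fail_alloc ? NULL : calloc(1, sizeof(*b->state));
	return b->state ? 0 : -ENOMEM;
}

/* check == 0: flagged pattern, error dropped; check == 1: error propagated. */
static int toy_attach(struct toy_bridge *b, int fail_alloc, int check)
{
	int ret = toy_obj_init(b, fail_alloc);
	return check ? ret : 0;
}

/* Duplicate hook that refuses a NULL source instead of copying from it. */
static struct toy_state *toy_duplicate(const struct toy_bridge *b)
{
	struct toy_state *copy = b->state ? malloc(sizeof(*copy)) : NULL;
	if (copy) {
		memcpy(copy, b->state, sizeof(*copy));
		copy->current_mode = NULL;	/* the copy does not own the mode */
	}
	return copy;
}

/* Destroy hook that tolerates teardown after a failed initialization. */
static void toy_destroy(struct toy_state *s)
{
	if (!s)
		return;
	free(s->current_mode);
	free(s);
}

int main(void)
{
	struct toy_bridge b = { 0 };
	if (toy_attach(&b, 1, 0) == 0)		/* "attached" with b.state == NULL */
		toy_destroy(toy_duplicate(&b));	/* the guards make this a no-op */
	return toy_attach(&b, 1, 1) == -ENOMEM ? 0 : 1;
}
```

Without the two NULL guards, the unchecked attach path would reach a read through a NULL pointer in both hooks; with the checked attach, the caller never gets that far.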
