From: sashiko-bot@kernel.org
To: "Maxime Ripard" <mripard@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 08/78] drm/bridge: adv7511: Switch to atomic_create_state
Date: Mon, 08 Jun 2026 15:24:27 +0000 [thread overview]
Message-ID: <20260608152428.6C0B01F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260608-drm-no-more-bridge-reset-v2-8-0a91018bf886@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The HPD workqueue (adv7511->hpd_work) is not cancelled when the driver is unbound or fails to probe after the IRQ is registered, leading to a Use-After-Free.
--
commit 27fb30e849a482fc0f7d55469140b878f0a937a9
Author: Maxime Ripard <mripard@kernel.org>
drm/bridge: adv7511: Switch to atomic_create_state
This commit deprecates the drm_bridge_funcs.atomic_reset callback and its
helpers. It switches the adv7511 bridge driver to use atomic_create_state
and drm_atomic_helper_bridge_create_state instead.
> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> index 02f8f7e78a163..db99e252aeebc 100644
> --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> @@ -1004,7 +1004,7 @@ static const struct drm_bridge_funcs adv7511_bridge_funcs = {
> .atomic_disable = adv7511_bridge_atomic_disable,
> .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state,
> - .atomic_reset = drm_atomic_helper_bridge_reset,
> + .atomic_create_state = drm_atomic_helper_bridge_create_state,
>
> .hdmi_tmds_char_rate_valid = adv7511_bridge_hdmi_tmds_char_rate_valid,
[Severity: High]
This isn't a bug introduced by this patch, but I noticed a pre-existing
issue in this driver's error handling and removal paths regarding the HPD
workqueue.
In adv7511_probe(), an IRQ handler is registered via
devm_request_threaded_irq() which can schedule adv7511->hpd_work. If the
probe fails after this point, the error path does not cancel the work
before returning:
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c:adv7511_probe() {
...
err_unregister_audio:
drm_bridge_remove(&adv7511->bridge);
i2c_unregister_device(adv7511->i2c_cec);
...
}
Similarly, adv7511_remove() does not cancel the work either:
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c:adv7511_remove() {
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
of_node_put(adv7511->host_node);
adv7511_uninit_regulators(adv7511);
drm_bridge_remove(&adv7511->bridge);
...
}
Because devres eventually frees the IRQ but free_irq() does not cancel
already scheduled work, could this lead to a use-after-free?
If the work remains pending after the final reference to the adv7511
structure is dropped, any executing adv7511_hpd_work() would dereference
the freed memory.
Should cancel_work_sync(&adv7511->hpd_work) be called in these paths to
prevent the work from executing after the structure is freed?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-drm-no-more-bridge-reset-v2-0-0a91018bf886@kernel.org?part=8
next prev parent reply other threads:[~2026-06-08 15:24 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 14:35 [PATCH v2 00/78] drm/bridge: Convert all reset users to create_state Maxime Ripard
2026-06-08 14:35 ` Maxime Ripard
2026-06-08 14:35 ` Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 01/78] drm/bridge: cdns-dsi: Return an error pointer on allocation failure Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 02/78] drm/bridge: cdns-mhdp8546: " Maxime Ripard
2026-06-08 14:53 ` sashiko-bot
2026-06-08 14:35 ` [PATCH v2 03/78] drm/atomic-state-helper: Rename __drm_atomic_helper_bridge_reset() Maxime Ripard
2026-06-08 15:06 ` sashiko-bot
2026-06-08 14:35 ` [PATCH v2 04/78] drm/atomic-state-helper: Reorder __drm_atomic_helper_bridge_state_init() arguments Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 05/78] drm/atomic-state-helper: Drop memset from __drm_atomic_helper_bridge_state_init() Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 06/78] drm/bridge: Add new atomic_create_state callback Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 07/78] drm/atomic-state-helper: Add drm_atomic_helper_bridge_create_state() Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 08/78] drm/bridge: adv7511: Switch to atomic_create_state Maxime Ripard
2026-06-08 15:24 ` sashiko-bot [this message]
2026-06-08 14:35 ` [PATCH v2 09/78] drm/bridge: analogix_dp: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 10/78] drm/bridge: anx7625: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 11/78] drm/bridge: chipone-icn6211: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 12/78] drm/bridge: display-connector: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 13/78] drm/bridge: fsl-ldb: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 14/78] drm/bridge: imx8mp-hdmi-pvi: " Maxime Ripard
2026-06-08 15:45 ` sashiko-bot
2026-06-08 14:35 ` [PATCH v2 15/78] drm/bridge: imx8qm-ldb: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 16/78] drm/bridge: imx8qxp-ldb: " Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 17/78] drm/bridge: imx8qxp-pixel-combiner: " Maxime Ripard
2026-06-08 15:55 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 18/78] drm/bridge: imx8qxp-pixel-link: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 19/78] drm/bridge: imx8qxp-pxl2dpi: " Maxime Ripard
2026-06-08 16:00 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 20/78] drm/bridge: inno-hdmi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 21/78] drm/bridge: ite-it6263: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 22/78] drm/bridge: ite-it6505: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 23/78] drm/bridge: ite-it66121: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 24/78] drm/bridge: lontium-lt9211: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 25/78] drm/bridge: lontium-lt9611: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 26/78] drm/bridge: lvds-codec: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 27/78] drm/bridge: nwl-dsi: " Maxime Ripard
2026-06-08 16:15 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 28/78] drm/bridge: panel: " Maxime Ripard
2026-06-08 16:17 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 29/78] drm/bridge: parade-ps8640: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 30/78] drm/bridge: samsung-dsim: " Maxime Ripard
2026-06-08 16:26 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 31/78] drm/bridge: sii902x: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 32/78] drm/bridge: ssd2825: " Maxime Ripard
2026-06-08 16:33 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 33/78] drm/bridge: dw-dp: " Maxime Ripard
2026-06-08 16:40 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 34/78] drm/bridge: dw-hdmi-qp: " Maxime Ripard
2026-06-08 16:43 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 35/78] drm/bridge: dw-hdmi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 36/78] drm/bridge: dw-mipi-dsi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 37/78] drm/bridge: dw-mipi-dsi2: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 38/78] drm/bridge: tc358762: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 39/78] drm/bridge: tc358767: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 40/78] drm/bridge: tc358768: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 41/78] drm/bridge: tc358775: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 42/78] drm/bridge: ti-dlpc3433: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 43/78] drm/bridge: ti-sn65dsi83: " Maxime Ripard
2026-06-08 17:03 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 44/78] drm/bridge: ti-sn65dsi86: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 45/78] drm/bridge: ti-tdp158: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 46/78] drm/bridge: ti-tfp410: " Maxime Ripard
2026-06-08 17:11 ` sashiko-bot
2026-06-08 14:36 ` [PATCH v2 47/78] drm/imx: parallel-display: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 48/78] drm/ingenic: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 49/78] drm/mediatek: dp: " Maxime Ripard
2026-06-08 15:32 ` AngeloGioacchino Del Regno
2026-06-08 14:36 ` [PATCH v2 50/78] drm/mediatek: dpi: " Maxime Ripard
2026-06-08 15:32 ` AngeloGioacchino Del Regno
2026-06-08 14:36 ` [PATCH v2 51/78] drm/mediatek: dsi: " Maxime Ripard
2026-06-08 15:32 ` AngeloGioacchino Del Regno
2026-06-08 14:36 ` [PATCH v2 52/78] drm/mediatek: hdmi: " Maxime Ripard
2026-06-08 15:32 ` AngeloGioacchino Del Regno
2026-06-08 14:36 ` [PATCH v2 53/78] drm/mediatek: hdmi_v2: " Maxime Ripard
2026-06-08 15:31 ` AngeloGioacchino Del Regno
2026-06-08 14:36 ` [PATCH v2 54/78] drm/meson: encoder_cvbs: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 55/78] drm/meson: encoder_dsi: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 56/78] drm/meson: encoder_hdmi: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 57/78] drm/msm: dp: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 58/78] drm/msm: hdmi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 59/78] drm/omap: hdmi4: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 60/78] drm/omap: hdmi5: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 61/78] drm/renesas: rcar-du: lvds: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 62/78] drm/renesas: rcar-du: mipi_dsi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 63/78] drm/renesas: rz-du: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 64/78] drm/rockchip: cdn-dp: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 65/78] drm/rockchip: rk3066_hdmi: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 66/78] drm/rockchip: lvds: " Maxime Ripard
2026-06-08 14:36 ` Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 67/78] drm/stm: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 68/78] drm/tests: bridge: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 69/78] drm/tidss: encoder: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 70/78] drm/tidss: oldi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 71/78] drm/vc4: dsi: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 72/78] drm/verisilicon: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 73/78] drm/xlnx: zynqmp_dp: " Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 74/78] drm/atomic-state-helper: Remove drm_atomic_helper_bridge_reset() Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 75/78] drm/bridge: cdns-dsi: Use __drm_atomic_helper_bridge_state_init() Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 76/78] drm/bridge: cdns-dsi: Switch to atomic_create_state Maxime Ripard
2026-06-08 14:36 ` [PATCH v2 77/78] drm/bridge: cdns-mhdp8546: " Maxime Ripard
2026-06-08 14:37 ` [PATCH v2 78/78] drm/bridge: Remove atomic_reset support Maxime Ripard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608152428.6C0B01F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=mripard@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.