From: sashiko-bot@kernel.org
To: "Maxime Ripard" <mripard@kernel.org>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 27/78] drm/bridge: nwl-dsi: Switch to atomic_create_state
Date: Mon, 08 Jun 2026 16:15:16 +0000
Message-ID: <20260608161517.4365C1F00893@smtp.kernel.org>
In-Reply-To: <20260608-drm-no-more-bridge-reset-v2-27-0a91018bf886@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The asynchronous DSI transfer operation is not properly canceled on timeout, leaving `dsi->xfer` pointing to a popped stack frame. This causes potential stack corruption if a delayed interrupt fires.
--

commit 83396eabd0228d642366b0524e14cdcca0036136
Author: Maxime Ripard <mripard@kernel.org>

drm/bridge: nwl-dsi: Switch to atomic_create_state

The drm_bridge_funcs.atomic_reset callback and its
drm_atomic_helper_bridge_reset() helper are deprecated. Switch to the
atomic_create_state callback and its counterpart.

> diff --git a/drivers/gpu/drm/bridge/nwl-dsi.c b/drivers/gpu/drm/bridge/nwl-dsi.c
> index 3c9ae93c4f671..09992529f3d85 100644
> --- a/drivers/gpu/drm/bridge/nwl-dsi.c
> +++ b/drivers/gpu/drm/bridge/nwl-dsi.c
> @@ -960,7 +960,7 @@ static u32 *nwl_bridge_atomic_get_input_bus_fmts(struct drm_bridge *bridge,
>  static const struct drm_bridge_funcs nwl_dsi_bridge_funcs = {
>  	.atomic_duplicate_state	= drm_atomic_helper_bridge_duplicate_state,
>  	.atomic_destroy_state	= drm_atomic_helper_bridge_destroy_state,
> -	.atomic_reset		= drm_atomic_helper_bridge_reset,
> +	.atomic_create_state		= drm_atomic_helper_bridge_create_state,

[Severity: High]
This is a pre-existing issue, but I noticed a potential stack use-after-free
in the DSI transfer timeout path of this driver.

In nwl_dsi_host_transfer(), dsi->xfer is assigned a pointer to a
stack-allocated struct nwl_dsi_transfer. If wait_for_completion_timeout()
times out, the function returns without clearing the pointer:

drivers/gpu/drm/bridge/nwl-dsi.c:nwl_dsi_host_transfer()
	if (!wait_for_completion_timeout(&xfer.completed,
					 NWL_DSI_MIPI_FIFO_TIMEOUT)) {
		DRM_DEV_ERROR(dsi_host->dev, "[%02X] DSI transfer timed out\n",
			      xfer.cmd);
		ret = -ETIMEDOUT;
	} else {
		ret = xfer.status;
	}

	clk_disable_unprepare(dsi->rx_esc_clk);

	return ret;

If a delayed hardware completion or spurious interrupt fires after the
timeout and the original stack frame has been destroyed,
nwl_dsi_finish_transmission() might dereference this dangling pointer and
mutate stack memory:

drivers/gpu/drm/bridge/nwl-dsi.c:nwl_dsi_finish_transmission()
	struct nwl_dsi_transfer *xfer = dsi->xfer;
//...
		xfer->status = xfer->tx_len;
		end_packet = true;
//...
	if (end_packet)
		complete(&xfer->completed);

Should dsi->xfer be set to NULL in the timeout path before returning, or
should pending transfers be explicitly aborted to prevent the interrupt
handler from writing to an invalid stack address?

>  	.atomic_check		= nwl_dsi_bridge_atomic_check,
>  	.atomic_enable		= nwl_dsi_bridge_atomic_enable,
>  	.atomic_disable		= nwl_dsi_bridge_atomic_disable,
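
Review bot: The added `.atomic_create_state` initializer keeps the two tabs that the shorter `.atomic_reset` name needed, so as quoted here its `=` lands one tab stop to the right of the other members of nwl_dsi_bridge_funcs. A single tab after the member name would keep it in the same column as `.atomic_duplicate_state` and `.atomic_destroy_state`.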

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-drm-no-more-bridge-reset-v2-0-0a91018bf886@kernel.org?part=27
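
The timeout path described in the review above, as an added user-space model that is not part of the original message and is not code from nwl-dsi.c. All `model_*` names and the `frame_live` flag (standing in for "the caller's stack frame still exists") are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model; none of these names exist in nwl-dsi.c.
 * frame_live stands in for "the caller's stack frame still exists". */
struct model_xfer { int tx_len; int status; bool completed; bool frame_live; };
struct model_host { struct model_xfer *xfer; int stale_writes; };

/* Models the completion interrupt writing through the published pointer. */
static void model_irq(struct model_host *h)
{
	struct model_xfer *x = h->xfer;

	if (!x)
		return;			/* nothing in flight: late IRQ is ignored */
	if (!x->frame_live)
		h->stale_writes++;	/* in a kernel: a write into a dead stack frame */
	x->status = x->tx_len;
	x->completed = true;
	h->xfer = NULL;			/* model choice: unpublish once completed */
}

/* Models the transfer path; hw_answers == false is the timeout case. */
static int model_transfer(struct model_host *h, struct model_xfer *x,
			  bool hw_answers, bool clear_on_timeout)
{
	x->frame_live = true;
	x->completed = false;
	h->xfer = x;			/* publish the per-call transfer */
	if (hw_answers)
		model_irq(h);
	if (!x->completed && clear_on_timeout)
		h->xfer = NULL;		/* a driver must serialize this with its IRQ handler */
	x->frame_live = false;		/* return: the frame no longer exists */
	return x->completed ? x->status : -ETIMEDOUT;
}

int main(void)
{
	struct model_host h = { 0 };
	struct model_xfer x = { .tx_len = 4 };

	model_transfer(&h, &x, false, false);	/* timeout, pointer left behind */
	model_irq(&h);				/* late interrupt */
	return h.stale_writes == 1 ? 0 : 1;
}
```

In a real driver, clearing the pointer is only safe when it is serialized against the interrupt handler (a lock shared with the handler, or waiting for a running handler to finish), since the handler may already have loaded the old value.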
