From: sashiko-bot@kernel.org
To: "Alexander Stein" <alexander.stein@ew.tq-group.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/4] drm/bridge: tc358767: register DP aux bus even in DRM_BRIDGE_ATTACH_NO_CONNECTOR case
Date: Wed, 24 Jun 2026 12:31:37 +0000 [thread overview]
Message-ID: <20260624123138.7D2161F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624121515.2301219-1-alexander.stein@ew.tq-group.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The bridge detach function `tc_edp_bridge_detach` does not call `drm_connector_cleanup()` for the connector initialized in `tc_edp_bridge_attach()`, leading to a use-after-free when the module unloads.
--
commit 29555064108dbff74cdded5aeba9baee8adfd8a7
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
drm/bridge: tc358767: register DP aux bus even in DRM_BRIDGE_ATTACH_NO_CONNECTOR case
This commit changes the bridge attach sequence to always register the DP aux
bus. It achieves this by moving the check for the no-connector flag to after
the aux registration is complete.
> diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
> index 7188935fdb826..a1663cc6c2236 100644
> --- a/drivers/gpu/drm/bridge/tc358767.c
> +++ b/drivers/gpu/drm/bridge/tc358767.c
> @@ -1833,14 +1833,14 @@ static int tc_edp_bridge_attach(struct drm_bridge *bridge,
> return ret;
> }
>
> - if (flags & DRM_BRIDGE_ATTACH_NO_CONNECTOR)
> - return 0;
> -
> tc->aux.drm_dev = drm;
> ret = drm_dp_aux_register(&tc->aux);
> if (ret < 0)
> return ret;
>
> + if (flags & DRM_BRIDGE_ATTACH_NO_CONNECTOR)
> + return 0;
> +
> /* Create DP/eDP connector */
> drm_connector_helper_add(&tc->connector, &tc_connector_helper_funcs);
> ret = drm_connector_init(drm, &tc->connector, &tc_connector_funcs, tc->bridge.type);
[Severity: High]
This isn't a bug introduced by this patch, but is a pre-existing issue. Does
tc_edp_bridge_detach() properly clean up the connector initialized here?
Looking at the detach function in drivers/gpu/drm/bridge/tc358767.c:
static void tc_edp_bridge_detach(struct drm_bridge *bridge)
{
drm_dp_aux_unregister(&bridge_to_tc(bridge)->aux);
}
It seems drm_connector_cleanup() is never called for tc->connector.
Since tc_data (which embeds the connector) is allocated via devm_kzalloc,
could the freed connector remain linked in the active drm_device connector
list when the driver is unbound?
Would this cause a use-after-free if the DRM core accesses the connector list
after the module is unloaded or unbound?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624121515.2301219-1-alexander.stein@ew.tq-group.com?part=1
prev parent reply other threads:[~2026-06-24 12:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 12:15 [PATCH 1/4] drm/bridge: tc358767: register DP aux bus even in DRM_BRIDGE_ATTACH_NO_CONNECTOR case Alexander Stein
2026-06-24 12:15 ` [PATCH 2/4] drm/bridge: tc358767: allow panels or bridges (connectors) on output Alexander Stein
2026-06-24 12:15 ` [PATCH 3/4] drm/bridge: tc358767: do not open-code devm_drm_of_get_bridge in DPI path Alexander Stein
2026-06-24 12:15 ` [PATCH 4/4] drm/bridge: tc358767: do not open-code devm_drm_of_get_bridge in DSI path Alexander Stein
2026-06-24 12:24 ` sashiko-bot
2026-06-24 12:31 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260624123138.7D2161F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alexander.stein@ew.tq-group.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.