From: sashiko-bot@kernel.org
To: "Albert Esteve" <aesteve@redhat.com>
Cc: linux-sunxi@lists.linux.dev, Frank.Li@kernel.org,
dri-devel@lists.freedesktop.org,
wsa+renesas@sang-engineering.com, imx@lists.linux.dev
Subject: Re: [PATCH 4/5] drm/bridge: release panel reference on all lookup exit paths
Date: Fri, 26 Jun 2026 12:23:40 +0000 [thread overview]
Message-ID: <20260626122341.0DBC21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626-drm_refcount_wiring-v1-4-cca1a7b3bdef@redhat.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Dropping the panel reference before removing the bridge creates a Use-After-Free window during driver removal.
- [Medium] Panel references acquired during probe/attach are not released on error paths, causing memory leaks.
- [Medium] Panel reference leaks when wrapping a panel in a bridge without dropping the lookup reference.
--
commit 621578b5ce602b599c8bef0b18966f05081671b7
Author: Albert Esteve <aesteve@redhat.com>
drm/bridge: release panel reference on all lookup exit paths
of_drm_find_panel() and drm_of_find_panel_or_bridge() now return a
counted reference that the caller must release with drm_panel_put().
For bridge drivers that immediately wrap the panel in a panel_bridge
(which acquires its own reference), release the lookup reference right
after the bridge creation call.
[Severity: Medium]
Since the lookup functions now return a counted reference, does this
change introduce memory leaks on driver probe error paths?
If a driver successfully acquires the panel reference during probe or
attach, but a subsequent initialization step fails (like clock
registration, component addition, or memory allocation), it appears the
reference is leaked if drm_panel_put is not called before returning the
error.
For example, in exynos_dp_probe, if component_add fails, the panel
reference is not released. Similar leaks appear to happen on error
paths in analogix_dp_aux_done_probing, sun6i_dsi_attach,
tegra_output_probe, and lvds_probe.
[Severity: Medium]
Additionally, are there missing conversions for drivers that wrap the
panel in a bridge?
The commit message notes that bridge drivers immediately wrapping the
panel must release the lookup reference right after the bridge creation
call, since the bridge acquires its own reference.
However, it looks like several drivers were missed, such as
lvds_codec_probe, fsl_ldb_probe, lt9211_parse_dt, ssd2825_probe,
tc358767_probe, and tc358768_probe. In these functions, the panel is
wrapped with devm_drm_panel_bridge_add or drm_panel_bridge_add_typed,
but the initial lookup reference is never dropped.
> diff --git a/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c b/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c
> index f3fe47b12edca..1fe11b075f860 100644
> --- a/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c
> +++ b/drivers/gpu/drm/bridge/analogix/analogix-anx6345.c
> @@ -756,6 +756,9 @@ static void anx6345_i2c_remove(struct i2c_client *client)
> {
> struct anx6345 *anx6345 = i2c_get_clientdata(client);
>
> + if (anx6345->panel)
> + drm_panel_put(anx6345->panel);
> +
> drm_bridge_remove(&anx6345->bridge);
[Severity: High]
Does this create a use-after-free window?
By dropping the last reference to the panel here, the panel object might
be freed. However, the bridge is removed after this step. During this
window, the bridge remains globally visible and registered.
If a concurrent drm commit or modeset (like an atomic disable) executes
on the display pipeline before drm_bridge_remove is called, it could
invoke the bridge callbacks which would dereference the already-freed
panel pointer.
Would it be safer to unregister the bridge before dropping the reference
to the internal structures it relies on?
[ ... ]
> diff --git a/drivers/gpu/drm/stm/lvds.c b/drivers/gpu/drm/stm/lvds.c
> index 50a878688e477..77735e26c56e3 100644
> --- a/drivers/gpu/drm/stm/lvds.c
> +++ b/drivers/gpu/drm/stm/lvds.c
> @@ -1189,6 +1189,9 @@ static void lvds_remove(struct platform_device *pdev)
> {
> struct stm_lvds *lvds = platform_get_drvdata(pdev);
>
> + if (lvds->panel)
> + drm_panel_put(lvds->panel);
> +
> lvds_pixel_clk_unregister(lvds);
>
> drm_bridge_remove(&lvds->lvds_bridge);
[Severity: High]
Could this also trigger a use-after-free for the panel?
Similar to the anx6345 driver, the panel reference is dropped before the
bridge is removed. A concurrent atomic disable could execute in this
window and dereference the freed panel inside the bridge callbacks.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626-drm_refcount_wiring-v1-0-cca1a7b3bdef@redhat.com?part=4
next prev parent reply other threads:[~2026-06-26 12:23 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 12:03 [PATCH 0/5] drm/panel: refcounting panel lookups and references Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:03 ` [PATCH 1/5] drm/panel: have drm_panel_add/remove manage a list reference Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:47 ` Maxime Ripard
2026-06-26 12:47 ` Maxime Ripard
2026-06-26 12:03 ` [PATCH 2/5] drm/bridge/panel: hold a reference to the wrapped panel Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:24 ` sashiko-bot
2026-06-26 12:48 ` Maxime Ripard
2026-06-26 12:48 ` Maxime Ripard
2026-06-26 12:03 ` [PATCH 3/5] drm/panel: make *find_panel*() return a counted reference Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:50 ` Maxime Ripard
2026-06-26 12:50 ` Maxime Ripard
2026-06-26 15:11 ` Albert Esteve
2026-06-26 15:11 ` Albert Esteve
2026-06-26 12:03 ` [PATCH 4/5] drm/bridge: release panel reference on all lookup exit paths Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:23 ` sashiko-bot [this message]
2026-06-26 12:53 ` Maxime Ripard
2026-06-26 12:53 ` Maxime Ripard
2026-06-26 13:11 ` Albert Esteve
2026-06-26 13:11 ` Albert Esteve
2026-06-26 12:03 ` [PATCH 5/5] drm: release panel reference after panel bridge creation Albert Esteve
2026-06-26 12:03 ` Albert Esteve
2026-06-26 12:28 ` sashiko-bot
2026-06-26 12:59 ` Maxime Ripard
2026-06-26 12:59 ` Maxime Ripard
2026-06-26 15:05 ` Albert Esteve
2026-06-26 15:05 ` Albert Esteve
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626122341.0DBC21F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=aesteve@redhat.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=imx@lists.linux.dev \
--cc=linux-sunxi@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.