From: sashiko-bot@kernel.org
To: "Louis Chauvet" <louis.chauvet@bootlin.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v5 37/38] drm/vkms: Add connector parent configuration in vkms_config
Date: Sat, 27 Jun 2026 03:57:04 +0000 [thread overview]
Message-ID: <20260627035705.B6C171F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260627-vkms-all-config-v5-37-854aa0840926@bootlin.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Error paths in `vkms_connector_hot_add()` free the connector via `__free(kfree)` without tearing down the DRM connector, causing a Use-After-Free and IDA leak.
- [Medium] The MST PATH property generation creates a malformed string and silently drops a valid port ID when the connector hierarchy depth exceeds 16.
- [Medium] Dynamic configuration of connector parent relationships results in inconsistent or stale DRM PATH properties.
--
commit 3d7cb6751094b4d573bbf296f74ba57a8170fe00
Author: Louis Chauvet <louis.chauvet@bootlin.com>
drm/vkms: Add connector parent configuration in vkms_config
This patch adds support for configuring the parent connector and port_id
in vkms_config to emulate MST connectors. It updates the PATH property
strings for nested MST configurations and manages dynamic connector
lifecycles.
> diff --git a/drivers/gpu/drm/vkms/vkms_config.c b/drivers/gpu/drm/vkms/vkms_config.c
> --- a/drivers/gpu/drm/vkms/vkms_config.c
> +++ b/drivers/gpu/drm/vkms/vkms_config.c
> @@ -996,8 +996,16 @@ struct vkms_config_connector *vkms_config_create_connector(struct vkms_config *c
> }
> EXPORT_SYMBOL_IF_KUNIT(vkms_config_create_connector);
>
> -void vkms_config_destroy_connector(struct vkms_config_connector *connector_cfg)
> +void vkms_config_destroy_connector(struct vkms_config *config,
> + struct vkms_config_connector *connector_cfg)
> {
> + struct vkms_config_connector *connector_cfg_tmp;
> +
> + vkms_config_for_each_connector(config, connector_cfg_tmp) {
> + if (connector_cfg_tmp->parent == connector_cfg)
> + connector_cfg_tmp->parent = NULL;
> + }
> +
[Severity: Medium]
When dynamically destroying a parent connector, this unlinks it from the
child connectors, but doesn't it leave the active children with stale
DRM PATH properties pointing to destroyed DRM object IDs?
Also, if a child is dynamically added before its parent, the child's PATH
property is silently skipped in vkms_connector_build_path_property() due to
the missing root, and it appears it is never retroactively updated.
[ ... ]
> diff --git a/drivers/gpu/drm/vkms/vkms_connector.c b/drivers/gpu/drm/vkms/vkms_connector.c
> --- a/drivers/gpu/drm/vkms/vkms_connector.c
> +++ b/drivers/gpu/drm/vkms/vkms_connector.c
> @@ -8,6 +8,76 @@
> #include "vkms_config.h"
> #include "vkms_connector.h"
>
> +/**
> + * vkms_connector_build_path_property() - Build the PATH property string for MST connectors
[ ... ]
> + if (!root_cfg || !root_cfg->connector)
> + return;
> +
> + root_connector = root_cfg->connector;
> +
> + len = snprintf(path, sizeof(path), "mst:%d", root_connector->base.base.id);
> +
> + for (i = port_count - 2; i >= 0; i--) {
[Severity: Medium]
If the connector hierarchy exceeds 16 nodes, port_count will hit the
ARRAY_SIZE(port_ids) limit of 16. Does starting the loop at port_count - 2
(which evaluates to 14) accidentally skip the last recorded array element at
port_ids[15]?
Since the root node is not stored in the array when truncation occurs, it
seems this drops a valid intermediate node from the PATH property string.
> + int added = snprintf(path + len, sizeof(path) - len,
> + "-%u", port_ids[i]);
> + if (added < 0 || len + added >= sizeof(path))
> + return;
> + len += added;
> + }
> +
> + drm_connector_set_path_property(&connector->base, path);
> +}
[ ... ]
> @@ -240,6 +312,8 @@ struct vkms_connector *vkms_connector_hot_add(struct vkms_device *vkmsdev,
> if (ret)
> return ERR_PTR(ret);
[Severity: High]
Can this error path lead to a Use-After-Free and IDA leak?
The connector struct is allocated with __free(kfree). Earlier in this
function, drm_connector_dynamic_init() registers the connector base object
into the DRM mode object IDR and allocates IDAs.
If a subsequent step fails and we return ERR_PTR(ret) here, the __free(kfree)
attribute will directly free the connector memory without calling
drm_connector_cleanup(), leaving dangling pointers in the DRM IDR.
>
> + vkms_connector_build_path_property(connector, connector_cfg);
> +
> ret = drm_connector_dynamic_register(&connector->base);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260627-vkms-all-config-v5-0-854aa0840926@bootlin.com?part=37
next prev parent reply other threads:[~2026-06-27 3:57 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-27 3:30 [PATCH v5 00/38] VKMS: Introduce multiple configFS attributes Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 01/38] drm/drm_mode_config: Add helper to get plane type name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 02/38] drm/blend: Get a rotation name from it's bitfield Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 03/38] drm/drm_color_mgmt: Expose drm_get_color_encoding_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 04/38] drm/drm_color_mgmt: Expose drm_get_color_range_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 05/38] drm/connector: Export drm_get_colorspace_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 06/38] drm/drm_atomic_state_helper: Properly load default value for rotation Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 07/38] Documentation: ABI: vkms: Add current VKMS ABI documentation Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 08/38] drm/vkms: Add error handling in plane config creation Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 09/38] drm/vkms: Simplify plane_release code Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 10/38] drm/vkms: Explicitly display plane type Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 11/38] drm/vkms: Use enabled/disabled instead of 1/0 for debug Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 12/38] drm/vkms: Explicitly display connector status Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 13/38] drm/vkms: Introduce config for plane name Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 14/38] drm/vkms: Use plane folder name as " Louis Chauvet
2026-06-27 3:43 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 15/38] drm/vkms: Introduce config for plane rotation Louis Chauvet
2026-06-27 3:42 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 16/38] drm/vkms: Use DRM_ROTATION_FMT macros for rotation display Louis Chauvet
2026-06-27 3:39 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 17/38] drm/vkms: Introduce configfs for plane rotation Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 18/38] drm/vkms: Introduce config for plane color encoding Louis Chauvet
2026-06-27 3:43 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 19/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:49 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 20/38] drm/vkms: Introduce config for plane color range Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 21/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 22/38] drm/vkms: Introduce config for plane format Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 23/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 24/38] drm/vkms: Properly render plane using their zpos Louis Chauvet
2026-06-27 3:44 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 25/38] drm/vkms: Introduce config for plane zpos property Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 26/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 27/38] drm/vkms: Introduce config for connector type Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 28/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 29/38] drm/vkms: Rename vkms_connector_init to vkms_connector_init_static Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 30/38] drm/vkms: Introduce config for connector supported colorspace Louis Chauvet
2026-06-27 3:58 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 31/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 32/38] drm/vkms: Introduce config for connector EDID Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 33/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:50 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 34/38] drm/vkms: Store the enabled/disabled status for connector Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 35/38] drm/vkms: Allow to hot-add connectors Louis Chauvet
2026-06-27 3:50 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 36/38] drm/vkms: Introduce configfs for dynamic connector creation Louis Chauvet
2026-06-27 3:55 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 37/38] drm/vkms: Add connector parent configuration in vkms_config Louis Chauvet
2026-06-27 3:57 ` sashiko-bot [this message]
2026-06-27 3:30 ` [PATCH v5 38/38] drm/vkms: Add ConfigFS interface for connector parent and port_id Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260627035705.B6C171F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=louis.chauvet@bootlin.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.