From: sashiko-bot@kernel.org
To: "Luca Ceresoli" <luca.ceresoli@bootlin.com>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH 23/37] drm/encoder: add drm_encoder_cleanup_from()
Date: Tue, 19 May 2026 11:14:08 +0000 [thread overview]
Message-ID: <20260519111408.C2C75C2BCC6@smtp.kernel.org> (raw)
In-Reply-To: <20260519-drm-bridge-hotplug-v1-23-45e2bdb3dfb4@bootlin.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Infinite loop (kernel lockup) if `drm_bridge_detach()` returns early.
- [High] Unsafe list membership check leads to out-of-bounds traversal and memory corruption.
- [High] Moving bridges to a stack list breaks bridge chain iterators during detach callbacks.
--
commit 36261e8ecb547e8946c95a0aed4ce37428b2d56e
Author: Luca Ceresoli <luca.ceresoli@bootlin.com>
drm/encoder: add drm_encoder_cleanup_from()
Introduce a variant of drm_encoder_cleanup() to detach all bridges from
a given point to the end of the pipeline.
> diff --git a/drivers/gpu/drm/drm_encoder.c b/drivers/gpu/drm/drm_encoder.c
> --- a/drivers/gpu/drm/drm_encoder.c
> +++ b/drivers/gpu/drm/drm_encoder.c
[ ... ]
> +void drm_encoder_cleanup_from(struct drm_encoder *encoder, struct drm_bridge *bridge)
> +{
> + struct drm_bridge *next;
> + LIST_HEAD(tmplist);
> +
> + /*
> + * We need the bridge_chain_mutex to modify the chain, but
[ ... ]
> + */
> + mutex_lock(&encoder->bridge_chain_mutex);
> + if (!list_empty(&bridge->chain_node))
> + list_for_each_entry_safe_from(bridge, next, &encoder->bridge_chain, chain_node)
> + list_move_tail(&bridge->chain_node, &tmplist);
> + mutex_unlock(&encoder->bridge_chain_mutex);
Could this list_empty() check lead to an out-of-bounds traversal?
The check confirms the bridge is on a list, but not necessarily the
provided encoder's chain. If a caller mistakenly passes a bridge from a
different encoder, or if a concurrent caller processes a bridge already moved
to another thread's tmplist, list_for_each_entry_safe_from() will iterate
over that unrelated list.
Since the loop termination checks against &encoder->bridge_chain, it will
never find the list head, running past the end of the foreign list and
corrupting memory.
> +
> + while (!list_empty(&tmplist))
> + drm_bridge_detach(list_first_entry(&tmplist, struct drm_bridge, chain_node));
Can this loop become infinite if drm_bridge_detach() returns early?
Looking at drm_bridge_detach() in drm_bridge.c:
void drm_bridge_detach(struct drm_bridge *bridge)
{
if (WARN_ON(!bridge))
return;
if (WARN_ON(!bridge->dev))
return;
...
list_del_init(&bridge->chain_node);
...
If an early return triggers before list_del_init(), the bridge remains in
tmplist. The list never becomes empty, and the loop will process the exact
same failing bridge indefinitely. Should the bridge be unlinked from the
temporary list before calling drm_bridge_detach()?
Also, does moving bridges to a stack-allocated tmplist break bridge chain
iterators during the detach callbacks?
drm_bridge_detach() executes bridge->funcs->detach(bridge). If a driver
calls a chain traversal API like drm_bridge_chain_get_next_bridge() during
this detach callback, the macro checks:
list_is_last(&bridge->chain_node, &bridge->encoder->bridge_chain)
Because the bridge is currently on tmplist (a stack variable), this boundary
check fails. This causes the iterator to read past the list end, returning
the stack tmplist head cast as a struct drm_bridge *, leading to memory
corruption.
> +}
> +EXPORT_SYMBOL(drm_encoder_cleanup_from);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260519-drm-bridge-hotplug-v1-0-45e2bdb3dfb4@bootlin.com?part=23
next prev parent reply other threads:[~2026-05-19 11:14 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 10:37 [PATCH 00/37] drm bridge hotplug Luca Ceresoli
2026-05-19 10:37 ` [PATCH 01/37] drm/connector: split drmm_connector_hdmi_init() in 3 parts Luca Ceresoli
2026-05-19 10:37 ` [PATCH 02/37] drm/connector: add drm_connector_hdmi_dynamic_init() Luca Ceresoli
2026-05-19 11:04 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 03/37] drm/display: bridge-connector: rename variable for consistency Luca Ceresoli
2026-05-19 10:37 ` [PATCH 04/37] drm/display: bridge-connector: store the drm_device pointer Luca Ceresoli
2026-05-19 10:37 ` [PATCH 05/37] drm/display: bridge-connector: split code creating the connector to a subfunction Luca Ceresoli
2026-05-19 10:37 ` [PATCH 06/37] drm/display: bridge-connector: use a drm_bridge_connector internally, not a drm_connector Luca Ceresoli
2026-05-19 10:37 ` [PATCH 07/37] drm/display: bridge-connector: extract drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 11:01 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 08/37] drm/display: bridge-connector: return int from drm_bridge_connector_get_bridges() Luca Ceresoli
2026-05-19 10:58 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 09/37] drm/display: bridge-connector: extract drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 10/37] drm/display: bridge-connector: return int from drm_bridge_connector_init_hdmi_audio_cec() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 11/37] drm/display: bridge-connector: return int from drm_bridge_connector_add_connector() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 12/37] drm/display: bridge-connector: hoist error management to common code Luca Ceresoli
2026-05-19 10:37 ` [PATCH 13/37] drm/display: bridge-connector: move drm_bridge_connector_put_bridges() definition eariler Luca Ceresoli
2026-05-19 10:37 ` [PATCH 14/37] drm/display: bridge-connector: add non-drmm variant of drm_bridge_connector_put_bridges() Luca Ceresoli
2026-05-19 10:37 ` [PATCH 15/37] drm/display: bridge-connector: allocate the connector dynamically Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 16/37] drm/display: bridge-connector: move per-connector fields to the dynamic connector Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 17/37] drm/display: bridge-connector: protect dynconn creation and destruction with a mutex Luca Ceresoli
2026-05-19 11:18 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 18/37] drm/bridge: samsung-dsim: remove the panel_bridge on host_detach Luca Ceresoli
2026-05-19 10:37 ` [PATCH 19/37] drm/bridge: samsung-dsim: move drm_bridge_add() call to probe Luca Ceresoli
2026-05-19 11:16 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 20/37] drm/bridge: samsung-dsim: attach: return -EPROBE_DEFER is next bridge not yet available Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 21/37] drm/bridge: initialize chain_node list head on allocation Luca Ceresoli
2026-05-19 10:37 ` [PATCH 22/37] drm/bridge: initialize chain_node list head on detach and attach errors Luca Ceresoli
2026-05-19 11:17 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 23/37] drm/encoder: add drm_encoder_cleanup_from() Luca Ceresoli
2026-05-19 11:14 ` sashiko-bot [this message]
2026-05-19 10:37 ` [PATCH 24/37] drm/atomic: move drm_atomic_helper_disable_all() and drm_atomic_helper_shutdown() from drm_atomic_helper to drm_atomic Luca Ceresoli
2026-05-19 10:57 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 25/37] drm/bridge: shutdown and cleanup on bridge unplug Luca Ceresoli
2026-05-19 11:09 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 26/37] drm: event-notifier: add mechanism to notify about hotplug events Luca Ceresoli
2026-05-19 11:06 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 27/37] drm/bridge: notify about detached bridges Luca Ceresoli
2026-05-19 11:32 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 28/37] drm/mipi-dsi: turn DRM_MIPI_DSI into a tristate Luca Ceresoli
2026-05-19 11:07 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 29/37] drm/mipi-dsi: notify about DSI attach Luca Ceresoli
2026-05-19 11:13 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 30/37] drm/bridge: add drm_bridge_is_tail() to know whether a bridge completes the pipeline Luca Ceresoli
2026-05-19 10:59 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 31/37] drm/bridge: panel: implement .is_tail Luca Ceresoli
2026-05-19 15:12 ` Neil Armstrong
2026-05-19 10:37 ` [PATCH 32/37] drm/bridge: display-connector: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 33/37] drm/bridge: samsung-dsim: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 34/37] drm/bridge: ti-sn65dsi83: " Luca Ceresoli
2026-05-19 10:37 ` [PATCH 35/37] drm/bridge: drm_bridge_attach(): don't fail on -EPROBE_DEFER Luca Ceresoli
2026-05-19 11:21 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 36/37] drm/display: bridge-connector: handle bridge hotplug Luca Ceresoli
2026-05-19 11:15 ` sashiko-bot
2026-05-19 10:37 ` [PATCH 37/37] drm/mxsfb/lcdif: enable " Luca Ceresoli
2026-05-19 11:33 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519111408.C2C75C2BCC6@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=luca.ceresoli@bootlin.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox