From: sashiko-bot@kernel.org
To: "Maxime Ripard" <mripard@kernel.org>
Cc: dri-devel@lists.freedesktop.org, Frank.Li@kernel.org,
imx@lists.linux.dev
Subject: Re: [PATCH v2 14/78] drm/bridge: imx8mp-hdmi-pvi: Switch to atomic_create_state
Date: Mon, 08 Jun 2026 15:45:28 +0000 [thread overview]
Message-ID: <20260608154529.3A7E11F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260608-drm-no-more-bridge-reset-v2-14-0a91018bf886@kernel.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Unbalanced pm_runtime_put and potential unclocked register access if pm_runtime_resume_and_get fails in atomic_enable.
- [High] Use-After-Free and unmapped memory access due to devm_ resource lifetime mismatch when the device is unbound.
--
commit 935043b57c7562e813344d06040c4edaf524faa0
Author: Maxime Ripard <mripard@kernel.org>
drm/bridge: imx8mp-hdmi-pvi: Switch to atomic_create_state
The drm_bridge_funcs.atomic_reset callback and its
drm_atomic_helper_bridge_reset() helper are deprecated.
Switch to the atomic_create_state callback and its
drm_atomic_helper_bridge_create_state() counterpart.
> diff --git a/drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c b/drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c
> index 7d5fda7173e5f..a31d4fc76f35b 100644
> --- a/drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c
> +++ b/drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c
> @@ -131,7 +131,7 @@ static const struct drm_bridge_funcs imx_hdmi_pvi_bridge_funcs = {
> .atomic_get_input_bus_fmts = imx8mp_hdmi_pvi_bridge_get_input_bus_fmts,
> .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state,
> - .atomic_reset = drm_atomic_helper_bridge_reset,
> + .atomic_create_state = drm_atomic_helper_bridge_create_state,
> };
>
> static int imx8mp_hdmi_pvi_probe(struct platform_device *pdev)
[Severity: High]
This isn't a bug introduced by this patch, but does the error handling in
imx8mp_hdmi_pvi_bridge_enable() leave the bridge in a state that could
trigger a regression later?
If pm_runtime_resume_and_get() fails in the enable path, it returns without
setting a flag:
drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c:imx8mp_hdmi_pvi_bridge_enable() {
...
if (WARN_ON(pm_runtime_resume_and_get(pvi->dev)))
return;
...
}
Later, imx8mp_hdmi_pvi_bridge_disable() unconditionally writes to the registers
and decrements the usage counter:
drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c:imx8mp_hdmi_pvi_bridge_disable() {
...
writel(0x0, pvi->regs + HTX_PVI_CTRL);
pm_runtime_put(pvi->dev);
}
Could this unconditional write to an unclocked IP block cause a synchronous
data abort, and lead to a PM usage counter underflow?
[Severity: High]
This is a pre-existing issue, but could this resource allocation pattern
cause a regression during device unbind?
The bridge structure and I/O registers are allocated using devres in the
probe function:
drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c:imx8mp_hdmi_pvi_probe() {
...
pvi = devm_drm_bridge_alloc(&pdev->dev, struct imx8mp_hdmi_pvi,
bridge, &imx_hdmi_pvi_bridge_funcs);
...
pvi->regs = devm_platform_ioremap_resource(pdev, 0);
...
}
If the driver is unbound, these devm-managed resources will be freed and
unmapped. However, since drm_bridge_remove() does not synchronize with active
display pipelines, the DRM core might still hold references to the bridge.
If the pipeline is torn down after unbind, imx8mp_hdmi_pvi_bridge_disable()
would be called:
drivers/gpu/drm/bridge/imx/imx8mp-hdmi-pvi.c:imx8mp_hdmi_pvi_bridge_disable() {
...
writel(0x0, pvi->regs + HTX_PVI_CTRL);
...
}
Would this result in accessing unmapped registers and the freed bridge
structure during pipeline teardown?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-drm-no-more-bridge-reset-v2-0-0a91018bf886@kernel.org?part=14
next prev parent reply other threads:[~2026-06-08 15:45 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 14:35 [PATCH v2 00/78] drm/bridge: Convert all reset users to create_state Maxime Ripard
2026-06-08 14:35 ` [PATCH v2 14/78] drm/bridge: imx8mp-hdmi-pvi: Switch to atomic_create_state Maxime Ripard
2026-06-08 15:45 ` sashiko-bot [this message]
2026-06-09 6:47 ` Liu Ying
2026-06-08 14:35 ` [PATCH v2 15/78] drm/bridge: imx8qm-ldb: " Maxime Ripard
2026-06-09 6:51 ` Liu Ying
2026-06-08 14:35 ` [PATCH v2 16/78] drm/bridge: imx8qxp-ldb: " Maxime Ripard
2026-06-09 6:52 ` Liu Ying
2026-06-08 14:35 ` [PATCH v2 17/78] drm/bridge: imx8qxp-pixel-combiner: " Maxime Ripard
2026-06-08 15:55 ` sashiko-bot
2026-06-09 6:53 ` Liu Ying
2026-06-08 14:36 ` [PATCH v2 18/78] drm/bridge: imx8qxp-pixel-link: " Maxime Ripard
2026-06-09 6:54 ` Liu Ying
2026-06-08 14:36 ` [PATCH v2 19/78] drm/bridge: imx8qxp-pxl2dpi: " Maxime Ripard
2026-06-08 16:00 ` sashiko-bot
2026-06-09 6:54 ` Liu Ying
2026-06-08 14:36 ` [PATCH v2 47/78] drm/imx: parallel-display: " Maxime Ripard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260608154529.3A7E11F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=imx@lists.linux.dev \
--cc=mripard@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox