From: sashiko-bot@kernel.org
To: "Myeonghun Pak" <mhun512@gmail.com>
Cc: linux-amlogic@lists.infradead.org, neil.armstrong@linaro.org
Subject: Re: [PATCH] drm/meson: clean up KMS polling on register failure
Date: Sun, 24 May 2026 16:25:33 +0000
Message-ID: <20260524162533.A98601F000E9@smtp.kernel.org>
In-Reply-To: <20260524160657.17802-1-mhun512@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-after-free of the `drm` pointer in the `free_drm` error path of `meson_drv_bind_master()`.
- [High] Memory leak of `devm_*` allocated resources during component bind failures or unbind operations.
--
commit 0a1b882dff3689e80c5546f7c0bf38c6930a1652
Author: Myeonghun Pak <mhun512@gmail.com>
drm/meson: clean up KMS polling on register failure
This commit fixes an issue in meson_drv_bind_master() where the KMS
polling helper is left running if drm_dev_register() fails. It introduces
a new uninstall_poll error path to call drm_kms_helper_poll_fini() before
freeing the IRQ.
> diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
> index 49ff9f1f16d32..e49de5df73867 100644
> --- a/drivers/gpu/drm/meson/meson_drv.c
> +++ b/drivers/gpu/drm/meson/meson_drv.c
> @@ -352,12 +352,14 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
>
> ret = drm_dev_register(drm, 0);
> if (ret)
> - goto uninstall_irq;
> + goto uninstall_poll;
>
> drm_client_setup(drm, NULL);
>
> return 0;
>
> +uninstall_poll:
> + drm_kms_helper_poll_fini(drm);
> uninstall_irq:
> free_irq(priv->vsync_irq, drm);
> exit_afbcd:
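Review bot: The new uninstall_poll label is reached only from the drm_dev_register() failure, and the hunk does not show where drm_kms_helper_poll_init() is called. If any other check sits between that call and drm_dev_register() and still does goto uninstall_irq, it would skip drm_kms_helper_poll_fini() in the same way, so please confirm that every failure after poll init jumps to uninstall_poll. The fall-through order (poll fini, then free_irq()) is correct only if polling is started after the IRQ is requested; a short comment at the label stating that pairing would help keep later additions to this path in the right order.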
[Severity: High]
This isn't a bug introduced by this patch, but does the error unwinding path
have a use-after-free?
Looking further down in this function at the free_drm label:
    free_drm:
    	drm_dev_put(drm);
    	meson_encoder_dsi_remove(priv);
    	meson_encoder_hdmi_remove(priv);
    	meson_encoder_cvbs_remove(priv);
    	if (has_components)
    		component_unbind_all(dev, drm);
Since drm_dev_put() drops the final reference and frees the drm structure,
won't component_unbind_all() trigger a use-after-free when unbind callbacks
dereference the freed pointer?
[Severity: High]
This is also a pre-existing issue, but are we leaking devm_* resources
during component bind failures or unbind operations?
Because devm allocations are scoped to the device probe lifecycle, they
are not implicitly released during bind failure paths or unbind calls.
Could this result in permanent memory leaks across retries if component
binding fails and is later retried?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260524160657.17802-1-mhun512@gmail.com?part=1
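
The unwind ordering described in the commit message, as a user-space C model added here for illustration; it is not part of the original message or of the meson driver. The resource bits, bind_model() and fake_register() are hypothetical names, and the acquisition order (IRQ requested before polling starts) is an assumption inferred from the label order in the hunk.

```c
#include <stdio.h>

/* Bits track which resources are still held. All names are illustrative;
 * RES_AFBCD stands for whatever the exit_afbcd label releases. */
enum { RES_AFBCD = 1 << 0, RES_IRQ = 1 << 1, RES_POLL = 1 << 2 };

static unsigned int held;	/* resources currently acquired */

static void acquire(unsigned int r) { held |= r; }
static void release(unsigned int r) { held &= ~r; }

/* Stand-in for drm_dev_register(): fails on request. */
static int fake_register(int fail) { return fail ? -1 : 0; }

/*
 * patched == 0: register failure jumps to uninstall_irq (pre-patch).
 * patched != 0: register failure jumps to uninstall_poll (post-patch).
 * Returns the bitmask of resources still held when the function exits.
 */
unsigned int bind_model(int patched, int register_fails)
{
	held = 0;
	acquire(RES_AFBCD);
	acquire(RES_IRQ);	/* assumed to precede poll init */
	acquire(RES_POLL);	/* models drm_kms_helper_poll_init() */

	if (fake_register(register_fails)) {
		if (patched)
			goto uninstall_poll;
		goto uninstall_irq;
	}
	return held;		/* success: everything stays held */

uninstall_poll:
	release(RES_POLL);	/* models drm_kms_helper_poll_fini() */
uninstall_irq:
	release(RES_IRQ);	/* models free_irq() */
	release(RES_AFBCD);	/* models the exit_afbcd step */
	return held;
}

int main(void)
{
	printf("pre-patch,  register fails: held=0x%x\n", bind_model(0, 1));
	printf("post-patch, register fails: held=0x%x\n", bind_model(1, 1));
	return 0;
}
```

A non-zero result on a failure path means that resource outlived the failed bind, which is the condition the patch removes for the polling helper.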