From: sashiko-bot@kernel.org
To: "Jernej Skrabec" <jernej.skrabec@gmail.com>
Cc: krzk+dt@kernel.org, devicetree@vger.kernel.org,
conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 8/8] drm/sun4i: switch DE33 to new bindings
Date: Sat, 09 May 2026 22:00:44 +0000 [thread overview]
Message-ID: <20260509220045.9044CC2BCB2@smtp.kernel.org> (raw)
In-Reply-To: <20260509190015.79086-9-jernej.skrabec@siol.net>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Uninitialized blender mode registers for DE33 due to zero plane_cnt.
- [High] Missing device link to the planes device creates a Use-After-Free vulnerability.
--
commit c691a21629b6216c482f2beb09752658d71b6425
Author: Jernej Skrabec <jernej.skrabec@gmail.com>
drm/sun4i: switch DE33 to new bindings
Now that everything is in place, switch DE33 to new bindings.
> diff --git a/drivers/gpu/drm/sun4i/sun8i_mixer.c b/drivers/gpu/drm/sun4i/sun8i_mixer.c
> index 4071ab38b4ae5..957db09384552 100644
> --- a/drivers/gpu/drm/sun4i/sun8i_mixer.c
> +++ b/drivers/gpu/drm/sun4i/sun8i_mixer.c
[ ... ]
> @@ -638,6 +624,34 @@ static int sun8i_mixer_bind(struct device *dev, struct device *master,
>
> clk_prepare_enable(mixer->mod_clk);
>
> + if (mixer->cfg->de_type == SUN8I_MIXER_DE33) {
> + struct platform_device *pdev;
> + struct device_node *np;
> + void *data;
> +
> + np = of_parse_phandle(dev->of_node, "allwinner,planes", 0);
> + if (!np) {
> + ret = -ENODEV;
> + goto err_disable_mod_clk;
> + }
> +
> + pdev = of_find_device_by_node(np);
> + of_node_put(np);
> + if (!pdev) {
> + ret = -EPROBE_DEFER;
> + goto err_disable_mod_clk;
> + }
> +
> + data = platform_get_drvdata(pdev);
> + if (!data) {
> + put_device(&pdev->dev);
> + ret = -EPROBE_DEFER;
> + goto err_disable_mod_clk;
> + }
> +
> + mixer->planes_dev = &pdev->dev;
Does this code need a device link (e.g., using device_link_add()) to the
planes device?
Without a device link, unbinding the planes driver via sysfs could free
its devres-managed memory.
Later, sun50i_planes_setup() extracts the planes driver's regmap
(planes->regs) and stores it directly in the DRM layer structures.
If the planes driver is unbound, wouldn't subsequent atomic commits
dereference the dangling layer->regs pointer and cause a use-after-free
regression?
> + }
> +
> list_add_tail(&mixer->engine.list, &drv->engine_list);
>
> /* Reset registers and disable unused sub-engines */
[ ... ]
> @@ -867,16 +886,8 @@ static const struct sun8i_mixer_cfg sun50i_h6_mixer0_cfg = {
> };
>
> static const struct sun8i_mixer_cfg sun50i_h616_mixer0_cfg = {
> - .lay_cfg = {
> - .de_type = SUN8I_MIXER_DE33,
> - .scaler_mask = 0xf,
> - .scanline_yuv = 4096,
> - },
> .de_type = SUN8I_MIXER_DE33,
> .mod_rate = 600000000,
> - .ui_num = 3,
> - .vi_num = 1,
With ui_num and vi_num removed, they will default to 0.
In sun8i_mixer_init(), we compute the total planes:
plane_cnt = mixer->cfg->vi_num + mixer->cfg->ui_num;
And then initialize the blending modes:
for (i = 0; i < plane_cnt; i++)
regmap_write(mixer->engine.regs,
SUN8I_MIXER_BLEND_MODE(base, i),
SUN8I_MIXER_BLEND_MODE_DEF);
Because plane_cnt will be 0, wouldn't this skip the blender initialization
loop entirely for DE33 hardware?
Could this regression break display composition and alpha blending by leaving
the blender pipes without their default modes?
> - .map = {0, 6, 7, 8},
> };
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260509190015.79086-1-jernej.skrabec@siol.net?part=8
prev parent reply other threads:[~2026-05-09 22:00 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-09 19:00 [PATCH v2 0/8] drm/sun4i: update DE33 support Jernej Skrabec
2026-05-09 19:00 ` [PATCH v2 1/8] clk: sunxi-ng: de2: Fix Display Engine 3.3 definitions Jernej Skrabec
2026-05-09 19:44 ` sashiko-bot
2026-05-10 19:11 ` Jernej Škrabec
2026-05-09 19:00 ` [PATCH v2 2/8] clk: sunxi-ng: de2: Export register regmap for DE33 Jernej Skrabec
2026-05-09 20:05 ` sashiko-bot
2026-05-09 19:00 ` [PATCH v2 3/8] drm/sun4i: Add support for DE33 CSC Jernej Skrabec
2026-05-09 19:00 ` [PATCH v2 4/8] drm/sun4i: vi_layer: Limit formats for DE33 Jernej Skrabec
2026-05-09 20:58 ` sashiko-bot
2026-05-09 19:00 ` [PATCH v2 5/8] dt-bindings: display: allwinner: Add DE33 planes Jernej Skrabec
2026-05-09 21:12 ` sashiko-bot
2026-05-09 19:00 ` [PATCH v2 6/8] drm/sun4i: Add planes driver Jernej Skrabec
2026-05-09 21:31 ` sashiko-bot
2026-05-09 19:00 ` [PATCH v2 7/8] dt-bindings: display: allwinner: Split H616 DE33 layer reg space Jernej Skrabec
2026-05-09 19:00 ` [PATCH v2 8/8] drm/sun4i: switch DE33 to new bindings Jernej Skrabec
2026-05-09 22:00 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260509220045.9044CC2BCB2@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=jernej.skrabec@gmail.com \
--cc=krzk+dt@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox