From: sashiko-bot@kernel.org
To: syyang@lontium.com
Cc: devicetree@vger.kernel.org, conor+dt@kernel.org, robh@kernel.org
Subject: Re: [PATCH v11 2/2] drm/bridge: Add Lontium LT7911EXC eDP to MIPI DSI bridge
Date: Fri, 22 May 2026 02:32:07 +0000 [thread overview]
Message-ID: <20260522023208.31DCA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260522015735.2833-3-syyang@lontium.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing drm_panel_bridge_remove() in lt7911exc_dsi_host_detach() causes bridge list corruption and Use-After-Free.
- [Medium] The fast `ocm_lock` is held during a 420ms hardware reset sequence, causing severe latency stalls for concurrent DRM and DSI operations.
--
commit 7a7cfdfb50c450205bc811aedab79e9db1683754
Author: Sunyun Yang <syyang@lontium.com>
drm/bridge: Add Lontium LT7911EXC eDP to MIPI DSI bridge
Add support for the Lontium LT7911EXC bridge chip, which converts
eDP input to MIPI DSI output using an internal firmware-controlled
pipeline.
> diff --git a/drivers/gpu/drm/bridge/lontium-lt7911exc.c b/drivers/gpu/drm/bridge/lontium-lt7911exc.c
> new file mode 100644
> index 0000000000000..1aec60f02f913
> --- /dev/null
> +++ b/drivers/gpu/drm/bridge/lontium-lt7911exc.c
[ ... ]
> +static void lt7911exc_firmware_upgrade_work(struct work_struct *work)
> +{
> + struct lt7911exc *lt7911exc = container_of(work, struct lt7911exc, work);
> + struct device *dev = lt7911exc->dev;
[ ... ]
> + mutex_lock(<7911exc->upgrade_lock);
> +
> + mutex_lock(<7911exc->ocm_lock);
> + lt7911exc_reset(lt7911exc);
[Severity: Medium]
Since lt7911exc_reset() sleeps for 420ms (due to msleep calls), does holding
the fast ocm_lock here unnecessarily stall concurrent DRM and DSI operations?
It looks like the upgrade_lock already serializes firmware upgrades. Can the
ocm_lock be acquired after the reset sequence?
> + lt7911exc_hw_mcu_halt(lt7911exc);
> + mutex_unlock(<7911exc->ocm_lock);
> +
> + ret = lt7911exc_block_erase(lt7911exc);
[ ... ]
> + ret = lt7911exc_write_crc(lt7911exc, crc32, FW_SIZE - 4);
> + if (ret < 0) {
> + dev_err(dev, "failed to write firmware crc\n");
> + goto out_unlock;
> + }
> +
> + mutex_lock(<7911exc->ocm_lock);
> + lt7911exc_reset(lt7911exc);
[Severity: Medium]
Similarly, does holding the ocm_lock during this second reset sequence cause
severe latency stalls for other display operations?
> + mutex_unlock(<7911exc->ocm_lock);
> +
> + ret = lt7911exc_upgrade_result(lt7911exc, crc32);
[ ... ]
> +static int lt7911exc_dsi_host_detach(struct mipi_dsi_host *host, struct mipi_dsi_device *dev)
> +{
> + struct lt7911exc *lt7911exc = dsi_host_to_lt7911exc(host);
> +
> + if (!lt7911exc->output.dev)
> + return 0;
> +
> + lt7911exc->output.dev = NULL;
[Severity: High]
Should drm_panel_bridge_remove() be called here?
When the panel is unbound, its device is destroyed and the devres cleanup
frees the bridge memory. If the bridge isn't properly removed here, the freed
bridge remains linked in the global DRM bridge_list, potentially causing a
use-after-free on subsequent list traversals.
> +
> + return 0;
> +}
[ ... ]
> +static void lt7911exc_remove(struct i2c_client *client)
> +{
> + struct lt7911exc *lt7911exc = i2c_get_clientdata(client);
[ ... ]
> + mipi_dsi_host_unregister(<7911exc->dsi_host);
> + drm_bridge_remove(<7911exc->bridge);
> +
> + if (lt7911exc->output.panel && lt7911exc->output.bridge)
> + drm_panel_bridge_remove(lt7911exc->output.bridge);
[Severity: High]
Can this dereference a freed pointer?
Since mipi_dsi_host_unregister() triggers panel detachment, and
lt7911exc_dsi_host_detach() doesn't remove the panel bridge, the bridge memory
could be freed during the detachment. Calling drm_panel_bridge_remove() here
would then lead to a use-after-free.
> +
> + gpiod_set_value_cansleep(lt7911exc->reset_gpio, 1);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260522015735.2833-1-syyang@lontium.com?part=2
prev parent reply other threads:[~2026-05-22 2:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-22 1:57 [PATCH v11 0/2] Add Lontium LT7911EXC eDP to MIPI DSI bridge syyang
2026-05-22 1:57 ` [PATCH v11 1/2] dt-bindings: bridge: " syyang
2026-05-22 1:57 ` [PATCH v11 2/2] drm/bridge: " syyang
2026-05-22 2:32 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260522023208.31DCA1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=syyang@lontium.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox