From: sashiko-bot@kernel.org
To: "Damon Ding" <damon.ding@rock-chips.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v10 05/11] drm/rockchip: analogix_dp: Enable hclk for RK3588
Date: Mon, 01 Jun 2026 07:12:45 +0000
Message-ID: <20260601071246.04B5F1F00893@smtp.kernel.org>
In-Reply-To: <20260601065100.1103873-6-damon.ding@rock-chips.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing analogix_dp_unbind() on error path in rockchip_dp_bind() causes resource leak and Use-After-Free risk.
- [High] Use-after-free risk via unreferenced device node pointer `endpoint.local_node`.
--

commit 9a213026e9dc13c601798dee6df75e3fbf1fabb3
Author: Damon Ding <damon.ding@rock-chips.com>

drm/rockchip: analogix_dp: Enable hclk for RK3588

Acquire and enable the HCLK_VO1 bus clock explicitly for RK3588
eDP controller to guarantee register and datapath access.

> diff --git a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
> index 06072efd7fca3..d2af5eb29dbb5 100644
> --- a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c
> +++ b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c

[ ... ]

[Severity: High]
This is a pre-existing issue, but does rockchip_dp_bind() leak the AUX device
registration on this error path?

drivers/gpu/drm/rockchip/analogix_dp-rockchip.c:rockchip_dp_bind() {
...
err_cleanup_encoder:
	dp->encoder.encoder.funcs->destroy(&dp->encoder.encoder);
	return ret;
}

If analogix_dp_bind() succeeds but the subsequent drm_bridge_connector_init()
fails, the code jumps to err_cleanup_encoder. This path destroys the encoder
but fails to call analogix_dp_unbind(dp->adp).

Because analogix_dp_bind() successfully registered the DRM DP AUX device,
failing to unregister it leaves the adapter active in the I2C subsystem. If
the driver is unbound, devm will free the memory containing the drm_dp_aux
structure, potentially leading to a use-after-free crash in the I2C subsystem
during any subsequent access.

[Severity: High]
This isn't a bug introduced by this patch, but is there a use-after-free risk
when accessing endpoint.local_node?

drivers/gpu/drm/rockchip/analogix_dp-rockchip.c:rockchip_dp_drm_encoder_enable() {
...
	ret = drm_of_encoder_active_endpoint(dp->dev->of_node, encoder, &endpoint);
	if (ret < 0)
		return;

	remote_port_parent = of_graph_get_remote_port_parent(endpoint.local_node);
...
}

Inside drm_of_encoder_active_endpoint(), of_node_put() drops the reference
on the local endpoint node before returning.

Since the reference is already dropped, could passing endpoint.local_node to
of_graph_get_remote_port_parent() result in a use-after-free if a device tree
overlay containing the node is removed concurrently?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260601065100.1103873-1-damon.ding@rock-chips.com?part=5
