From: sashiko-bot@kernel.org
To: "Sebastian Reichel" <sebastian.reichel@collabora.com>
Cc: conor+dt@kernel.org, olteanv@gmail.com,
neil.armstrong@linaro.org, linux-phy@lists.infradead.org,
vkoul@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v6 16/23] phy: rockchip: usbdp: Drop DP HPD handling
Date: Fri, 19 Jun 2026 16:00:01 +0000 [thread overview]
Message-ID: <20260619160001.9BA9F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260619-rockchip-usbdp-cleanup-v6-16-3bb1f54b3f35@collabora.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Potential Use-After-Free of the `udphy` struct when the driver is unbound, triggered by active Type-C consumers.
--
commit 709452eb1097435563d2642eb88ed81ae54361f2
Author: Sebastian Reichel <sebastian.reichel@collabora.com>
phy: rockchip: usbdp: Drop DP HPD handling
This patch drops the HPD handling logic from the USBDP PHY. The registers
involved require the display controller power domain being enabled and thus
the HPD signal should be handled by the displayport controller itself.
> diff --git a/drivers/phy/rockchip/phy-rockchip-usbdp.c b/drivers/phy/rockchip/phy-rockchip-usbdp.c
> index b75c190a4311f..383e68b245060 100644
> --- a/drivers/phy/rockchip/phy-rockchip-usbdp.c
> +++ b/drivers/phy/rockchip/phy-rockchip-usbdp.c
[ ... ]
> @@ -1333,6 +1291,14 @@ static int rk_udphy_typec_mux_set(struct typec_mux_dev *mux,
> struct rk_udphy *udphy = typec_mux_get_drvdata(mux);
> u8 mode;
>
> + /*
> + * Ignore mux events not involving DP AltMode, because
> + * the mode field is being reused, e.g. state->mode == 4
> + * could be either TYPEC_MODE_USB4 or TYPEC_DP_STATE_C.
> + */
> + if (!state->alt || state->alt->svid != USB_TYPEC_DP_SID)
> + return 0;
> +
> mutex_lock(&udphy->mutex);
[Severity: High]
This is a pre-existing issue, but could this code lead to a use-after-free
of the udphy struct when the driver is unbound?
The udphy structure is allocated using devm_kzalloc() in rk_udphy_probe(),
tying its lifetime to the device's binding lifecycle.
On driver unbind, devres calls typec_mux_unregister() and
typec_switch_unregister(), which run device_unregister(), and then frees
udphy.
However, device_unregister() only drops the core reference. If a Type-C
consumer (like the tcpm port driver) holds a reference to these Type-C
devices via fwnode_typec_mux_get(), the mux_dev and sw_dev objects stay
alive.
The consumer can still asynchronously invoke rk_udphy_typec_mux_set() or
rk_udphy_orien_sw_set() after the phy driver has been unbound.
Because udphy has already been freed by devres, does this mean any
subsequent call will dereference the freed udphy pointer when attempting to
lock udphy->mutex here, potentially resulting in memory corruption?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619-rockchip-usbdp-cleanup-v6-0-3bb1f54b3f35@collabora.com?part=16
--
linux-phy mailing list
linux-phy@lists.infradead.org
https://lists.infradead.org/mailman/listinfo/linux-phy
next prev parent reply other threads:[~2026-06-19 16:00 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 15:28 [PATCH v6 00/23] phy: rockchip: usbdp: Fixes, DP 1-lane support and cleanups Sebastian Reichel
2026-06-19 15:28 ` [PATCH v6 01/23] dt-bindings: phy: rockchip-usbdp: add improved ports scheme Sebastian Reichel
2026-06-19 15:28 ` [PATCH v6 02/23] phy: rockchip: usbdp: Update mode_change after error handling Sebastian Reichel
2026-06-19 15:49 ` sashiko-bot
2026-06-19 15:28 ` [PATCH v6 03/23] phy: rockchip: usbdp: Do not lose USB3 PHY status Sebastian Reichel
2026-06-19 15:28 ` [PATCH v6 04/23] phy: rockchip: usbdp: Fix devm_clk_bulk_get_all check Sebastian Reichel
2026-06-19 15:43 ` sashiko-bot
2026-06-19 15:28 ` [PATCH v6 05/23] phy: rockchip: usbdp: Drop seamless DP takeover Sebastian Reichel
2026-06-19 15:47 ` sashiko-bot
2026-06-19 15:28 ` [PATCH v6 06/23] phy: rockchip: usbdp: Limit DP lane count to muxed lanes Sebastian Reichel
2026-06-19 15:28 ` [PATCH v6 07/23] phy: rockchip: usbdp: Keep clocks running on PHY re-init Sebastian Reichel
2026-06-19 15:50 ` sashiko-bot
2026-06-19 15:28 ` [PATCH v6 08/23] phy: rockchip: usbdp: Amend SSC modulation deviation Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 09/23] phy: rockchip: usbdp: Fix LFPS detect threshold control Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 10/23] phy: rockchip: usbdp: Add missing mode_change update Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 11/23] phy: rockchip: usbdp: Support single-lane DP Sebastian Reichel
2026-06-19 15:48 ` sashiko-bot
2026-06-19 15:29 ` [PATCH v6 12/23] phy: rockchip: usbdp: Rename DP lane functions Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 13/23] phy: rockchip: usbdp: Use FIELD_PREP_WM16_CONST Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 14/23] phy: rockchip: usbdp: Cleanup DP lane selection function Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 15/23] phy: rockchip: usbdp: Register DP aux bridge Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 16/23] phy: rockchip: usbdp: Drop DP HPD handling Sebastian Reichel
2026-06-19 16:00 ` sashiko-bot [this message]
2026-06-19 15:29 ` [PATCH v6 17/23] phy: rockchip: usbdp: Rename mode_change to phy_needs_reinit Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 18/23] phy: rockchip: usbdp: Re-init the PHY on orientation change Sebastian Reichel
2026-06-19 15:53 ` sashiko-bot
2026-06-19 15:29 ` [PATCH v6 19/23] phy: rockchip: usbdp: Factor out lane_mux_sel setup Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 20/23] phy: rockchip: usbdp: Use guard functions for mutex Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 21/23] phy: rockchip: usbdp: Support going from DP-only mode to USB mode Sebastian Reichel
2026-06-19 15:57 ` sashiko-bot
2026-06-19 15:29 ` [PATCH v6 22/23] phy: rockchip: usbdp: Hold mutex in DP PHY configure Sebastian Reichel
2026-06-19 15:29 ` [PATCH v6 23/23] phy: rockchip: usbdp: Add some extra debug messages Sebastian Reichel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619160001.9BA9F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-phy@lists.infradead.org \
--cc=neil.armstrong@linaro.org \
--cc=olteanv@gmail.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=sebastian.reichel@collabora.com \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox