Re: [PATCH v5 21/21] drm: bridge: dw_hdmi: Drop call to drm_bridge_hpd_notify()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Removing `drm_bridge_hpd_notify()` violates the DRM bridge API contract, breaks hotplug for non-polling setups, and causes inefficient global polling.
- [High] Teardown asymmetry allows the interrupt handler to re-arm canceled delayed work, leading to a Use-After-Free.
- [High] TOCTOU race condition in asynchronous workqueue leads to Use-After-Free on DRM device teardown.
--

commit ad165e8e6d6f42026d4a0bad754838b6429517bd
Author: Jonas Karlman <jonas@kwiboo.se>

drm: bridge: dw_hdmi: Drop call to drm_bridge_hpd_notify()

This commit drops the call to drm_bridge_hpd_notify() in the HDMI hotplug
delayed work to prevent duplicate hotplug uevents and modesets, relying
solely on drm_helper_hpd_irq_event().

> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 2ea8ce5eca367..d9c9d03f8eff2 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> @@ -3019,14 +3019,28 @@ static irqreturn_t dw_hdmi_hardirq(int irq, void *dev_id)
>  static void dw_hdmi_hpd_work(struct work_struct *work)
>  {
>  	struct dw_hdmi *hdmi = container_of(work, struct dw_hdmi, hpd_work.work);

This is an existing issue not introduced by this patch, but does the
delayed work lifecycle have a use-after-free vulnerability during teardown?

If cancel_delayed_work_sync(&hdmi->hpd_work) is called in dw_hdmi_remove()
before hardware interrupts are muted, can dw_hdmi_hardirq() silently
re-arm the workqueue? If the hdmi structure is then freed by devres,
execution of this work function later would cause a use-after-free.

> -	enum drm_connector_status status;
>  
>  	if (WARN_ON(!hdmi->bridge.dev))

This is another pre-existing issue, but is there a time-of-check to
time-of-use race condition here?

Since dw_hdmi is an external bridge, its lifetime is independent of the
master DRM device. If the master DRM driver unbinds concurrently, it
could set hdmi->bridge.dev to NULL and free the DRM device.

Could this workqueue evaluate hdmi->bridge.dev as non-NULL, get interrupted,
and then pass a freed DRM device pointer to drm_helper_hpd_irq_event()
below?

>  		return;

[ ... ]

>  	drm_helper_hpd_irq_event(hdmi->bridge.dev);
> -	status = dw_hdmi_phy_read_hpd(hdmi, hdmi->phy.data);
> -	drm_bridge_hpd_notify(&hdmi->bridge, status);
>  }

Does removing drm_bridge_hpd_notify() violate the DRM_BRIDGE_OP_HPD
contract and break hotplug functionality for non-polling setups?

Looking at drm_helper_hpd_irq_event(), it immediately returns false if
dev->mode_config.poll_enabled is false. For setups relying strictly on
interrupt-driven bridge hotplug notifications without enabling polling,
would this leave hotplug completely broken?

Additionally, instead of handling just the HDMI port, will
drm_helper_hpd_irq_event() force a synchronous detect() cycle on all
connectors on the DRM device that have the DRM_CONNECTOR_POLL_HPD flag set,
causing an inefficient system-wide poll?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260510124111.1226584-1-jonas@kwiboo.se?part=21