From: Heiko Stuebner <heiko@sntech.de>
To: Sandy Huang <hjc@rock-chips.com>,
Andy Yan <andy.yan@rock-chips.com>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>,
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>,
Dmitry Baryshkov <lumag@kernel.org>,
Andrzej Hajda <andrzej.hajda@intel.com>,
Neil Armstrong <neil.armstrong@linaro.org>,
Robert Foss <rfoss@kernel.org>,
Laurent Pinchart <Laurent.pinchart@ideasonboard.com>,
Jonas Karlman <jonas@kwiboo.se>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Cc: kernel@collabora.com, dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 7/8] drm/bridge: synopsys: dw-dp: Unregister AUX channel on bridge detach
Date: Thu, 26 Mar 2026 20:28:02 +0100 [thread overview]
Message-ID: <2053748.usQuhbGJ8B@phil> (raw)
In-Reply-To: <20260310-drm-rk-fixes-v2-7-645ecfb43f49@collabora.com>
Am Montag, 9. März 2026, 23:44:35 Mitteleuropäische Normalzeit schrieb Cristian Ciocaltea:
> The DisplayPort AUX channel gets initialized and registered during
> dw_dp_bind(), but it is never unregistered, which may lead to resource
> leaks and/or use-after-free:
>
> [ 224.661371] BUG: KASAN: slab-use-after-free in device_is_dependent+0xe0/0x2b0
> [ 224.662015] Read of size 8 at addr ffff00011aee8550 by task modprobe/658
> ...
> [ 224.662796] device_is_dependent+0xe0/0x2b0
> [ 224.662802] device_is_dependent+0x108/0x2b0
> [ 224.662808] device_link_add+0x1f8/0x10b0
> [ 224.662813] devm_of_phy_get_by_index+0x120/0x200
> [ 224.662819] dw_dp_bind+0x34c/0xb10 [dw_dp]
> [ 224.662830] dw_dp_rockchip_bind+0x194/0x250 [rockchipdrm]
> [ 224.662864] component_bind_all+0x3a8/0x720
> [ 224.662869] rockchip_drm_bind+0x120/0x390 [rockchipdrm]
> [ 224.662899] try_to_bring_up_aggregate_device+0x76c/0x838
> [ 224.662904] component_master_add_with_match+0x1f4/0x230
> [ 224.662909] rockchip_drm_platform_probe+0x420/0x538 [rockchipdrm]
> [ 224.662939] platform_probe+0xe8/0x168
> [ 224.662945] really_probe+0x340/0x828
> [ 224.662950] __driver_probe_device+0x2e0/0x350
> [ 224.662954] driver_probe_device+0x80/0x140
> [ 224.662959] __driver_attach+0x398/0x460
> [ 224.662964] bus_for_each_dev+0xe0/0x198
> [ 224.662968] driver_attach+0x50/0x68
> [ 224.662972] bus_add_driver+0x2a0/0x4c0
> [ 224.662977] driver_register+0x294/0x360
> [ 224.662982] __platform_driver_register+0x7c/0x98
> [ 224.662987] rockchip_drm_init+0xc4/0xff8 [rockchipdrm]
> ...
>
> Unregister the AUX adapter on bridge detach.
that sounds sort of asymmetrical though. drm_bridge_funcs has attach and
detach callbacks and the component-framework also has bind and unbind
callbacks.
This might cause confusion later on I guess, especially as I don't know
if there could be a bridge attach, after the detach that unregisters the
aux adapter.
Looking at the AnalogixDP for example, it does the the register and
unregister in the bind/unbind callbacks of the core driver.
So I guess the in my eyes cleaner way would be to introduce a
dw_dp_unbind() function and put the aux unregister there?
At least that way, everything would be at the same "level".
Heiko
next prev parent reply other threads:[~2026-03-26 19:28 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 22:44 [PATCH v2 0/8] Rockchip DRM use-after-free & null-ptr-deref fixes Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 1/8] drm/rockchip: inno-hdmi: Switch to drmm_kzalloc() Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 2/8] drm/rockchip: dw_dp: " Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 3/8] drm/rockchip: dw_dp: Fix null-ptr-deref in dw_dp_remove() Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 4/8] drm/rockchip: dw_dp: Simplify error handling Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 5/8] drm/rockchip: dw_dp: Drop unnecessary #include Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 6/8] drm/rockchip: dw_hdmi_qp: Switch to drmm_encoder_init() Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 7/8] drm/bridge: synopsys: dw-dp: Unregister AUX channel on bridge detach Cristian Ciocaltea
2026-03-26 19:28 ` Heiko Stuebner [this message]
2026-03-27 1:08 ` Cristian Ciocaltea
2026-03-09 22:44 ` [PATCH v2 8/8] drm/bridge: synopsys: dw-dp: Drop useless memory allocation Cristian Ciocaltea
2026-03-26 19:41 ` (subset) [PATCH v2 0/8] Rockchip DRM use-after-free & null-ptr-deref fixes Heiko Stuebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2053748.usQuhbGJ8B@phil \
--to=heiko@sntech.de \
--cc=Laurent.pinchart@ideasonboard.com \
--cc=airlied@gmail.com \
--cc=andrzej.hajda@intel.com \
--cc=andy.yan@rock-chips.com \
--cc=cristian.ciocaltea@collabora.com \
--cc=dmitry.baryshkov@oss.qualcomm.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=hjc@rock-chips.com \
--cc=jernej.skrabec@gmail.com \
--cc=jonas@kwiboo.se \
--cc=kernel@collabora.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=lumag@kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=rfoss@kernel.org \
--cc=simona@ffwll.ch \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox