Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Missing lock synchronization when accessing `msm_dp_panel->drm_edid` leads to a Use-After-Free on concurrent hotplug disconnect.
--
commit d30d48ee804f1c86b388754ae5b3b946f40f16b7 Author: Jens Glathe <[email protected]> drm/msm/dp: add missing drm_edid_connector_update() before add_modes on cached EDID This commit adds a missing call to drm_edid_connector_update() in the fast path of msm_dp_panel_get_modes(). This associates the cached EDID with the connector before calling drm_edid_connector_add_modes(). > diff --git a/drivers/gpu/drm/msm/dp/dp_panel.c > b/drivers/gpu/drm/msm/dp/dp_panel.c > index 6bb021820d7c5..5b4954e7cb748 100644 > --- a/drivers/gpu/drm/msm/dp/dp_panel.c > +++ b/drivers/gpu/drm/msm/dp/dp_panel.c > @@ -332,8 +332,10 @@ int msm_dp_panel_get_modes(struct msm_dp_panel > *msm_dp_panel, > return -EINVAL; > } > > - if (msm_dp_panel->drm_edid) > + if (msm_dp_panel->drm_edid) { > + drm_edid_connector_update(connector, msm_dp_panel->drm_edid); [Severity: High] Can msm_dp_panel->drm_edid be freed concurrently while being accessed here? It appears msm_dp_panel_get_modes() doesn't hold dp->plugged_lock. If a hotplug disconnect event occurs at the same time, the HPD handler thread can take this path: msm_dp_bridge_hpd_notify() -> msm_dp_hpd_unplug_handle() (acquires dp->plugged_lock) -> msm_dp_panel_unplugged() -> drm_edid_free(msm_dp_panel->drm_edid); If the EDID memory is freed by the disconnect event just after the if (msm_dp_panel->drm_edid) check succeeds, could passing this pointer into drm_edid_connector_update() lead to a use-after-free when the function dereferences it? > + return drm_edid_connector_add_modes(connector); > + } > > return 0; > } -- Sashiko AI review · https://sashiko.dev/#/patchset/20260608-drm_plug_flaky_edid-v3-1-1ca632938...@oldschoolsolutions.biz?part=1
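Review bot: The return value of the added drm_edid_connector_update() call in the cached-EDID branch is discarded, so if attaching the EDID to the connector fails, drm_edid_connector_add_modes() still runs and the failure is silent. Consider capturing the result and returning it (or logging) when it is negative, in the same way the function already returns -EINVAL a few lines earlier, or state in the commit message why ignoring it is safe on this path. The new branch also reads msm_dp_panel->drm_edid twice, once in the if and once as the call argument, so any locking change made in response to the question raised inline needs to cover both reads, not just the check.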
