Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] Misuse of `devm_*` allocators in component bind and initialization paths leads to resource leaks and Use-After-Free on unbind/rebind cycles. -- commit 17f25cb35afad5d43662041d4b770c5036dbd7aa Author: Maxime Ripard <[email protected]> drm/bridge: dw-hdmi-qp: Switch to atomic_create_state The drm_bridge_funcs.atomic_reset callback and its drm_atomic_helper_bridge_reset() helper are deprecated. Switch to the atomic_create_state callback and its drm_atomic_helper_bridge_create_state() counterpart. > diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c > b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c > index 1c214a8e6dc2d..a5217574c77e7 100644 > --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c > +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c > @@ -1192,7 +1192,7 @@ static int dw_hdmi_qp_cec_transmit(struct drm_bridge > *bridge, u8 attempts, > static const struct drm_bridge_funcs dw_hdmi_qp_bridge_funcs = { > .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, > .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, > - .atomic_reset = drm_atomic_helper_bridge_reset, > + .atomic_create_state = drm_atomic_helper_bridge_create_state, > .atomic_enable = dw_hdmi_qp_bridge_atomic_enable, > .atomic_disable = dw_hdmi_qp_bridge_atomic_disable, > .detect = dw_hdmi_qp_bridge_detect, [Severity: High] This isn't a bug introduced by this patch, but does the component bind logic leak resources on unbind/rebind cycles? In dw_hdmi_qp_bind(), devm_drm_bridge_alloc() is tied to the platform device, which means resources are not released during unbind: hdmi = devm_drm_bridge_alloc(dev, struct dw_hdmi_qp, bridge, &dw_hdmi_qp_bridge_funcs); If the DRM master is unbound and re-bound, could this reallocate memory and lead to leaks? Additionally, in dw_hdmi_qp_cec_init(), devm_request_threaded_irq() registers the CEC interrupt handler tied to the platform device instead of the connector: return devm_request_threaded_irq(hdmi->dev, cec->irq, dw_hdmi_qp_cec_hardirq, dw_hdmi_qp_cec_thread, IRQF_SHARED, dev_name(hdmi->dev), hdmi); When the DRM master is unbound, the DRM connector is freed, but the interrupt handler remains active. If a CEC interrupt fires after unbind, will it dereference the freed connector and cause a use-after-free? -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=34
