Hi Andy,
On 5/31/26 1:29 PM, Andy Yan wrote:
> Hello,
>
> On 3/27/26 08:55, Cristian Ciocaltea wrote:
>> Core resources such as the DisplayPort AUX channel get initialized and
>> registered during dw_dp_bind(), but are never unregistered, which may
>> lead to memory leaks and/or use-after-free:
>>
>> [ 224.661371] BUG: KASAN: slab-use-after-free in
>> device_is_dependent+0xe0/0x2b0
>> [ 224.662015] Read of size 8 at addr ffff00011aee8550 by task modprobe/658
>> [ 224.662612]
>> [ 224.662752] CPU: 7 UID: 0 PID: 658 Comm: modprobe Not tainted
>> 7.0.0-rc2-next-20260305 #14 PREEMPT
>> [ 224.662759] Hardware name: Radxa ROCK 5B (DT)
>> [ 224.662762] Call trace:
>> [ 224.662764] show_stack+0x20/0x38 (C)
>> [ 224.662772] dump_stack_lvl+0x6c/0x98
>> [ 224.662777] print_report+0x160/0x4b8
>> [ 224.662783] kasan_report+0xb4/0xe0
>> [ 224.662790] __asan_report_load8_noabort+0x20/0x30
>> [ 224.662796] device_is_dependent+0xe0/0x2b0
>> [ 224.662802] device_is_dependent+0x108/0x2b0
>> [ 224.662808] device_link_add+0x1f8/0x10b0
>> [ 224.662813] devm_of_phy_get_by_index+0x120/0x200
>> [ 224.662819] dw_dp_bind+0x34c/0xb10 [dw_dp]
>> [ 224.662830] dw_dp_rockchip_bind+0x194/0x250 [rockchipdrm]
>> [ 224.662864] component_bind_all+0x3a8/0x720
>> [ 224.662869] rockchip_drm_bind+0x120/0x390 [rockchipdrm]
>> [ 224.662899] try_to_bring_up_aggregate_device+0x76c/0x838
>> [ 224.662904] component_master_add_with_match+0x1f4/0x230
>> [ 224.662909] rockchip_drm_platform_probe+0x420/0x538 [rockchipdrm]
>> [ 224.662939] platform_probe+0xe8/0x168
>> [ 224.662945] really_probe+0x340/0x828
>> [ 224.662950] __driver_probe_device+0x2e0/0x350
>> [ 224.662954] driver_probe_device+0x80/0x140
>> [ 224.662959] __driver_attach+0x398/0x460
>> [ 224.662964] bus_for_each_dev+0xe0/0x198
>> [ 224.662968] driver_attach+0x50/0x68
>> [ 224.662972] bus_add_driver+0x2a0/0x4c0
>> [ 224.662977] driver_register+0x294/0x360
>> [ 224.662982] __platform_driver_register+0x7c/0x98
>> [ 224.662987] rockchip_drm_init+0xc4/0xff8 [rockchipdrm]
>>
>> Since a previous commit exported dw_dp_unbind() function in DW DP core
>> library to take care of the necessary cleanup, use this in the
>> component's unbind() callback, as well as in its bind() error path.
>>
>> Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
>> Signed-off-by: Cristian Ciocaltea <[email protected]>
>> ---
>> drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 20 +++++++++++++++++---
>> 1 file changed, 17 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>> b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>> index 22c0911f1896..8cba90d2dd56 100644
>> --- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>> +++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>> @@ -108,14 +108,28 @@ static int dw_dp_rockchip_bind(struct device *dev,
>> struct device *master, void *
>> connector = drm_bridge_connector_init(drm_dev, encoder);
>> if (IS_ERR(connector))
>> - return dev_err_probe(dev, PTR_ERR(connector),
>> - "Failed to init bridge connector");
>> + ret = dev_err_probe(dev, PTR_ERR(connector),
>> + "Failed to init bridge connector");
>> + else
>> + ret = drm_connector_attach_encoder(connector, encoder);
>> - return drm_connector_attach_encoder(connector, encoder);
>
> This line has already been removed in the latest code.
Indeed, handled now in v4 [1] by rebasing onto latest drm-misc.
Also added a new patch to fix a missing "\n".
Thanks for reviewing!
Regards,
Cristian
[1]
https://lore.kernel.org/all/[email protected]/
