Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues: - [High] Calling drm_connector_cleanup() directly in panel_bridge_detach() zeroes the connector structure while userspace references may still exist, leading to a NULL pointer dereference. -- commit 0c93dfe69dc6bce062c0a90960ed927307c7202d Author: Maxime Ripard <[email protected]> drm/bridge: panel: Switch to atomic_create_state This commit updates the panel bridge driver to use the atomic_create_state callback instead of the deprecated atomic_reset callback. It switches to the corresponding drm_atomic_helper_bridge_create_state() helper. > diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c > index 4978ec98a0828..62af499f1f5cc 100644 > --- a/drivers/gpu/drm/bridge/panel.c > +++ b/drivers/gpu/drm/bridge/panel.c [ ... ] > static void panel_bridge_detach(struct drm_bridge *bridge) > { > struct panel_bridge *panel_bridge = drm_bridge_to_panel_bridge(bridge); > struct drm_connector *connector = &panel_bridge->connector; > > if (connector->dev) > drm_connector_cleanup(connector); [Severity: High] This isn't a bug introduced by this patch, but I noticed a pre-existing issue in panel_bridge_detach() here. Calling drm_connector_cleanup() directly zeroes the connector structure while userspace references may still exist. If userspace or another kernel thread still holds an active reference to this connector (refcount > 0), dropping the final reference later will invoke drm_connector_free(). Since drm_connector_cleanup() uses memset to zero the structure, connector->funcs becomes NULL. When drm_connector_free() attempts to call connector->funcs->destroy(connector), it will cause a fatal NULL pointer dereference. Can this connector cleanup be deferred until the final reference is dropped rather than cleaning it up synchronously during detach? [ ... ] > @@ -213,7 +213,7 @@ static const struct drm_bridge_funcs > panel_bridge_bridge_funcs = { > .atomic_disable = panel_bridge_atomic_disable, > .atomic_post_disable = panel_bridge_atomic_post_disable, > .get_modes = panel_bridge_get_modes, > - .atomic_reset = drm_atomic_helper_bridge_reset, > + .atomic_create_state = drm_atomic_helper_bridge_create_state, > .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, > .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, > .atomic_get_input_bus_fmts = drm_atomic_helper_bridge_propagate_bus_fmt, -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=28
