Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues: - [High] The `reset_work` work item is never cancelled on driver unbind, resulting in a potential Use-After-Free. - [High] The return value of `devm_add_action()` is ignored in `sn65dsi83_atomic_pre_enable()`, risking resource leaks and Use-After-Free. -- commit 89a74ef02922861d8761592a3b63cea7724d9fa1 Author: Maxime Ripard <[email protected]> drm/bridge: ti-sn65dsi83: Switch to atomic_create_state The drm_bridge_funcs.atomic_reset callback and its drm_atomic_helper_bridge_reset() helper are deprecated. Switch to the atomic_create_state callback and its drm_atomic_helper_bridge_create_state() counterpart. > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c > b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > index 42b451432bbb6..ec6390ee9943c 100644 > --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > @@ -801,7 +801,7 @@ static const struct drm_bridge_funcs sn65dsi83_funcs = { > > .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, > .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, > - .atomic_reset = drm_atomic_helper_bridge_reset, > + .atomic_create_state = drm_atomic_helper_bridge_create_state, > .atomic_get_input_bus_fmts = sn65dsi83_atomic_get_input_bus_fmts, > }; [Severity: High] This isn't a bug introduced by this patch, but I noticed a potential use-after-free related to the reset_work item. Does this code need a cancel_work_sync() in the driver removal path? In sn65dsi83_remove(): static void sn65dsi83_remove(struct i2c_client *client) { struct sn65dsi83 *ctx = i2c_get_clientdata(client); drm_bridge_unplug(&ctx->bridge); } If the reset_work remains pending when sn65dsi83_remove() is called, the devres cleanup will free the ctx memory. Could this cause a use-after-free when sn65dsi83_reset_work() subsequently executes and accesses the freed ctx pointer? [Severity: High] This is a pre-existing issue, but the return value of devm_add_action() appears to be ignored in sn65dsi83_atomic_pre_enable(): err_add_action: devm_add_action(ctx->dev, sn65dsi83_release_resources, ctx); err_exit: drm_bridge_exit(idx); If devm_add_action() fails, the cleanup action won't be registered. When disabled, devm_release_action() would skip executing sn65dsi83_release_resources(). Could this bypass cancel_delayed_work_sync(&ctx->monitor_work) and leak the regulator and GPIO states, potentially leading to a use-after-free of ctx when devres frees it? -- Sashiko AI review ยท https://sashiko.dev/#/patchset/[email protected]?part=43
