[PATCH 2/5] drm/bridge: aux: Add drm_aux_bridge_register_from_node()
sashiko-bot at kernel.org
Wed May 20 21:53:38 PDT 2026
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Critical] The `drm_aux_bridge_register_from_node()` function fails to acquire a reference to the provided `device_node` (`np`), leading to a reference count underflow and potential use-after-free during cleanup.
- [Low] The kernel-doc comment for `drm_aux_bridge_register_from_node()` retains the old function name, causing a documentation build warning.
--
commit a4484cec194d2731c92e629a32b7e17a725601d7
Author: Chaoyi Chen <chaoyi.chen at rock-chips.com>
drm/bridge: aux: Add drm_aux_bridge_register_from_node()
This patch adds drm_aux_bridge_register_from_node() to allow
specifying the of_node corresponding to the bridge.
> diff --git a/drivers/gpu/drm/bridge/aux-bridge.c b/drivers/gpu/drm/bridge/aux-bridge.c
> index 1ed21a8713bfd..f50283abed5f6 100644
> --- a/drivers/gpu/drm/bridge/aux-bridge.c
> +++ b/drivers/gpu/drm/bridge/aux-bridge.c
> @@ -35,6 +35,7 @@ static void drm_aux_bridge_unregister_adev(void *_adev)
> /**
> * drm_aux_bridge_register - Create a simple bridge device to link the chain
[Severity: Low]
This isn't a bug, but there's a mismatch between the kernel-doc identifier
and the new function name. Should this be updated to
drm_aux_bridge_register_from_node?
> * @parent: device instance providing this bridge
> + * @np: device node pointer corresponding to this bridge instance
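Review bot: the added @np line at the end of this hunk does not say that np may be NULL, although the code hunk below falls back to the parent's node through device_set_of_node_from_dev() when it is. Suggest documenting that fallback in the @np description, and stating whether the caller keeps ownership of its own reference to np, since callers cannot tell from the comment as written.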
[ ... ]
> @@ -62,7 +63,10 @@ int drm_aux_bridge_register(struct device *parent)
> adev->dev.parent = parent;
> adev->dev.release = drm_aux_bridge_release;
>
> - device_set_of_node_from_dev(&adev->dev, parent);
> + if (np)
> + device_set_node(&adev->dev, of_fwnode_handle(np));
[Severity: Critical]
Will this cause a reference count underflow on the device node?
If np is provided, device_set_node() assigns the fwnode without incrementing
the device node's reference count.
However, both the auxiliary_device_init() error path (shown below) and the
device's release callback drm_aux_bridge_release() unconditionally call
of_node_put(adev->dev.of_node).
Since there is no matching of_node_get(), this could corrupt the reference
count and lead to a use-after-free. Should we call of_node_get(np) here?
> + else
> + device_set_of_node_from_dev(&adev->dev, parent);
>
> ret = auxiliary_device_init(adev);
> if (ret) {
> of_node_put(adev->dev.of_node);
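Review bot: the of_node_put(adev->dev.of_node) on the auxiliary_device_init() failure path at the end of this hunk runs for both branches, but only the else branch holds a reference of its own, because device_set_of_node_from_dev() takes one internally while device_set_node() does not. Suggest taking the reference in the np branch, for example device_set_node(&adev->dev, of_fwnode_handle(of_node_get(np))), so that this put and the one in drm_aux_bridge_release() stay balanced whichever branch ran.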
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521032854.103-1-kernel@airkyi.com?part=2