…
Specifically, the dp-hpd bridge is currently registered before all resources have been acquired which means that it can also be deregistered on probe deferrals.
In the meantime there is a race window where the new aux bridge driver (or PHY driver previously) may have looked up the dp-hpd bridge and stored a (non-reference-counted) pointer to the bridge which is about to be deallocated.
…
+++ b/drivers/soc/qcom/pmic_glink_altmode.c
…
@@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev, alt_port->index = port; INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
…
The function call “fwnode_handle_put(fwnode)” is used in multiple if branches. https://elixir.bootlin.com/linux/v6.8-rc5/source/drivers/soc/qcom/pmic_glink...
I suggest to add a jump target so that a bit of exception handling can be better reused at the end of this function implementation.
Regards, Markus