From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/bridge: samsung-dsim: fix TE GPIO ownership
Date: Fri, 05 Jun 2026 06:32:40 +1000
Message-ID:
In-Reply-To: <20260604114604.1422184-1-lgs201920130244@gmail.com>
References: <20260604114604.1422184-1-lgs201920130244@gmail.com> <20260604114604.1422184-1-lgs201920130244@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Patch Review

**The bug is real and well-described.** The original code at line 1865 used `devm_gpiod_get_optional()`, but both error and teardown paths manually call `gpiod_put()`. On device detach, devres would fire and double-free the descriptor.

**The fix is correct:**

1. **`devm_gpiod_get_optional()` → `gpiod_get_optional()`** (line 1865): This removes the devres registration, making the manual `gpiod_put()` calls the sole cleanup mechanism. Correct.

2. **`dsi->te_gpio = NULL` after `gpiod_put()` in the error path** (line 1878): Good. Without this, if `samsung_dsim_register_te_irq()` fails and the caller (or a later re-attach) checks `dsi->te_gpio`, it would see a dangling pointer. This is especially relevant since `samsung_dsim_unregister_te_irq()` is called unconditionally in `samsung_dsim_host_detach()` (line 2012) — with a stale pointer that would trigger a use-after-free.

3. **`dsi->te_gpio = NULL` after `gpiod_put()` in the unregister path** (line 1890): Good defensive practice. Protects against double-unregister if `samsung_dsim_host_detach()` were ever called twice, and makes re-attach safe.

**One minor pre-existing nit (not introduced by this patch):** In the `IS_ERR()` path (line 1868-1869), the function returns an error but leaves `dsi->te_gpio` set to an error pointer. If `samsung_dsim_enable_irq()` or `samsung_dsim_disable_irq()` were called after a failed `register_te_irq()`, the `if (dsi->te_gpio)` check at lines 1606/1612 would be true (error pointers are non-NULL), leading to `gpiod_to_irq()` on an invalid descriptor. In the current call flow this doesn't happen because `register_te_irq` failure causes `samsung_dsim_host_attach` to bail out at `err_remove_bridge` before the bridge is usable, but it's still a latent hazard. A `dsi->te_gpio = NULL` or wrapping the return in a local variable would tighten it up. But that's pre-existing and out of scope for this patch.

**Reviewed-by worthy.** The commit message is clear, the Fixes tag is appropriate, the change is minimal and correct.

---
Generated by Claude Code Patch Reviewer
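
The ownership mismatch discussed in the review, as an added userspace model that is not code from the patch, the driver or the kernel. All names here (`struct desc`, `devm_get`, `unregister_te` and so on) are hypothetical stand-ins, and the model counts releases instead of freeing memory.

```c
#include <stdio.h>

/* Userspace model, constructed for illustration: counts releases, frees nothing. */
struct desc { int refs, puts; };                   /* stands in for a GPIO descriptor */
struct dev  { struct desc *managed[4]; int n; };   /* toy devres list */
struct host { struct desc *te_gpio; };             /* stands in for the driver state */

static struct desc *get(struct desc *d) { d->refs++; return d; }
static void put(struct desc *d) { d->refs--; d->puts++; }

/* Managed get: the device's devres list will also release the descriptor. */
static struct desc *devm_get(struct dev *v, struct desc *d)
{
    v->managed[v->n++] = d;
    return get(d);
}

static void devres_release_all(struct dev *v)
{
    while (v->n)
        put(v->managed[--v->n]);
}

/* Teardown in the patched style: release once, then clear the stored pointer. */
static void unregister_te(struct host *h)
{
    if (h->te_gpio) { put(h->te_gpio); h->te_gpio = NULL; }
}

/* Pre-patch ownership: managed get plus a manual put. Returns the release count. */
int releases_buggy(void)
{
    struct desc d = {0, 0}; struct dev dev = {{0}, 0};
    struct host h = { devm_get(&dev, &d) };
    put(h.te_gpio);             /* manual put in the teardown path */
    devres_release_all(&dev);   /* devres fires on detach: second release */
    return d.puts;
}

/* Patched ownership: unmanaged get, so the manual put is the only release. */
int releases_fixed(void)
{
    struct desc d = {0, 0}; struct dev dev = {{0}, 0};
    struct host h = { get(&d) };
    unregister_te(&h);
    unregister_te(&h);          /* repeated teardown is a no-op after the NULL store */
    devres_release_all(&dev);   /* nothing registered, nothing released */
    return d.puts;
}

int main(void)
{
    printf("managed get + manual put: %d releases\n", releases_buggy());
    printf("plain get + manual put:   %d releases\n", releases_fixed());
    return 0;
}
```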