From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid Date: Wed, 04 Mar 2026 08:35:54 +1000 Message-ID: In-Reply-To: <20260303211823.76631-3-jpeisach@ubuntu.com> References: <20260303211823.76631-1-jpeisach@ubuntu.com> <20260303211823.76631-3-jpeisach@ubuntu.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **This patch has a critical bug.** The removed function was: ```c static void amdgpu_connector_free_edid(struct drm_connector *connector) { struct amdgpu_connector *amdgpu_connector =3D to_amdgpu_connector(connecto= r); kfree(amdgpu_connector->edid); amdgpu_connector->edid =3D NULL; // <-- THIS IS IMPORTANT } ``` `drm_edid_free()` only frees the memory =E2=80=94 it **does not** and **can= not** set the caller's pointer to NULL. Every replacement site leaves `amdg= pu_connector->edid` as a dangling pointer. **Specific use-after-free sites:** 1. **`amdgpu_connector_vga_detect()` line 868:** ```c drm_edid_free(amdgpu_connector->edid); amdgpu_connector_get_edid(connector); ``` `amdgpu_connector_get_edid()` starts with `if (amdgpu_connector->edid) r= eturn;` =E2=80=94 the dangling non-NULL pointer causes it to return immedia= tely without reading a new EDID. The subsequent `if (!amdgpu_connector->edi= d)` check at line 871 then sees a non-NULL freed pointer and proceeds to ca= ll `drm_edid_is_digital()` on freed memory. 2. **`amdgpu_connector_vga_detect()` line 884** (shared DDC disconnect path= ): `drm_edid_free()` without NULL leaves a dangling pointer that persists i= n the struct for future accesses. 3. **`amdgpu_connector_shared_ddc()` line 979:** Same dangling pointer issu= e. 4. **`amdgpu_connector_dvi_detect()` line 1048:** Same bug as site 1 =E2=80= =94 `amdgpu_connector_get_edid()` will see the dangling pointer and skip th= e EDID read. 5. **`amdgpu_connector_dvi_detect()` line 1064** (shared DDC disconnect): S= ame dangling pointer. 6. **`amdgpu_connector_dp_detect()` line 1412:** Dangling pointer left afte= r free. 7. **`amdgpu_connector_destroy()` line 749:** This is the **only** safe cal= l site =E2=80=94 the connector struct is `kfree()`d at line 753, so the dan= gling pointer is irrelevant. **Fix:** Every `drm_edid_free(amdgpu_connector->edid)` call (except in `_de= stroy`) must be followed by `amdgpu_connector->edid =3D NULL`. Alternativel= y, keep a helper function: ```c static void amdgpu_connector_free_edid(struct drm_connector *connector) { struct amdgpu_connector *amdgpu_connector =3D to_amdgpu_connector(connecto= r); drm_edid_free(amdgpu_connector->edid); amdgpu_connector->edid =3D NULL; } ``` This would preserve the original behavior while still removing the old `kfr= ee()` call. The commit message claim that "we can just call drm_edid_free d= irectly" is incorrect because the semantics differ =E2=80=94 the wrapper pr= ovided NULL-clearing that `drm_edid_free()` does not. **Verdict: Patch 2 must be reworked. It introduces use-after-free bugs at 6= call sites.** --- Generated by Claude Code Patch Reviewer