[PATCH v4 0/3] Rockchip DRM use-after-free & null-ptr-deref fixes

[PATCH v4 0/3] Rockchip DRM use-after-free & null-ptr-deref fixes

[Cristian Ciocaltea]

The first three patches in the series are fixes for use-after-free &
null-ptr-deref related issues found in dw_dp and inno-hdmi Rockchip DRM
drivers.

The following three patches provide a few minor improvements to dw_dp
and dw_hdmi_qp, while the remaining two address use-after-free and
memory allocation in DW DP core library.

Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
---
Changes in v4:
- Collected R-b from Andy
- Fixed a conflict while rebasing onto latest drm-misc-next
- Added new patch: drm/rockchip: dw_dp: Add missing newline in
  dev_err_probe() message
- Link to v3: https://lore.kernel.org/r/20260327-drm-rk-fixes-v3-0-fd2e6900c08c@collabora.com

Changes in v3:
- Dropped patches 1..6,8 already applied by Heiko
- Reworked remaining patch "drm/bridge: synopsys: dw-dp: Unregister AUX
  channel on bridge detach" into:
  * drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel
  * drm/rockchip: dw_dp: Release core resources
- Link to v2: https://lore.kernel.org/r/20260310-drm-rk-fixes-v2-0-645ecfb43f49@collabora.com

Changes in v2:
- Fixed conflicts while rebasing onto latest drm-misc-next
- Added two more patches:
  * drm/bridge: synopsys: dw-dp: Unregister AUX channel on bridge detach
  * drm/bridge: synopsys: dw-dp: Drop useless memory allocation
- Link to v1: https://lore.kernel.org/r/20260122-drm-rk-fixes-v1-0-3942f185750e@collabora.com

To: Andy Yan <andy.yan@rock-chips.com>
To: Andrzej Hajda <andrzej.hajda@intel.com>
To: Neil Armstrong <neil.armstrong@linaro.org>
To: Robert Foss <rfoss@kernel.org>
To: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
To: Jonas Karlman <jonas@kwiboo.se>
To: Jernej Skrabec <jernej.skrabec@gmail.com>
To: Luca Ceresoli <luca.ceresoli@bootlin.com>
To: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
To: Maxime Ripard <mripard@kernel.org>
To: Thomas Zimmermann <tzimmermann@suse.de>
To: David Airlie <airlied@gmail.com>
To: Simona Vetter <simona@ffwll.ch>
To: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
To: Sandy Huang <hjc@rock-chips.com>
To: Heiko Stübner <heiko@sntech.de>
To: Dmitry Baryshkov <lumag@kernel.org>
To: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Cc: kernel@collabora.com
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-rockchip@lists.infradead.org

---
Cristian Ciocaltea (3):
      drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel
      drm/rockchip: dw_dp: Add missing newline in dev_err_probe() message
      drm/rockchip: dw_dp: Release core resources

 drivers/gpu/drm/bridge/synopsys/dw-dp.c   |  6 ++++++
 drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 15 +++++++++++++--
 include/drm/bridge/dw_dp.h                |  1 +
 3 files changed, 20 insertions(+), 2 deletions(-)
---
base-commit: e84b07e0a30b371117f9a1120a4645c213f39cd9
change-id: 20260122-drm-rk-fixes-a7622c71553e

[PATCH v4 1/3] drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel

[Cristian Ciocaltea]

The DisplayPort AUX channel gets initialized and registered during
dw_dp_bind(), but it is never unregistered, which may lead to resource
leaks and/or use-after-free.

Add the missing dw_dp_unbind() function to allow the users of the
library to handle the required cleanup, i.e. unregister the AUX adapter.

Fixes: 86eecc3a9c2e ("drm/bridge: synopsys: Add DW DPTX Controller support library")
Reviewed-by: Andy Yan <andy.yan@rock-chips.com>
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
---
 drivers/gpu/drm/bridge/synopsys/dw-dp.c | 6 ++++++
 include/drm/bridge/dw_dp.h              | 1 +
 2 files changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/bridge/synopsys/dw-dp.c b/drivers/gpu/drm/bridge/synopsys/dw-dp.c
index 21541be094c4..36ee6e027af5 100644
--- a/drivers/gpu/drm/bridge/synopsys/dw-dp.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-dp.c
@@ -2093,6 +2093,12 @@ struct dw_dp *dw_dp_bind(struct device *dev, struct drm_encoder *encoder,
 }
 EXPORT_SYMBOL_GPL(dw_dp_bind);
 
+void dw_dp_unbind(struct dw_dp *dp)
+{
+	drm_dp_aux_unregister(&dp->aux);
+}
+EXPORT_SYMBOL_GPL(dw_dp_unbind);
+
 MODULE_AUTHOR("Andy Yan <andyshrk@163.com>");
 MODULE_DESCRIPTION("DW DP Core Library");
 MODULE_LICENSE("GPL");
diff --git a/include/drm/bridge/dw_dp.h b/include/drm/bridge/dw_dp.h
index 25363541e69d..22105c3e8e4d 100644
--- a/include/drm/bridge/dw_dp.h
+++ b/include/drm/bridge/dw_dp.h
@@ -24,4 +24,5 @@ struct dw_dp_plat_data {
 
 struct dw_dp *dw_dp_bind(struct device *dev, struct drm_encoder *encoder,
 			 const struct dw_dp_plat_data *plat_data);
+void dw_dp_unbind(struct dw_dp *dp);
 #endif /* __DW_DP__ */

-- 
2.54.0

Claude review: drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** The new `dw_dp_unbind()` function correctly calls `drm_dp_aux_unregister(&dp->aux)`, which is the counterpart to the `drm_dp_aux_register(&dp->aux)` at line 2051 of the existing code. The function takes `struct dw_dp *dp` which is the opaque type returned by `dw_dp_bind()`, so the API is consistent.

```c
+void dw_dp_unbind(struct dw_dp *dp)
+{
+	drm_dp_aux_unregister(&dp->aux);
+}
+EXPORT_SYMBOL_GPL(dw_dp_unbind);
```

**Minor design observation:** The existing `dw_dp_bind()` already uses `devm_add_action_or_reset()` for the PHY exit cleanup (line 2071). The AUX unregister could similarly be wrapped in a devres action right after `drm_dp_aux_register()` succeeds, which would eliminate the need for callers to call `dw_dp_unbind()` at all and would be more in line with the function's existing resource management pattern. That said, the explicit unbind approach works correctly and gives callers control over ordering, which is a reasonable design choice.

**Header change is correct** — adds the declaration to `include/drm/bridge/dw_dp.h` next to the existing `dw_dp_bind()` declaration.

**Fixes tag is correct** — references the commit that introduced `dw_dp_bind()` without a matching unbind.

No issues.

---
Generated by Claude Code Patch Reviewer

[PATCH v4 2/3] drm/rockchip: dw_dp: Add missing newline in dev_err_probe() message

[Cristian Ciocaltea]

Add the missing trailing newline to dev_err_probe() call in
dw_dp_rockchip_bind().

Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
Fixes: 26cb3e26efa7 ("drm/rockchip: dw_dp: Simplify error handling")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
---
 drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
index 32bc73a1d5e4..f137f699737c 100644
--- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
@@ -109,7 +109,7 @@ static int dw_dp_rockchip_bind(struct device *dev, struct device *master, void *
 	connector = drm_bridge_connector_init(drm_dev, encoder);
 	if (IS_ERR(connector))
 		return dev_err_probe(dev, PTR_ERR(connector),
-				     "Failed to init bridge connector");
+				     "Failed to init bridge connector\n");
 
 	return 0;
 }

-- 
2.54.0

Re:[PATCH v4 2/3] drm/rockchip: dw_dp: Add missing newline in dev_err_probe() message

[Andy Yan]

Hello Cristian，

At 2026-06-02 00:13:45, "Cristian Ciocaltea" <cristian.ciocaltea@collabora.com> wrote:
>Add the missing trailing newline to dev_err_probe() call in
>dw_dp_rockchip_bind().
>
>Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
>Fixes: 26cb3e26efa7 ("drm/rockchip: dw_dp: Simplify error handling")


Just one Fixes tag？


>Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
>---
> drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>index 32bc73a1d5e4..f137f699737c 100644
>--- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>+++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>@@ -109,7 +109,7 @@ static int dw_dp_rockchip_bind(struct device *dev, struct device *master, void *
> 	connector = drm_bridge_connector_init(drm_dev, encoder);
> 	if (IS_ERR(connector))
> 		return dev_err_probe(dev, PTR_ERR(connector),
>-				     "Failed to init bridge connector");
>+				     "Failed to init bridge connector\n");
> 
> 	return 0;
> }
>
>-- 
>2.54.0

Claude review: drm/rockchip: dw_dp: Add missing newline in dev_err_probe() message

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** Trivial fix adding `\n` to the `dev_err_probe()` format string:

```c
-				     "Failed to init bridge connector");
+				     "Failed to init bridge connector\n");
```

This is correct — `dev_err_probe()` uses `dev_err()` internally which does not append a newline, so the caller must provide it.

**Has two Fixes tags**, one for the original code and one for a simplification commit that touched this line. Both are reasonable.

No issues.

---
Generated by Claude Code Patch Reviewer

[PATCH v4 3/3] drm/rockchip: dw_dp: Release core resources

[Cristian Ciocaltea]

Core resources such as the DisplayPort AUX channel get initialized and
registered during dw_dp_bind(), but are never unregistered, which may
lead to memory leaks and/or use-after-free:

[  224.661371] BUG: KASAN: slab-use-after-free in device_is_dependent+0xe0/0x2b0
[  224.662015] Read of size 8 at addr ffff00011aee8550 by task modprobe/658
[  224.662612]
[  224.662752] CPU: 7 UID: 0 PID: 658 Comm: modprobe Not tainted 7.0.0-rc2-next-20260305 #14 PREEMPT
[  224.662759] Hardware name: Radxa ROCK 5B (DT)
[  224.662762] Call trace:
[  224.662764]  show_stack+0x20/0x38 (C)
[  224.662772]  dump_stack_lvl+0x6c/0x98
[  224.662777]  print_report+0x160/0x4b8
[  224.662783]  kasan_report+0xb4/0xe0
[  224.662790]  __asan_report_load8_noabort+0x20/0x30
[  224.662796]  device_is_dependent+0xe0/0x2b0
[  224.662802]  device_is_dependent+0x108/0x2b0
[  224.662808]  device_link_add+0x1f8/0x10b0
[  224.662813]  devm_of_phy_get_by_index+0x120/0x200
[  224.662819]  dw_dp_bind+0x34c/0xb10 [dw_dp]
[  224.662830]  dw_dp_rockchip_bind+0x194/0x250 [rockchipdrm]
[  224.662864]  component_bind_all+0x3a8/0x720
[  224.662869]  rockchip_drm_bind+0x120/0x390 [rockchipdrm]
[  224.662899]  try_to_bring_up_aggregate_device+0x76c/0x838
[  224.662904]  component_master_add_with_match+0x1f4/0x230
[  224.662909]  rockchip_drm_platform_probe+0x420/0x538 [rockchipdrm]
[  224.662939]  platform_probe+0xe8/0x168
[  224.662945]  really_probe+0x340/0x828
[  224.662950]  __driver_probe_device+0x2e0/0x350
[  224.662954]  driver_probe_device+0x80/0x140
[  224.662959]  __driver_attach+0x398/0x460
[  224.662964]  bus_for_each_dev+0xe0/0x198
[  224.662968]  driver_attach+0x50/0x68
[  224.662972]  bus_add_driver+0x2a0/0x4c0
[  224.662977]  driver_register+0x294/0x360
[  224.662982]  __platform_driver_register+0x7c/0x98
[  224.662987]  rockchip_drm_init+0xc4/0xff8 [rockchipdrm]

Since a previous commit exported dw_dp_unbind() function in DW DP core
library to take care of the necessary cleanup, use this in the
component's unbind() callback, as well as in its bind() error path.

Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
---
 drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
index f137f699737c..0de822360c8d 100644
--- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
@@ -107,15 +107,26 @@ static int dw_dp_rockchip_bind(struct device *dev, struct device *master, void *
 		return PTR_ERR(dp->base);
 
 	connector = drm_bridge_connector_init(drm_dev, encoder);
-	if (IS_ERR(connector))
+	if (IS_ERR(connector)) {
+		dw_dp_unbind(dp->base);
 		return dev_err_probe(dev, PTR_ERR(connector),
 				     "Failed to init bridge connector\n");
+	}
 
 	return 0;
 }
 
+static void dw_dp_rockchip_unbind(struct device *dev, struct device *master,
+				  void *data)
+{
+	struct rockchip_dw_dp *dp = dev_get_drvdata(dev);
+
+	dw_dp_unbind(dp->base);
+}
+
 static const struct component_ops dw_dp_rockchip_component_ops = {
 	.bind = dw_dp_rockchip_bind,
+	.unbind = dw_dp_rockchip_unbind,
 };
 
 static int dw_dp_probe(struct platform_device *pdev)

-- 
2.54.0

Re:[PATCH v4 3/3] drm/rockchip: dw_dp: Release core resources

[Andy Yan]

Hello Cristian，

At 2026-06-02 00:13:46, "Cristian Ciocaltea" <cristian.ciocaltea@collabora.com> wrote:
>Core resources such as the DisplayPort AUX channel get initialized and
>registered during dw_dp_bind(), but are never unregistered, which may
>lead to memory leaks and/or use-after-free:
>
>[  224.661371] BUG: KASAN: slab-use-after-free in device_is_dependent+0xe0/0x2b0
>[  224.662015] Read of size 8 at addr ffff00011aee8550 by task modprobe/658
>[  224.662612]
>[  224.662752] CPU: 7 UID: 0 PID: 658 Comm: modprobe Not tainted 7.0.0-rc2-next-20260305 #14 PREEMPT
>[  224.662759] Hardware name: Radxa ROCK 5B (DT)
>[  224.662762] Call trace:
>[  224.662764]  show_stack+0x20/0x38 (C)
>[  224.662772]  dump_stack_lvl+0x6c/0x98
>[  224.662777]  print_report+0x160/0x4b8
>[  224.662783]  kasan_report+0xb4/0xe0
>[  224.662790]  __asan_report_load8_noabort+0x20/0x30
>[  224.662796]  device_is_dependent+0xe0/0x2b0
>[  224.662802]  device_is_dependent+0x108/0x2b0
>[  224.662808]  device_link_add+0x1f8/0x10b0
>[  224.662813]  devm_of_phy_get_by_index+0x120/0x200
>[  224.662819]  dw_dp_bind+0x34c/0xb10 [dw_dp]
>[  224.662830]  dw_dp_rockchip_bind+0x194/0x250 [rockchipdrm]
>[  224.662864]  component_bind_all+0x3a8/0x720
>[  224.662869]  rockchip_drm_bind+0x120/0x390 [rockchipdrm]
>[  224.662899]  try_to_bring_up_aggregate_device+0x76c/0x838
>[  224.662904]  component_master_add_with_match+0x1f4/0x230
>[  224.662909]  rockchip_drm_platform_probe+0x420/0x538 [rockchipdrm]
>[  224.662939]  platform_probe+0xe8/0x168
>[  224.662945]  really_probe+0x340/0x828
>[  224.662950]  __driver_probe_device+0x2e0/0x350
>[  224.662954]  driver_probe_device+0x80/0x140
>[  224.662959]  __driver_attach+0x398/0x460
>[  224.662964]  bus_for_each_dev+0xe0/0x198
>[  224.662968]  driver_attach+0x50/0x68
>[  224.662972]  bus_add_driver+0x2a0/0x4c0
>[  224.662977]  driver_register+0x294/0x360
>[  224.662982]  __platform_driver_register+0x7c/0x98
>[  224.662987]  rockchip_drm_init+0xc4/0xff8 [rockchipdrm]
>
>Since a previous commit exported dw_dp_unbind() function in DW DP core
>library to take care of the necessary cleanup, use this in the
>component's unbind() callback, as well as in its bind() error path.
>
>Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
>Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>

   Reviewed-by: Andy Yan <andy.yan@rock-chips.com>

Thanks

>---
> drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>index f137f699737c..0de822360c8d 100644
>--- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>+++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
>@@ -107,15 +107,26 @@ static int dw_dp_rockchip_bind(struct device *dev, struct device *master, void *
> 		return PTR_ERR(dp->base);
> 
> 	connector = drm_bridge_connector_init(drm_dev, encoder);
>-	if (IS_ERR(connector))
>+	if (IS_ERR(connector)) {
>+		dw_dp_unbind(dp->base);
> 		return dev_err_probe(dev, PTR_ERR(connector),
> 				     "Failed to init bridge connector\n");
>+	}
> 
> 	return 0;
> }
> 
>+static void dw_dp_rockchip_unbind(struct device *dev, struct device *master,
>+				  void *data)
>+{
>+	struct rockchip_dw_dp *dp = dev_get_drvdata(dev);
>+
>+	dw_dp_unbind(dp->base);
>+}
>+
> static const struct component_ops dw_dp_rockchip_component_ops = {
> 	.bind = dw_dp_rockchip_bind,
>+	.unbind = dw_dp_rockchip_unbind,
> };
> 
> static int dw_dp_probe(struct platform_device *pdev)
>
>-- 
>2.54.0

Claude review: drm/rockchip: dw_dp: Release core resources

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** This is the key patch that actually fixes the use-after-free.

**Bind error path cleanup:**
```c
-	if (IS_ERR(connector))
+	if (IS_ERR(connector)) {
+		dw_dp_unbind(dp->base);
 		return dev_err_probe(dev, PTR_ERR(connector),
 				     "Failed to init bridge connector\n");
+	}
```

This correctly calls `dw_dp_unbind(dp->base)` when `drm_bridge_connector_init()` fails after `dw_dp_bind()` has already succeeded. The `dp->base` field holds the `struct dw_dp *` returned by `dw_dp_bind()`, so this is the right pointer to pass.

**Unbind callback:**
```c
+static void dw_dp_rockchip_unbind(struct device *dev, struct device *master,
+				  void *data)
+{
+	struct rockchip_dw_dp *dp = dev_get_drvdata(dev);
+
+	dw_dp_unbind(dp->base);
+}
```

This correctly retrieves the driver data and calls `dw_dp_unbind()`. The component framework's `.unbind` callback signature is correctly followed.

```c
 static const struct component_ops dw_dp_rockchip_component_ops = {
 	.bind = dw_dp_rockchip_bind,
+	.unbind = dw_dp_rockchip_unbind,
 };
```

**One thing to verify:** the unbind only unregisters the AUX channel. All other resources allocated in `dw_dp_bind()` are devres-managed (`devm_drm_bridge_alloc`, `devm_regmap_init_mmio`, `devm_of_phy_get`, `devm_clk_get_enabled`, `devm_reset_control_get`, `devm_drm_bridge_add`, `devm_request_threaded_irq`, `devm_add_action_or_reset`). The devres cleanup runs automatically when the device is unbound, so only the non-devres `drm_dp_aux_register()` needs explicit cleanup. This is correct — the AUX channel registration at line 2051 is the only non-devres resource.

**Ordering concern (not a bug):** `dw_dp_unbind()` unregisters the AUX channel, then devres tears down everything else. Since `drm_dp_aux_unregister()` just removes the I2C adapter and doesn't depend on the other resources being live, this ordering is safe.

No issues.

---
Generated by Claude Code Patch Reviewer

Re: [PATCH v4 0/3] Rockchip DRM use-after-free & null-ptr-deref fixes

[Heiko Stuebner]

On Mon, 01 Jun 2026 19:13:43 +0300, Cristian Ciocaltea wrote:
> The first three patches in the series are fixes for use-after-free &
> null-ptr-deref related issues found in dw_dp and inno-hdmi Rockchip DRM
> drivers.
> 
> The following three patches provide a few minor improvements to dw_dp
> and dw_hdmi_qp, while the remaining two address use-after-free and
> memory allocation in DW DP core library.
> 
> [...]

Applied, thanks!

[1/3] drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel
      commit: ed04e8e2307f35b3d8d49a554faf5e72d3d224e6
[2/3] drm/rockchip: dw_dp: Add missing newline in dev_err_probe() message
      commit: 0a01412178047bf3ff351c7e75d373e411072a87
[3/3] drm/rockchip: dw_dp: Release core resources
      commit: cc6d7aca2f37a1525a94ef97eb3ce361732c876c

Best regards,
-- 
Heiko Stuebner <heiko@sntech.de>

Claude review: Rockchip DRM use-after-free & null-ptr-deref fixes

[Claude Code Review Bot]

Overall Series Review

Subject: Rockchip DRM use-after-free & null-ptr-deref fixes
Author: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Patches: 7
Reviewed: 2026-06-04T13:55:04.889679

---

This is a clean 3-patch fix series addressing a real use-after-free bug in the Rockchip DW DP driver. The KASAN splat in patch 3's commit message confirms the issue is reproducible. The approach is sound: patch 1 adds the cleanup primitive to the core library, patch 2 is a trivial cosmetic fix, and patch 3 wires up the cleanup in the platform driver's bind error path and unbind callback. The series is well-structured with correct ordering of dependencies between patches.

The core issue is that `drm_dp_aux_register()` in `dw_dp_bind()` (line 2051 of `dw-dp.c`) is the only resource allocation in that function that is **not** managed by devres — all other resources use `devm_*` variants. Without an explicit unregister, the AUX adapter leaks or triggers use-after-free on module unload/reload.

One question worth considering: could `dw_dp_bind()` use `devm_add_action_or_reset()` to register `drm_dp_aux_unregister` as a devres action instead, eliminating the need for a separate `dw_dp_unbind()` entirely? That would follow the pattern already used for `phy_exit()` at line 2071. However, the current approach is also valid and gives the caller explicit control over cleanup ordering.

The series looks correct and ready to merge. No bugs found.

---
Generated by Claude Code Patch Reviewer

[PATCH v2 00/12] Synopsys DisplayPort Controller improvements for Rockchip platforms

[Sebastian Reichel]

This patch series updates the Synopsys Designware DisplayPort bridge
together with the only existing user: The Rockchip RK3576/RK3588:

 1. follow-up bridges (PHY, USB-C connector)
    this is needed to get USB-C DP AltMode working; I've followed the
    Qualcomm driver as reference

 2. runtime PM
    the initial driver has been upstreamed without RPM; add it to
    avoid wasting power when nothing is plugged

 3. audio
    the initial driver has been upstreamed without audio support;
    this adds all missing bits for audio with single stream transport

To properly make use of the bridge code the following USBDP PHY series
is also needed:

https://lore.kernel.org/linux-phy/20260428-rockchip-usbdp-cleanup-v4-0-7775671ece22@collabora.com/

There are two parts, which possibly need some discussion:

 1. I added a dedicated bridge callback for out-of-band hotplug events,
    which is separate from the hotplug_notify. I have a feeling, that
    there might be a better solution, but haven't found it.

 2. The DT binding for audio support - explicitly marked as RFC - works
    perfectly fine, but is not ready for MST. I don't intend to
    implement that right now, but the binding should obviously take it
    into consideration to avoid breaking it in the future. I've put
    some points for discussion into the relevant patch.

P.S.: I will be out of office in May, so please do not expect speedy
      response from me :)

Changes since PATCHv1:
 * https://lore.kernel.org/r/20260326-synopsys-dw-dp-improvements-v1-0-501849162290@collabora.com
 * rebased to latest drm-misc-next
 * prepended the Patches from Cristian's cleanup series, as they also
   needed a rebase and should be merged first
   https://lore.kernel.org/dri-devel/20260327-drm-rk-fixes-v3-0-fd2e6900c08c@collabora.com/
 * fix issue with the audio stream (un)prepare handling in last patch

Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
---
Cristian Ciocaltea (2):
      drm/bridge: synopsys: dw-dp: Support unregistering the AUX channel
      drm/rockchip: dw_dp: Release core resources

Sebastian Reichel (10):
      drm/bridge: synopsys: dw-dp: Simplify driver data setting
      drm/bridge: synopsys: dw-dp: Support MEDIA_BUS_FMT_FIXED
      drm/bridge: synopsys: dw-dp: Add follow-up bridge support
      drm/bridge: Add out-of-band HPD notify handler
      drm/rockchip: dw_dp: Implement out-of-band HPD handling
      drm/bridge: synopsys: dw-dp: Support software triggered OOB HPD
      drm/bridge: synopsys: dw-dp: Add Runtime PM support
      drm/rockchip: dw_dp: Add runtime PM support
      [RFC] dt-bindings: display: rockchip: dw-dp: fix sound DAI cells
      drm/bridge: synopsys: dw-dp: Add audio support

 .../bindings/display/rockchip/rockchip,dw-dp.yaml  |   5 +-
 drivers/gpu/drm/bridge/synopsys/dw-dp.c            | 314 ++++++++++++++++++++-
 drivers/gpu/drm/display/drm_bridge_connector.c     |   6 +
 drivers/gpu/drm/rockchip/dw_dp-rockchip.c          | 180 +++++++++++-
 include/drm/bridge/dw_dp.h                         |   7 +
 include/drm/drm_bridge.h                           |  14 +
 6 files changed, 512 insertions(+), 14 deletions(-)
---
base-commit: 3221890f4e14f17ab46224798e89fbe099904edc
change-id: 20260325-synopsys-dw-dp-improvements-7da2e98df1dd

Best regards,
-- 
Sebastian Reichel <sebastian.reichel@collabora.com>

[PATCH v2 02/12] drm/rockchip: dw_dp: Release core resources

[Sebastian Reichel]

From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>

Core resources such as the DisplayPort AUX channel get initialized and
registered during dw_dp_bind(), but are never unregistered, which may
lead to memory leaks and/or use-after-free:

[  224.661371] BUG: KASAN: slab-use-after-free in device_is_dependent+0xe0/0x2b0
[  224.662015] Read of size 8 at addr ffff00011aee8550 by task modprobe/658
[  224.662612]
[  224.662752] CPU: 7 UID: 0 PID: 658 Comm: modprobe Not tainted 7.0.0-rc2-next-20260305 #14 PREEMPT
[  224.662759] Hardware name: Radxa ROCK 5B (DT)
[  224.662762] Call trace:
[  224.662764]  show_stack+0x20/0x38 (C)
[  224.662772]  dump_stack_lvl+0x6c/0x98
[  224.662777]  print_report+0x160/0x4b8
[  224.662783]  kasan_report+0xb4/0xe0
[  224.662790]  __asan_report_load8_noabort+0x20/0x30
[  224.662796]  device_is_dependent+0xe0/0x2b0
[  224.662802]  device_is_dependent+0x108/0x2b0
[  224.662808]  device_link_add+0x1f8/0x10b0
[  224.662813]  devm_of_phy_get_by_index+0x120/0x200
[  224.662819]  dw_dp_bind+0x34c/0xb10 [dw_dp]
[  224.662830]  dw_dp_rockchip_bind+0x194/0x250 [rockchipdrm]
[  224.662864]  component_bind_all+0x3a8/0x720
[  224.662869]  rockchip_drm_bind+0x120/0x390 [rockchipdrm]
[  224.662899]  try_to_bring_up_aggregate_device+0x76c/0x838
[  224.662904]  component_master_add_with_match+0x1f4/0x230
[  224.662909]  rockchip_drm_platform_probe+0x420/0x538 [rockchipdrm]
[  224.662939]  platform_probe+0xe8/0x168
[  224.662945]  really_probe+0x340/0x828
[  224.662950]  __driver_probe_device+0x2e0/0x350
[  224.662954]  driver_probe_device+0x80/0x140
[  224.662959]  __driver_attach+0x398/0x460
[  224.662964]  bus_for_each_dev+0xe0/0x198
[  224.662968]  driver_attach+0x50/0x68
[  224.662972]  bus_add_driver+0x2a0/0x4c0
[  224.662977]  driver_register+0x294/0x360
[  224.662982]  __platform_driver_register+0x7c/0x98
[  224.662987]  rockchip_drm_init+0xc4/0xff8 [rockchipdrm]

Since a previous commit exported dw_dp_unbind() function in DW DP core
library to take care of the necessary cleanup, use this in the
component's unbind() callback, as well as in its bind() error path.

Fixes: d68ba7bac955 ("drm/rockchip: Add RK3588 DPTX output support")
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
---
 drivers/gpu/drm/rockchip/dw_dp-rockchip.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
index a9a8bf43aa1d..150c2da8fee5 100644
--- a/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_dp-rockchip.c
@@ -107,15 +107,26 @@ static int dw_dp_rockchip_bind(struct device *dev, struct device *master, void *
 		return PTR_ERR(dp->base);
 
 	connector = drm_bridge_connector_init(drm_dev, encoder);
-	if (IS_ERR(connector))
+	if (IS_ERR(connector)) {
+		dw_dp_unbind(dp->base);
 		return dev_err_probe(dev, PTR_ERR(connector),
 				     "Failed to init bridge connector");
+	}
 
 	return 0;
 }
 
+static void dw_dp_rockchip_unbind(struct device *dev, struct device *master,
+				  void *data)
+{
+	struct rockchip_dw_dp *dp = dev_get_drvdata(dev);
+
+	dw_dp_unbind(dp->base);
+}
+
 static const struct component_ops dw_dp_rockchip_component_ops = {
 	.bind = dw_dp_rockchip_bind,
+	.unbind = dw_dp_rockchip_unbind,
 };
 
 static int dw_dp_probe(struct platform_device *pdev)

-- 
2.53.0

Claude review: drm/rockchip: dw_dp: Release core resources

[Claude Code Review Bot]

Patch Review

**Author:** Cristian Ciocaltea

Adds the `dw_dp_rockchip_unbind()` component callback using the new `dw_dp_unbind()`, and also adds cleanup in the `bind()` error path after `drm_bridge_connector_init()` fails.

No issues. Good KASAN trace in the commit message that demonstrates the real problem.

---
Generated by Claude Code Patch Reviewer