From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup
Date: Sat, 16 May 2026 16:21:43 +1000
Message-ID: <review-patch7-20260510124111.1226584-8-jonas@kwiboo.se>
In-Reply-To: <20260510124111.1226584-8-jonas@kwiboo.se>
References: <20260510124111.1226584-1-jonas@kwiboo.se> <20260510124111.1226584-8-jonas@kwiboo.se>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

Fixes a real use-after-free: `struct dw_hdmi` (which embeds the connector) was freed during `dw_hdmi_bridge_destroy()` via devres, but `drm_connector_cleanup()` ran *later* during drmres release, accessing freed memory.

The fix takes a `drm_bridge_get()` when creating the connector and drops it in a new `dw_hdmi_connector_destroy()`:

```c
+static void dw_hdmi_connector_destroy(struct drm_connector *connector)
+{
+	struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector);
+
+	drm_connector_cleanup(connector);
+	drm_bridge_put(&hdmi->bridge);
+}
```

The ordering is important: cleanup first, then release the ref. Also good that `drm_connector_init_with_ddc()` return value is now properly checked. This could warrant a Fixes tag since the UAF could happen without this series too, though the conditions may be different.

---
Generated by Claude Code Patch Reviewer