In the Linux kernel, the following vulnerability has been resolved:

drm: bridge/panel: Cleanup connector on bridge detach

If we don't call drm_connector_cleanup() manually in
panel_bridge_detach(), the connector will be cleaned up with the other
DRM objects in the call to drm_mode_config_cleanup(). However, since our
drm_connector is devm-allocated, by the time drm_mode_config_cleanup()
will be called, our connector will be long gone. Therefore, the
connector must be cleaned up when the bridge is detached to avoid
use-after-free conditions.

v2: Cleanup connector only if it was created

v3: Add FIXME

v4: (Use connector->dev) directly in if() block

Linux https://git.kernel.org/stable/c/18149b420c9bd93c443e8d1f48a063d71d9f6aa1 [No types assigned]

Linux https://git.kernel.org/stable/c/4d906839d321c2efbf3fed4bc31ffd9ff55b75c0 [No types assigned]

Linux https://git.kernel.org/stable/c/98d7d76a74e48ec3ddf2e23950adff7edcab9327 [No types assigned]

Linux https://git.kernel.org/stable/c/ce450934a00cf896e648fde08d0bd1426653d7a2 [No types assigned]