From: sashiko-bot@kernel.org
To: "Jonas Karlman" <jonas@kwiboo.se>
Cc: linux-amlogic@lists.infradead.org, Frank.Li@kernel.org,
imx@lists.linux.dev, linux-sunxi@lists.linux.dev,
neil.armstrong@linaro.org
Subject: Re: [PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
Date: Mon, 18 May 2026 18:33:27 +0000 [thread overview]
Message-ID: <20260518183328.13424C2BCF6@smtp.kernel.org> (raw)
In-Reply-To: <20260518180206.2480119-4-jonas@kwiboo.se>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Freeing the shared IRQ before masking the hardware interrupt source creates a race condition that can lead to an unhandled interrupt storm, permanently disabling the shared IRQ line.
--
commit 860a0518c5583dda606c670b609794b60e6bc07b
Author: Jonas Karlman <jonas@kwiboo.se>
drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
This commit explicitly frees the IRQ before the CEC adapter is unregistered
to prevent a use-after-free issue. This addresses a KASAN slab-use-after-free
report triggered during device unbind when the devres release action frees
the IRQ.
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> index 9549dabde941c..67a2a242d3ca9 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> @@ -309,6 +309,7 @@ static void dw_hdmi_cec_remove(struct platform_device *pdev)
> struct dw_hdmi_cec *cec = platform_get_drvdata(pdev);
>
> cec_notifier_cec_adap_unregister(cec->notify, cec->adap);
> + devm_free_irq(&pdev->dev, cec->irq, cec->adap);
Does this sequence create a race condition that could result in an unhandled
interrupt storm?
The dw-hdmi-cec driver shares this IRQ line with the main dw-hdmi driver.
By freeing the IRQ handler before calling cec_unregister_adapter(), the
hardware CEC interrupts might still be unmasked and active.
If the CEC hardware asserts an interrupt during this window, the shared IRQ
line will go high. The remaining handlers on that line won't clear the CEC
interrupt, returning IRQ_NONE.
This could lead to an interrupt storm, causing the kernel to permanently
disable the shared IRQ line and break the main dw-hdmi driver's functionality.
Should the CEC hardware interrupts be explicitly masked before
devm_free_irq() is called?
> cec_unregister_adapter(cec->adap);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518180206.2480119-1-jonas@kwiboo.se?part=3
WARNING: multiple messages have this Message-ID (diff)
From: sashiko-bot@kernel.org
To: "Jonas Karlman" <jonas@kwiboo.se>
Cc: linux-amlogic@lists.infradead.org, Frank.Li@kernel.org,
imx@lists.linux.dev, linux-sunxi@lists.linux.dev,
neil.armstrong@linaro.org
Subject: Re: [PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
Date: Mon, 18 May 2026 18:33:27 +0000 [thread overview]
Message-ID: <20260518183328.13424C2BCF6@smtp.kernel.org> (raw)
In-Reply-To: <20260518180206.2480119-4-jonas@kwiboo.se>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Freeing the shared IRQ before masking the hardware interrupt source creates a race condition that can lead to an unhandled interrupt storm, permanently disabling the shared IRQ line.
--
commit 860a0518c5583dda606c670b609794b60e6bc07b
Author: Jonas Karlman <jonas@kwiboo.se>
drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
This commit explicitly frees the IRQ before the CEC adapter is unregistered
to prevent a use-after-free issue. This addresses a KASAN slab-use-after-free
report triggered during device unbind when the devres release action frees
the IRQ.
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> index 9549dabde941c..67a2a242d3ca9 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> @@ -309,6 +309,7 @@ static void dw_hdmi_cec_remove(struct platform_device *pdev)
> struct dw_hdmi_cec *cec = platform_get_drvdata(pdev);
>
> cec_notifier_cec_adap_unregister(cec->notify, cec->adap);
> + devm_free_irq(&pdev->dev, cec->irq, cec->adap);
Does this sequence create a race condition that could result in an unhandled
interrupt storm?
The dw-hdmi-cec driver shares this IRQ line with the main dw-hdmi driver.
By freeing the IRQ handler before calling cec_unregister_adapter(), the
hardware CEC interrupts might still be unmasked and active.
If the CEC hardware asserts an interrupt during this window, the shared IRQ
line will go high. The remaining handlers on that line won't clear the CEC
interrupt, returning IRQ_NONE.
This could lead to an interrupt storm, causing the kernel to permanently
disable the shared IRQ line and break the main dw-hdmi driver's functionality.
Should the CEC hardware interrupts be explicitly masked before
devm_free_irq() is called?
> cec_unregister_adapter(cec->adap);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518180206.2480119-1-jonas@kwiboo.se?part=3
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2026-05-18 18:33 UTC|newest]
Thread overview: 143+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 18:01 [PATCH v7 00/23] drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 01/23] drm: bridge: dw_hdmi: Disable scrambler feature when not supported Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 02/23] drm: bridge: dw_hdmi: Only notify connected status on HPD interrupt Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:33 ` sashiko-bot [this message]
2026-05-18 18:33 ` sashiko-bot
2026-05-19 6:21 ` Hans Verkuil
2026-05-19 6:21 ` Hans Verkuil
2026-05-19 6:21 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 04/23] drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 15:18 ` Jonas Karlman
2026-05-19 15:18 ` Jonas Karlman
2026-05-19 15:18 ` Jonas Karlman
2026-05-20 6:45 ` Luca Ceresoli
2026-05-20 6:45 ` Luca Ceresoli
2026-05-20 6:45 ` Luca Ceresoli
2026-05-20 9:38 ` Jonas Karlman
2026-05-20 9:38 ` Jonas Karlman
2026-05-20 9:38 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 05/23] drm: bridge: dw_hdmi: Call poweron/poweroff from atomic enable/disable Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 06/23] drm: bridge: dw_hdmi: Use passed mode instead of stored previous_mode Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 07/23] drm: bridge: dw_hdmi: Fold poweron and setup functions Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 08/23] drm: bridge: dw_hdmi: Remove previous_mode and mode_set Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 09/23] drm: bridge: dw_hdmi: Unregister CEC notifier during connector cleanup Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 6:22 ` Hans Verkuil
2026-05-19 6:22 ` Hans Verkuil
2026-05-19 6:22 ` Hans Verkuil
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 12:06 ` Luca Ceresoli
2026-05-18 18:01 ` [PATCH v7 10/23] drm: bridge: dw_hdmi: Invalidate CEC phys addr from connector detect Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 6:25 ` Hans Verkuil
2026-05-19 6:25 ` Hans Verkuil
2026-05-19 6:25 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 11/23] drm: bridge: dw_hdmi: Remove cec_notifier_mutex Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 6:28 ` Hans Verkuil
2026-05-19 6:28 ` Hans Verkuil
2026-05-19 6:28 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 12/23] drm: bridge: dw_hdmi: Extract dw_hdmi_connector_status_update() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 6:26 ` Hans Verkuil
2026-05-19 6:26 ` Hans Verkuil
2026-05-19 6:26 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 13/23] drm: bridge: dw_hdmi: Use dw_hdmi_connector_status_update() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:47 ` sashiko-bot
2026-05-18 18:47 ` sashiko-bot
2026-05-19 6:29 ` Hans Verkuil
2026-05-19 6:29 ` Hans Verkuil
2026-05-19 6:29 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 14/23] drm: bridge: dw_hdmi: Use display_info is_hdmi and has_audio Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 15/23] drm: bridge: dw_hdmi: Use generic CEC notifier helpers Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:53 ` sashiko-bot
2026-05-18 18:53 ` sashiko-bot
2026-05-19 6:32 ` Hans Verkuil
2026-05-19 6:32 ` Hans Verkuil
2026-05-19 6:32 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 16/23] drm: bridge: dw_hdmi: Update EDID and CEC phys addr in bridge detect() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-20 9:17 ` Neil Armstrong
2026-05-20 9:17 ` Neil Armstrong
2026-05-20 9:17 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 17/23] drm: bridge: dw_hdmi: Declare bridge CEC notifier support Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-19 6:35 ` Hans Verkuil
2026-05-19 6:35 ` Hans Verkuil
2026-05-19 6:35 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 18/23] drm: bridge: dw_hdmi: Drop call to drm_bridge_hpd_notify() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 19:05 ` sashiko-bot
2026-05-18 19:05 ` sashiko-bot
2026-05-18 18:01 ` [PATCH v7 19/23] drm: bridge: dw_hdmi: Use delayed_work to debounce hotplug event Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:57 ` sashiko-bot
2026-05-18 18:57 ` sashiko-bot
2026-05-20 9:58 ` Neil Armstrong
2026-05-20 9:58 ` Neil Armstrong
2026-05-20 9:58 ` Neil Armstrong
2026-05-21 20:13 ` Jonas Karlman
2026-05-21 20:13 ` Jonas Karlman
2026-05-21 20:13 ` Jonas Karlman
2026-05-22 12:35 ` Neil Armstrong
2026-05-22 12:35 ` Neil Armstrong
2026-05-22 12:35 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 20/23] drm: bridge: dw_hdmi: Rework HDP and RXSENSE interrupt handling Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 19:08 ` sashiko-bot
2026-05-18 19:08 ` sashiko-bot
2026-05-20 9:59 ` Neil Armstrong
2026-05-20 9:59 ` Neil Armstrong
2026-05-20 9:59 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 21/23] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_setup_rx_sense() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 22/23] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_phy_update_hpd() Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 23/23] drm: bridge: dw_hdmi: Merge top and bottom half IRQ handlers Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman
2026-05-18 19:10 ` sashiko-bot
2026-05-18 19:10 ` sashiko-bot
2026-05-21 9:14 ` [PATCH v7 00/23] drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Heiko Stuebner
2026-05-21 9:14 ` Heiko Stuebner
2026-05-21 9:14 ` Heiko Stuebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260518183328.13424C2BCF6@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=imx@lists.linux.dev \
--cc=jonas@kwiboo.se \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=neil.armstrong@linaro.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.