From: sashiko-bot@kernel.org
To: "Jonas Karlman" <jonas@kwiboo.se>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org,
	linux-amlogic@lists.infradead.org, linux-sunxi@lists.linux.dev,
	neil.armstrong@linaro.org
Subject: Re: [PATCH v7 15/23] drm: bridge: dw_hdmi: Use generic CEC notifier helpers
Date: Mon, 18 May 2026 18:53:00 +0000	[thread overview]
Message-ID: <20260518185300.C749CC2BCB7@smtp.kernel.org> (raw)
In-Reply-To: <20260518180206.2480119-16-jonas@kwiboo.se>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free and memory leak due to drmm action lifetime mismatch with the connector
--

commit 7a3d2d4c9ae6107ffef88b867d73cc39dd7e8567
Author: Jonas Karlman <jonas@kwiboo.se>
drm: bridge: dw_hdmi: Use generic CEC notifier helpers

This commit replaces the open-coded CEC notifier handling with the generic
DRM HDMI CEC notifier helpers.

> The drmm release action for the generic CEC notifier should run just
> before dw_hdmi_connector_destroy(), closely matching the lifetime of
> the replaced CEC notifier and the connector.

Is this assumption accurate for all drivers using dw_hdmi?

When master drivers like sun4i or imx are unbound, drm_mode_config_cleanup()
is often called synchronously, which in turn calls dw_hdmi_connector_destroy().

If a userspace process holds the DRM file descriptor open, the drm_device
outlives the unbind. Doesn't this mean the drmm release action will run
much later than dw_hdmi_connector_destroy(), rather than just before it?

> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 0e84dff724706..37406555af7bc 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
[ ... ]
> @@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
>  
>  	drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
>  
> -	cec_fill_conn_info_from_drm(&conn_info, connector);
> -
> -	notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
> -	if (!notifier)
> -		return -ENOMEM;
> -
> -	hdmi->cec_notifier = notifier;
> -
> -	return 0;
> +	return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
> +							 hdmi->dev);
>  }
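Review bot: the release action registered here by drmm_connector_hdmi_cec_notifier_register() is owned by the drm_device, but the `connector` it is given is embedded in `struct dw_hdmi`, whose lifetime ends with the bridge's unbind rather than with drm_dev_release(); if the helper's release action touches the connector (for example connector->cec.data), the hunk needs either a guarantee that it runs before dw_hdmi_connector_destroy() or an explicit unregister from dw_hdmi_connector_destroy() so the later drmm action only ever sees an already-unregistered notifier. Please document that ordering in the commit message, since the text above asserts it without saying what enforces it. Also, with `hdmi->cec_notifier = notifier;` gone, every remaining reader of `hdmi->cec_notifier` in this file must have been converted in the same change; that is not visible in this hunk.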

Could this cause a use-after-free when the drm_device is finally released?

Looking at dw_hdmi_connector_destroy(), it cleans up the connector state:

dw_hdmi_connector_destroy()
  drm_connector_cleanup(connector)
    ...
    memset(connector, 0, sizeof(*connector));

Since the connector is embedded in struct dw_hdmi which is managed by devres
and the bridge refcount, the memory will be freed when the platform device
unbind completes.

When the drmm action drm_connector_hdmi_cec_notifier_unregister() eventually
executes during drm_dev_release(), won't it attempt to dereference the
already freed connector pointer?

If the memory happens to still be accessible, won't it read the zeroed
connector->cec.data as a NULL pointer, silently leaking the CEC notifier?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260518180206.2480119-1-jonas@kwiboo.se?part=15
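The ordering the review questions, reduced to an added user-space model (not kernel code, and not from the patch or the dw_hdmi driver): a device-owned release action whose argument is a connector embedded in a bridge struct that is cleaned up, zeroed and freed while the device lives on. Every type and function below is constructed for this model; the bridge is never actually freed, only marked poisoned, so the access that KASAN would flag on real hardware is counted rather than executed. The second teardown order shows the alternative the review implies, where unregistration is tied to connector destroy and no device-owned action remains.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model; none of these types or functions are the kernel's. */
#define MAX_ACTIONS 4

struct model_connector {
	void *cec_data;			/* stands in for connector->cec.data */
};

struct model_bridge {
	struct model_connector connector; /* embedded, like in struct dw_hdmi */
};

struct model_device;
typedef void (*release_fn)(struct model_device *dev, void *arg);

struct model_device {
	release_fn actions[MAX_ACTIONS];	/* drmm-style release actions */
	void *args[MAX_ACTIONS];
	int nactions;
	int notifiers_live;		/* registered but never unregistered */
	int uaf_hits;			/* touches of poisoned (freed) memory */
	struct model_connector *poisoned;	/* set once the bridge is gone */
};

enum teardown_order {
	TEARDOWN_DRMM_ACTION,		/* unregister via device-owned action */
	TEARDOWN_CONNECTOR_OWNED,	/* unregister from connector destroy */
};

/* Stand-in for the sanitizer: count accesses to memory already released. */
static void touch(struct model_device *dev, struct model_connector *c)
{
	if (c == dev->poisoned)
		dev->uaf_hits++;
}

static int notifier_register(struct model_device *dev, struct model_connector *c)
{
	c->cec_data = malloc(1);	/* the notifier object itself */
	if (!c->cec_data)
		return -1;
	dev->notifiers_live++;
	return 0;
}

static void notifier_unregister(struct model_device *dev, struct model_connector *c)
{
	touch(dev, c);
	if (!c->cec_data)	/* a zeroed connector looks like "never registered" */
		return;
	free(c->cec_data);
	c->cec_data = NULL;
	dev->notifiers_live--;
}

static void unregister_action(struct model_device *dev, void *arg)
{
	notifier_unregister(dev, arg);
}

static int drmm_add_action(struct model_device *dev, release_fn fn, void *arg)
{
	if (dev->nactions == MAX_ACTIONS)
		return -1;
	dev->actions[dev->nactions] = fn;
	dev->args[dev->nactions] = arg;
	dev->nactions++;
	return 0;
}

/* Runs when the last reference to the device drops, e.g. on fd close. */
static void dev_release(struct model_device *dev)
{
	while (dev->nactions > 0) {
		int i = --dev->nactions;
		dev->actions[i](dev, dev->args[i]);
	}
}

static void connector_destroy(struct model_device *dev, struct model_bridge *b,
			      enum teardown_order order)
{
	if (order == TEARDOWN_CONNECTOR_OWNED)
		notifier_unregister(dev, &b->connector);
	memset(&b->connector, 0, sizeof(b->connector)); /* drm_connector_cleanup() */
}

/* The bridge's memory goes away with the unbind; here it is only poisoned. */
static void bridge_unbind(struct model_device *dev, struct model_bridge *b)
{
	dev->poisoned = &b->connector;
}

/* Register, destroy the connector synchronously on unbind, release the device
 * last.  Returns 0 on clean teardown, otherwise a bitmask:
 * bit 0 = notifier leaked, bit 1 = freed memory touched; -1 on setup failure. */
int run_teardown(enum teardown_order order)
{
	struct model_device dev = { 0 };
	struct model_bridge bridge = { 0 };
	int result = 0;

	if (notifier_register(&dev, &bridge.connector))
		return -1;
	if (order == TEARDOWN_DRMM_ACTION &&
	    drmm_add_action(&dev, unregister_action, &bridge.connector))
		return -1;

	connector_destroy(&dev, &bridge, order);
	bridge_unbind(&dev, &bridge);
	dev_release(&dev);

	if (dev.notifiers_live)
		result |= 1;	/* the model leaks the malloc, as the review predicts */
	if (dev.uaf_hits)
		result |= 2;
	return result;
}
```

With the device-owned action the model reports both problems at once: the action runs after the connector was zeroed and its owner released, and the NULL it finds makes it skip the unregister. Tying unregistration to connector destroy removes both, because nothing is left for the device to run later.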

