From: sashiko-bot@kernel.org
To: "Dmitry Baryshkov" <dmitry.baryshkov@oss.qualcomm.com>
Cc: dri-devel@lists.freedesktop.org, wsa+renesas@sang-engineering.com
Subject: Re: [PATCH v6 2/9] drm/amd/display: use drmm allocation for writeback connector
Date: Fri, 12 Jun 2026 18:44:17 +0000 [thread overview]
Message-ID: <20260612184417.D34CC1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260612-wb-drop-encoder-v6-2-9f3a54f81310@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] Compilation error due to missing argument in drmm_kfree().
Pre-existing issues:
- [High] Use-After-Free of `aencoder` and `aconnector` on error path.
--
commit 0f53c9b8f894290640afe2ed4a23503b2ea87d24
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/amd/display: use drmm allocation for writeback connector
Currently memory used for writeback connectors isn't freed on driver
unbinding, leaking the memory. Use drm_device-memory allocation
function for the writeback connector, making sure that the memory is
freed on the driver unbinding.
Reported-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Suggested-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index 97ab1e83b3186..638335ff7d019 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
[ ... ]
> @@ -5874,7 +5875,7 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
>
> if (amdgpu_dm_wb_connector_init(dm, wbcon, i)) {
> drm_err(adev_to_drm(adev), "KMS: Failed to initialize writeback connector\n");
> - kfree(wbcon);
> + drmm_kfree(wbcon);
[Severity: Low]
Does this code fail to compile? Looking at include/drm/drm_managed.h, the
function drmm_kfree() requires both a drm_device pointer and the data pointer,
but it is being called with only the data pointer here.
[Severity: High]
This isn't a bug introduced by this patch, but can the fail block in
amdgpu_dm_initialize_drm_device() trigger a use-after-free during teardown?
If amdgpu_dm_encoder_init() succeeds, the encoder is registered to the DRM
core list. If a subsequent step fails, the code jumps to the fail block:
fail:
kfree(aencoder);
kfree(aconnector);
return -EINVAL;
Since the encoder remains registered in the DRM subsystem, will
drm_mode_config_cleanup() later traverse the list and call the destroy hook,
resulting in a double-free of the encoder?
> continue;
> }
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612-wb-drop-encoder-v6-0-9f3a54f81310@oss.qualcomm.com?part=2
next prev parent reply other threads:[~2026-06-12 18:44 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 18:30 [PATCH v6 0/9] drm: writeback: clean up writeback connector initialization Dmitry Baryshkov
2026-06-12 18:30 ` [PATCH v6 1/9] drm/managed: implement managed versions of kzalloc_obj/objs() Dmitry Baryshkov
2026-06-12 18:41 ` sashiko-bot
2026-06-12 18:30 ` [PATCH v6 2/9] drm/amd/display: use drmm allocation for writeback connector Dmitry Baryshkov
2026-06-12 18:44 ` sashiko-bot [this message]
2026-06-12 18:30 ` [PATCH v6 3/9] drm/amd/display: use drmm_writeback_connector_init() Dmitry Baryshkov
2026-06-12 18:58 ` sashiko-bot
2026-06-12 18:30 ` [PATCH v6 4/9] drm/komeda: " Dmitry Baryshkov
2026-06-12 18:39 ` sashiko-bot
2026-06-12 18:30 ` [PATCH v6 5/9] drm/mali: " Dmitry Baryshkov
2026-06-12 18:40 ` sashiko-bot
2026-06-12 18:30 ` [PATCH v6 6/9] drm: renesas: rcar-du: " Dmitry Baryshkov
2026-06-12 18:30 ` [PATCH v6 7/9] drm/vc4: " Dmitry Baryshkov
2026-06-12 18:44 ` sashiko-bot
2026-06-12 18:30 ` [PATCH v6 8/9] drm: writeback: drop excess connector initialization functions Dmitry Baryshkov
2026-06-12 18:30 ` [PATCH v6 9/9] drm: writeback: rename drm_writeback_connector_init_with_encoder() Dmitry Baryshkov
2026-06-12 18:49 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612184417.D34CC1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.baryshkov@oss.qualcomm.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.