* [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid
@ 2026-04-10 7:32 Dan Carpenter
2026-04-10 12:00 ` Joshua Peisach
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2026-04-10 7:32 UTC (permalink / raw)
To: Joshua Peisach; +Cc: amd-gfx, SHANMUGAM, SRINIVASAN
Hello Joshua Peisach,
Commit 71036457ad85 ("drm/amdgpu/amdgpu_connectors: remove
amdgpu_connector_free_edid") from Mar 3, 2026 (linux-next), leads to
the following Smatch static checker warning:
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c:1058 amdgpu_connector_dvi_detect()
warn: passing freed memory 'amdgpu_connector->edid' (line 1048)
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
1032 /* Sometimes the pins required for the DDC probe on DVI
1033 * connectors don't make contact at the same time that the ones
1034 * for HPD do. If the DDC probe fails even though we had an HPD
1035 * signal, try again later
1036 */
1037 if (!dret && !force &&
1038 amdgpu_display_hpd_sense(adev, amdgpu_connector->hpd.hpd)) {
1039 DRM_DEBUG_KMS("hpd detected without ddc, retrying in 1 second\n");
1040 amdgpu_connector->detected_hpd_without_ddc = true;
1041 schedule_delayed_work(&adev->hotplug_work,
1042 msecs_to_jiffies(1000));
1043 goto exit;
1044 }
1045 }
1046 if (dret) {
1047 amdgpu_connector->detected_by_load = false;
1048 drm_edid_free(amdgpu_connector->edid);
^^^^^^^^^^^^^^^^^^^^^^
This frees ->edid. The old code used to set amdgpu_connector->edid = NULL
after freeing it.
1049 amdgpu_connector_get_edid(connector);
^^^^^^^^^
This function call is supposed to re-assign ->edid but because it's no
longer NULL then it's just a no-op. (It's so annoying that the naming
switches between amdgpu_connector which and connector which are basically
castings of each other).
1050
1051 if (!amdgpu_connector->edid) {
1052 drm_err(adev_to_drm(adev), "%s: probed a monitor but no|invalid EDID\n",
1053 connector->name);
1054 ret = connector_status_connected;
1055 broken_edid = true; /* defer use_digital to later */
1056 } else {
1057 amdgpu_connector->use_digital =
--> 1058 drm_edid_is_digital(amdgpu_connector->edid);
^^^^^^^^^^^^^^^^^^^^^^
Use after free.
1059
1060 /* some oems have boards with separate digital and analog connectors
This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid
2026-04-10 7:32 [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid Dan Carpenter
@ 2026-04-10 12:00 ` Joshua Peisach
2026-04-11 5:30 ` SHANMUGAM, SRINIVASAN
0 siblings, 1 reply; 4+ messages in thread
From: Joshua Peisach @ 2026-04-10 12:00 UTC (permalink / raw)
To: Dan Carpenter, Joshua Peisach, Alex Deucher
Cc: amd-gfx, SHANMUGAM, SRINIVASAN
On Fri Apr 10, 2026 at 3:32 AM EDT, Dan Carpenter wrote:
>
> 1057 amdgpu_connector->use_digital =
> --> 1058 drm_edid_is_digital(amdgpu_connector->edid);
> ^^^^^^^^^^^^^^^^^^^^^^
> Use after free.
>
Lovely. I was wondering if that Claude review[1] was accurate. I also
asked in IRC if it was something to be considered about but I didn't
get a response[2]. I'll be more pressing next time, sorry.
This morning I'm unable to test, but I think reverting the commit that
removed amdgpu_connector_free_edid[3] should fix it.
What do you think?
Thanks again for the report.
[1]: https://lore.gitlab.freedesktop.org/drm-ai-reviews/review-overall-20260303211823.76631-1-jpeisach@ubuntu.com/
[2]: https://people.freedesktop.org/~cbrill/dri-log/?channel=radeon&highlight_names=&date=2026-03-17&show_html=true
[3]: https://gitlab.freedesktop.org/agd5f/linux/-/commit/289479173fb538f3ec7aac5206f49e39367ee75c
-Josh
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid
2026-04-10 12:00 ` Joshua Peisach
@ 2026-04-11 5:30 ` SHANMUGAM, SRINIVASAN
2026-04-11 11:45 ` Joshua Peisach
0 siblings, 1 reply; 4+ messages in thread
From: SHANMUGAM, SRINIVASAN @ 2026-04-11 5:30 UTC (permalink / raw)
To: Joshua Peisach, Dan Carpenter, Deucher, Alexander
Cc: amd-gfx@lists.freedesktop.org, Wentland, Harry, Li, Roman,
Hung, Alex, Chung, ChiaHsuan (Tom), Pillai, Aurabindo
[Public]
> -----Original Message-----
> From: Joshua Peisach <jpeisach@ubuntu.com>
> Sent: Friday, April 10, 2026 5:30 PM
> To: Dan Carpenter <error27@gmail.com>; Joshua Peisach
> <jpeisach@ubuntu.com>; Deucher, Alexander <Alexander.Deucher@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@amd.com>
> Subject: Re: [bug report] drm/amdgpu/amdgpu_connectors: remove
> amdgpu_connector_free_edid
>
> On Fri Apr 10, 2026 at 3:32 AM EDT, Dan Carpenter wrote:
> >
> > 1057 amdgpu_connector->use_digital =
> > --> 1058 drm_edid_is_digital(amdgpu_connector->edid);
> >
> > ^^^^^^^^^^^^^^^^^^^^^^ Use after free.
> >
>
> Lovely. I was wondering if that Claude review[1] was accurate. I also asked in IRC if
> it was something to be considered about but I didn't get a response[2]. I'll be more
> pressing next time, sorry.
>
> This morning I'm unable to test, but I think reverting the commit that removed
> amdgpu_connector_free_edid[3] should fix it.
>
> What do you think?
I went through the code path, and the warning looks valid:
In amdgpu_connector_dvi_detect(), we do:
drm_edid_free(amdgpu_connector->edid);
After that, we call:
amdgpu_connector_get_edid(connector);
But inside amdgpu_connector_get_edid():
It immediately returns if amdgpu_connector->edid is non-NULL
Since we did not set amdgpu_connector->edid = NULL after freeing:
The pointer is still non-NULL (but already freed)
So amdgpu_connector_get_edid() becomes a no-op
No new EDID is read
Then later we do:
drm_edid_is_digital(amdgpu_connector->edid);
At this point:
amdgpu_connector->edid still points to freed memory
So this becomes a real use-after-free
So the issue is not just the removal of amdgpu_connector_free_edid(),
but that we lost the behavior of clearing the cached EDID pointer after free.
Because of this, the EDID cache logic breaks.
About reverting:
Reverting the commit would fix it indirectly
But I think a minimal fix is better:
Set amdgpu_connector->edid = NULL after drm_edid_free()
This keeps the current design intact and fixes the bug cleanly.
Also, I noticed similar patterns in VGA and shared DDC paths,
so we may want to fix those as well for consistency.
I also checked amdgpu_connector_vga_detect() and amdgpu_connector_shared_ddc(). They show the same stale cached EDID pattern: amdgpu_connector->edid is freed without being cleared. In vga_detect(), this is the same functional bug as DVI because the code then calls amdgpu_connector_get_edid() and later uses amdgpu_connector->edid. In shared_ddc(), it may not trigger an immediate use-after-free in that function, but leaving the freed EDID cached is still unsafe and should be fixed for consistency.
Does this approach look good?
Happy to hear thoughts from others
I can send a patch if this makes sense.
Thanks!
Srini
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid
2026-04-11 5:30 ` SHANMUGAM, SRINIVASAN
@ 2026-04-11 11:45 ` Joshua Peisach
0 siblings, 0 replies; 4+ messages in thread
From: Joshua Peisach @ 2026-04-11 11:45 UTC (permalink / raw)
To: SHANMUGAM, SRINIVASAN, Dan Carpenter, Deucher, Alexander
Cc: amd-gfx@lists.freedesktop.org, Wentland, Harry, Li, Roman,
Hung, Alex, Chung, ChiaHsuan (Tom), Pillai, Aurabindo
On Sat Apr 11, 2026 at 1:30 AM EDT, SRINIVASAN SHANMUGAM wrote:
> I went through the code path, and the warning looks valid:
>
> In amdgpu_connector_dvi_detect(), we do:
> drm_edid_free(amdgpu_connector->edid);
> After that, we call:
> amdgpu_connector_get_edid(connector);
> But inside amdgpu_connector_get_edid():
> It immediately returns if amdgpu_connector->edid is non-NULL
> Since we did not set amdgpu_connector->edid = NULL after freeing:
> The pointer is still non-NULL (but already freed)
> So amdgpu_connector_get_edid() becomes a no-op
> No new EDID is read
> Then later we do:
> drm_edid_is_digital(amdgpu_connector->edid);
> At this point:
> amdgpu_connector->edid still points to freed memory
> So this becomes a real use-after-free
>
> So the issue is not just the removal of amdgpu_connector_free_edid(),
> but that we lost the behavior of clearing the cached EDID pointer after free.
>
> Because of this, the EDID cache logic breaks.
>
> About reverting:
>
> Reverting the commit would fix it indirectly
> But I think a minimal fix is better:
> Set amdgpu_connector->edid = NULL after drm_edid_free()
>
> This keeps the current design intact and fixes the bug cleanly.
>
I like it - less is more :) and it also makes it clear that the
pointer is set to NULL, instead of being hidden behind a function.
-Josh
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-13 8:03 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-10 7:32 [bug report] drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid Dan Carpenter
2026-04-10 12:00 ` Joshua Peisach
2026-04-11 5:30 ` SHANMUGAM, SRINIVASAN
2026-04-11 11:45 ` Joshua Peisach
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.