dri-devel.lists.freedesktop.org archive mirror
* [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs
@ 2025-10-24 16:14 Ludovic Desroches
  2025-10-24 16:14 ` [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback Ludovic Desroches
  2025-10-24 16:14 ` [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release Ludovic Desroches
  0 siblings, 2 replies; 3+ messages in thread
From: Ludovic Desroches @ 2025-10-24 16:14 UTC (permalink / raw)
  To: Manikandan Muralidharan, Dharma Balasubiramani, Maarten Lankhorst,
	Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter,
	Nicolas Ferre, Alexandre Belloni, Claudiu Beznea
  Cc: dri-devel, linux-arm-kernel, linux-kernel, Ludovic Desroches

These two patches fix a memory leak bug and a use-after-free bug.

The memory leak bug had been reported by several users. There were some
attempts to fix it in the past, but the resolutions proposed caused
other breakages.

Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
---
Ludovic Desroches (2):
      drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
      drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
---
base-commit: 72fb0170ef1f45addf726319c52a0562b6913707
change-id: 20251024-lcd_fixes_mainlining-a1234d81a768

Best regards,
-- 
Ludovic Desroches <ludovic.desroches@microchip.com>



* [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
  2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
@ 2025-10-24 16:14 ` Ludovic Desroches
  2025-10-24 16:14 ` [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release Ludovic Desroches
  1 sibling, 0 replies; 3+ messages in thread
From: Ludovic Desroches @ 2025-10-24 16:14 UTC (permalink / raw)
  To: Manikandan Muralidharan, Dharma Balasubiramani, Maarten Lankhorst,
	Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter,
	Nicolas Ferre, Alexandre Belloni, Claudiu Beznea
  Cc: dri-devel, linux-arm-kernel, linux-kernel, Ludovic Desroches

After several commits, the slab memory increases. Some drm_crtc_commit
objects are not freed. The atomic_destroy_state callback only put the
framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function
to put all the objects that are no longer needed.

It has been seen after hours of usage of a graphics application or using
kmemleak:

unreferenced object 0xc63a6580 (size 64):
  comm "egt_basic", pid 171, jiffies 4294940784
  hex dump (first 32 bytes):
    40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6  @P4..........e:.
    8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6  .e:......e:..e:.
  backtrace (crc c25aa925):
    kmemleak_alloc+0x34/0x3c
    __kmalloc_cache_noprof+0x150/0x1a4
    drm_atomic_helper_setup_commit+0x1e8/0x7bc
    drm_atomic_helper_commit+0x3c/0x15c
    drm_atomic_commit+0xc0/0xf4
    drm_atomic_helper_set_config+0x84/0xb8
    drm_mode_setcrtc+0x32c/0x810
    drm_ioctl+0x20c/0x488
    sys_ioctl+0x14c/0xc20
    ret_fast_syscall+0x0/0x54

Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Reviewed-by: Manikandan Muralidharan <manikandan.m@microchip.com>
---
 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
index 38f60befd7d759a52d66211c2e7d49c9be235ad4..0e38587b868d5b5375fcaa5c0508e8e5690d8ff8 100644
--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -1215,8 +1215,7 @@ static void atmel_hlcdc_plane_atomic_destroy_state(struct drm_plane *p,
 			      state->dscrs[i]->self);
 	}
 
-	if (s->fb)
-		drm_framebuffer_put(s->fb);
+	__drm_atomic_helper_plane_destroy_state(s);
 
 	kfree(state);
 }
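
Review bot: the replacement line `__drm_atomic_helper_plane_destroy_state(s);` removes the explicit `if (s->fb)` guard, and nothing in the commit message says the helper tolerates a state with no framebuffer attached; please say so in the message so the dropped check is clearly intentional. The message also reports that several users hit the leak and includes a kmemleak trace, yet there is no Fixes: tag identifying the commit that introduced the incomplete destroy callback; adding one would make backporting straightforward.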

-- 
2.51.0



* [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
  2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
  2025-10-24 16:14 ` [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback Ludovic Desroches
@ 2025-10-24 16:14 ` Ludovic Desroches
  1 sibling, 0 replies; 3+ messages in thread
From: Ludovic Desroches @ 2025-10-24 16:14 UTC (permalink / raw)
  To: Manikandan Muralidharan, Dharma Balasubiramani, Maarten Lankhorst,
	Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter,
	Nicolas Ferre, Alexandre Belloni, Claudiu Beznea
  Cc: dri-devel, linux-arm-kernel, linux-kernel, Ludovic Desroches

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying
the atmel_hlcdc_plane state structure without properly duplicating the
drm_plane_state. In particular, state->commit remained set to the old
state commit, which can lead to a use-after-free in the next
drm_atomic_commit() call.

Fix this by calling
__drm_atomic_helper_duplicate_plane_state(), which correctly clones
the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while
another DRM client (e.g. fbdev) is still attached:

=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------

0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0
pid=29
 drm_atomic_helper_setup_commit+0x1e8/0x7bc
 drm_atomic_helper_commit+0x3c/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_framebuffer_remove+0x4cc/0x5a8
 drm_mode_rmfb_work_fn+0x6c/0x80
 process_one_work+0x12c/0x2cc
 worker_thread+0x2a8/0x400
 kthread+0xc0/0xdc
 ret_from_fork+0x14/0x28
Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0
pid=169
 drm_atomic_helper_commit_hw_done+0x100/0x150
 drm_atomic_helper_commit_tail+0x64/0x8c
 commit_tail+0x168/0x18c
 drm_atomic_helper_commit+0x138/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_atomic_helper_set_config+0x84/0xb8
 drm_mode_setcrtc+0x32c/0x810
 drm_ioctl+0x20c/0x488
 sys_ioctl+0x14c/0xc20
 ret_fast_syscall+0x0/0x54
Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0
flags=0x200(workingset|zone=0)
Object 0xc611b340 @offset=832 fp=0xc611b7c0

Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Reviewed-by: Manikandan Muralidharan <manikandan.m@microchip.com>
---
 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
index 0e38587b868d5b5375fcaa5c0508e8e5690d8ff8..91df1273eac71512109a822000448d7641171dca 100644
--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -1196,8 +1196,7 @@ atmel_hlcdc_plane_atomic_duplicate_state(struct drm_plane *p)
 		return NULL;
 	}
 
-	if (copy->base.fb)
-		drm_framebuffer_get(copy->base.fb);
+	__drm_atomic_helper_plane_duplicate_state(p, &copy->base);
 
 	return &copy->base;
 }
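
Review bot: the added call is `__drm_atomic_helper_plane_duplicate_state(p, &copy->base);`, but the commit message names `__drm_atomic_helper_duplicate_plane_state()`, which is not the function this hunk calls; please make the message match the code. The message also describes the helper as cloning the `->commit` pointer while the bug it reports is that `state->commit` kept pointing at the old commit, so it would be clearer to state what value `->commit` holds in the copy after the call. A Fixes: tag is missing here as well.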

-- 
2.51.0
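
A user-space model of the ownership problem this commit message describes, added here as an illustration and not code from the patch or the kernel. The struct and function names are hypothetical; the model assumes that destroy releases the commit held by a state and that the patched duplicate leaves the copy without an inherited commit pointer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for drm_crtc_commit and drm_plane_state (model only). */
struct commit { int refs; int freed; int bad_puts; };
struct plane_state { struct commit *commit; };

static void commit_put(struct commit *c)
{
	if (c->freed) { c->bad_puts++; return; } /* put on a released object */
	if (--c->refs == 0)
		c->freed = 1;                    /* real code would free here */
}

/* Pre-patch shape: byte copy, so the copy inherits ->commit with no reference. */
static void dup_shallow(struct plane_state *dst, const struct plane_state *src)
{
	memcpy(dst, src, sizeof(*dst));
}

/* Patched shape as assumed here: copy, then drop the inherited pointer. */
static void dup_reset(struct plane_state *dst, const struct plane_state *src)
{
	memcpy(dst, src, sizeof(*dst));
	dst->commit = NULL;
}

/* Destroy releases whatever commit the state still points at. */
static void destroy(struct plane_state *s)
{
	if (s->commit)
		commit_put(s->commit);
}

/* One commit owned by the old state; duplicate it, then destroy both states. */
static int bad_puts_after_cycle(void (*dup)(struct plane_state *,
					    const struct plane_state *))
{
	struct commit c = { .refs = 1 };
	struct plane_state old = { .commit = &c }, copy;
	dup(&copy, &old);
	destroy(&old);
	destroy(&copy);
	return c.bad_puts; /* puts that touched an already released commit */
}

int main(void)
{
	printf("shallow=%d reset=%d\n", bad_puts_after_cycle(dup_shallow),
	       bad_puts_after_cycle(dup_reset));
	return 0;
}
```

The model flags the stale access instead of freeing memory, so it runs deterministically; in the kernel the same imbalance surfaces as the SLUB "Poison overwritten" report quoted in the message.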

