From: sashiko-bot@kernel.org
To: "Jonas Karlman" <jonas@kwiboo.se>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org,
linux-amlogic@lists.infradead.org, linux-sunxi@lists.linux.dev,
neil.armstrong@linaro.org
Subject: Re: [PATCH v7 15/23] drm: bridge: dw_hdmi: Use generic CEC notifier helpers
Date: Mon, 18 May 2026 18:53:00 +0000
Message-ID: <20260518185300.C749CC2BCB7@smtp.kernel.org>
In-Reply-To: <20260518180206.2480119-16-jonas@kwiboo.se>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free and memory leak due to drmm action lifetime mismatch with the connector
--
commit 7a3d2d4c9ae6107ffef88b867d73cc39dd7e8567
Author: Jonas Karlman <jonas@kwiboo.se>
drm: bridge: dw_hdmi: Use generic CEC notifier helpers
This commit replaces the open-coded CEC notifier handling with the generic
DRM HDMI CEC notifier helpers.
> The drmm release action for the generic CEC notifier should run just
> before dw_hdmi_connector_destroy(), closely matching the lifetime of
> the replaced CEC notifier and the connector.
Is this assumption accurate for all drivers using dw_hdmi?
When master drivers like sun4i or imx are unbound, drm_mode_config_cleanup()
is often called synchronously, which in turn calls dw_hdmi_connector_destroy().
If a userspace process holds the DRM file descriptor open, the drm_device
outlives the unbind. Doesn't this mean the drmm release action will run
much later than dw_hdmi_connector_destroy(), rather than just before it?
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 0e84dff724706..37406555af7bc 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
[ ... ]
> @@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
>
> drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
>
> - cec_fill_conn_info_from_drm(&conn_info, connector);
> -
> - notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
> - if (!notifier)
> - return -ENOMEM;
> -
> - hdmi->cec_notifier = notifier;
> -
> - return 0;
> + return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
> + hdmi->dev);
> }
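Review bot: The new return in dw_hdmi_connector_create() hands notifier teardown to a drmm_ helper keyed on the connector pointer, whereas the removed lines kept the handle in hdmi->cec_notifier for the driver to release itself. Nothing in this hunk ties the managed release to the connector's own destroy path, so please either add a comment at the call explaining why the release cannot run after the connector has been cleaned up, or keep an explicit unregister in the connector teardown. The removed "if (!notifier) return -ENOMEM;" also made the failure code explicit; it is worth stating in the commit message which error codes the helper can now return to callers of dw_hdmi_connector_create().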
Could this cause a use-after-free when the drm_device is finally released?
Looking at dw_hdmi_connector_destroy(), it cleans up the connector state:
dw_hdmi_connector_destroy()
    drm_connector_cleanup(connector)
        ...
        memset(connector, 0, sizeof(*connector));
Since the connector is embedded in struct dw_hdmi which is managed by devres
and the bridge refcount, the memory will be freed when the platform device
unbind completes.
When the drmm action drm_connector_hdmi_cec_notifier_unregister() eventually
executes during drm_dev_release(), won't it attempt to dereference the
already freed connector pointer?
If the memory happens to still be accessible, won't it read the zeroed
connector->cec.data as a NULL pointer, silently leaking the CEC notifier?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260518180206.2480119-1-jonas@kwiboo.se?part=15
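The ordering concern raised in the review above, as an added userspace model (not code from the patch, the kernel or the reviewer). Every struct and function name here is a hypothetical stand-in, and the connector is kept on the stack so the model shows only the zeroed-pointer leak case, not a real access to freed memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not kernel APIs. */
struct notifier { int registered; };
struct connector { struct notifier *cec_data; };

struct managed_dev {                 /* models a refcounted device with one release action */
    int refcount;
    void (*action)(void *arg);
    void *arg;
};

/* Release action: unregisters whatever the connector still points at. */
static void notifier_release(void *arg)
{
    struct connector *c = arg;
    if (!c->cec_data)                /* connector already zeroed: nothing found to release */
        return;
    c->cec_data->registered = 0;
    c->cec_data = NULL;
}

static void connector_destroy(struct connector *c) { memset(c, 0, sizeof(*c)); }

static void dev_put(struct managed_dev *d)
{
    if (--d->refcount == 0 && d->action)
        d->action(d->arg);           /* release actions run only on the final put */
}

/* Returns 1 if the notifier is still registered after full teardown. */
static int notifier_leaked(int destroy_before_release)
{
    struct notifier n = { .registered = 1 };
    struct connector c = { .cec_data = &n };
    struct managed_dev d = { .refcount = 1, .action = notifier_release, .arg = &c };

    if (destroy_before_release) {
        d.refcount++;                /* an open file descriptor keeps the device alive */
        connector_destroy(&c);       /* synchronous cleanup during unbind */
        dev_put(&d);                 /* unbind drops its reference, device survives */
        dev_put(&d);                 /* descriptor closed later: release runs now */
    } else {
        dev_put(&d);                 /* release runs first, as the commit message expects */
        connector_destroy(&c);
    }
    return n.registered;
}

int main(void)
{
    printf("release before destroy: leaked=%d\n", notifier_leaked(0));
    printf("destroy before release: leaked=%d\n", notifier_leaked(1));
    return 0;
}
```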