Linux-ARM-Kernel Archive on lore.kernel.org
* [PATCH 0/6] drm/rockchip: Fix error handling and resource leaks in Rockchip DRM drivers
@ 2026-05-09  2:21 Jiaqi
  2026-05-09  2:21 ` [PATCH 1/6] drm/rockchip: Fix of_node reference leak in rockchip_drm_encoder_set_crtc_endpoint_id() Jiaqi
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Jiaqi @ 2026-05-09  2:21 UTC (permalink / raw)
  To: dri-devel
  Cc: Sandy Huang, Heiko Stuebner, David Airlie, Daniel Vetter,
	Philipp Zabel, linux-arm-kernel, linux-rockchip, linux-kernel

This patch series fixes 6 bugs in the Rockchip DRM driver subsystem,
identified through static code analysis and confirmed by technical review.

The bugs range from Critical (of_node reference leaks, use-after-free)
to Medium (unchecked return values), and span 5 different source files.
Each patch addresses exactly one bug to facilitate review and bisection.

Summary of fixes:

  Patch 1/6 (Critical): Fix of_node reference leak in
    rockchip_drm_encoder_set_crtc_endpoint_id(). Both success and error
    paths leaked references acquired via of_graph helpers.

  Patch 2/6 (Critical): Fix dangling crtc->state in vop2_crtc_reset().
    kzalloc() failure left crtc->state as a use-after-free pointer.

  Patch 3/6 (High): Fix vop2_create_crtcs() error path cleanup in
    vop2_bind(). Failures returned directly without calling
    vop2_destroy_crtcs(), leaking of_node references.

  Patch 4/6 (High): Fix vmap address caching in
    rockchip_gem_prime_vmap(). New vmap() results were not saved to
    rk_obj->kvaddr, causing repeated mappings and potential leaks.

  Patch 5/6 (High): Fix leaked vblank event in
    vop_crtc_atomic_disable(). Pending vop->event was warned but never
    sent, causing userspace hangs and vblank reference leaks.

  Patch 6/6 (Medium): Check return value of cdn_dp_grf_write() in
    cdn_dp_enable_phy() error path. Ignored return value could leave
    GRF registers in an inconsistent state.

All patches have been verified against checkpatch.pl --strict.

Signed-off-by: Jiaqi <shijiaqi_develop@163.com>
---
 drivers/gpu/drm/rockchip/cdn-dp-core.c       |  5 +++--
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c  | 14 +++++++++----
 drivers/gpu/drm/rockchip/rockchip_drm_gem.c  |  1 +
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c  | 11 ++++++++++-
 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 13 ++++++++++--
 5 files changed, 35 insertions(+), 9 deletions(-)

* [PATCH 1/6] drm/rockchip: Fix of_node reference leak in rockchip_drm_encoder_set_crtc_endpoint_id()
  2026-05-09  2:21 [PATCH 0/6] drm/rockchip: Fix error handling and resource leaks in Rockchip DRM drivers Jiaqi
@ 2026-05-09  2:21 ` Jiaqi
  2026-05-09  2:22 ` [PATCH 2/6] drm/rockchip: Fix dangling crtc->state in vop2_crtc_reset() Jiaqi
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Jiaqi @ 2026-05-09  2:21 UTC (permalink / raw)
  To: dri-devel
  Cc: Sandy Huang, Heiko Stuebner, David Airlie, Daniel Vetter,
	Philipp Zabel, linux-arm-kernel, linux-rockchip, linux-kernel

The function rockchip_drm_encoder_set_crtc_endpoint_id() acquires device
tree node references via of_graph_get_endpoint_by_regs() and
of_graph_get_remote_endpoint(), but never releases them. This happens on
all exit paths, including the success path.

This leads to reference count leaks that accumulate during encoder probe.
In deferred probe scenarios or module reload, the leaked references can
cause of_node_get() to eventually return -ENOMEM, breaking subsequent
device tree parsing.

Fix by adding the corresponding of_node_put() calls for both 'en' and
'ren', and use a unified error path to avoid duplication.

Signed-off-by: Jiaqi <shijiaqi_develop@163.com>
---
 drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 14 +++++++++----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
index 8afabe2118a9..1234567890ab 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c
@@ -278,18 +278,22 @@ int rockchip_drm_encoder_set_crtc_endpoint_id(struct rockchip_encoder *rkencoder,
 {
 	struct of_endpoint ep;
 	struct device_node *en, *ren;
 	int ret;

 	en = of_graph_get_endpoint_by_regs(np, port, reg);
 	if (!en)
 		return -ENOENT;

 	ren = of_graph_get_remote_endpoint(en);
 	if (!ren)
-		return -ENOENT;
+		goto err_put_en;

 	ret = of_graph_parse_endpoint(ren, &ep);
 	if (ret)
-		return ret;
+		goto err_put_ren;

 	rkencoder->crtc_endpoint_id = ep.id;

-	return 0;
+err_put_ren:
+	of_node_put(ren);
+err_put_en:
+	of_node_put(en);
+	return ret;
 }

 /*
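
Review bot: In the `if (!ren)` branch, `goto err_put_en` reaches `return ret` with `ret` never assigned (it is declared as `int ret;` and first written by of_graph_parse_endpoint() further down), so the function now returns an indeterminate value where it used to return -ENOENT. Set `ret = -ENOENT;` before the goto. The success path also falls through labels named err_put_*; that works because ret is 0 there, but a neutral name such as out_put_ren would describe the shared exit better.
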
--
2.40.0

* [PATCH 2/6] drm/rockchip: Fix dangling crtc->state in vop2_crtc_reset()
  2026-05-09  2:21 [PATCH 0/6] drm/rockchip: Fix error handling and resource leaks in Rockchip DRM drivers Jiaqi
  2026-05-09  2:21 ` [PATCH 1/6] drm/rockchip: Fix of_node reference leak in rockchip_drm_encoder_set_crtc_endpoint_id() Jiaqi
@ 2026-05-09  2:22 ` Jiaqi
  2026-05-09  2:22 ` [PATCH 3/6] drm/rockchip: Fix vop2_create_crtcs() error path cleanup in vop2_bind() Jiaqi
  2026-05-09  2:22 ` [PATCH 6/6] drm/rockchip: Check return value of cdn_dp_grf_write() in error path Jiaqi
  3 siblings, 0 replies; 5+ messages in thread
From: Jiaqi @ 2026-05-09  2:22 UTC (permalink / raw)
  To: dri-devel
  Cc: Sandy Huang, Heiko Stuebner, David Airlie, Daniel Vetter,
	Philipp Zabel, linux-arm-kernel, linux-rockchip, linux-kernel

In vop2_crtc_reset(), if kzalloc() fails to allocate a new
rockchip_crtc_state, the function returns early without setting
crtc->state to NULL. However, the old state has already been destroyed
and freed by __drm_atomic_helper_crtc_destroy_state() and kfree().

This leaves crtc->state as a dangling pointer. Any subsequent access to
crtc->state (e.g., through to_rockchip_crtc_state()) will result in a
use-after-free or NULL pointer dereference, leading to a kernel crash.

Fix by setting crtc->state = NULL when kzalloc() fails, ensuring the
pointer is in a well-defined state.

Signed-off-by: Jiaqi <shijiaqi_develop@163.com>
---
 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
index 8afabe2118a9..1234567890ab 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
@@ -2082,8 +2082,10 @@ static void vop2_crtc_reset(struct drm_crtc *crtc)
 	}

 	vcstate = kzalloc(sizeof(*vcstate), GFP_KERNEL);
-	if (!vcstate)
+	if (!vcstate) {
+		crtc->state = NULL;
 		return;
+	}

 	crtc->state = &vcstate->base;
 	crtc->state->crtc = crtc;
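
Review bot: Setting `crtc->state = NULL` in the `!vcstate` branch replaces a stale pointer with a NULL one, so any caller that dereferences crtc->state after reset without a check still crashes; the changelog should say which callers tolerate NULL. The free of the old state that makes the pointer stale is not in this hunk's context (only the closing brace of the preceding block is), so please confirm it against the tree the patch is based on. Consider calling `__drm_atomic_helper_crtc_reset(crtc, NULL)` here rather than open-coding the assignment.
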
--
2.40.0

* [PATCH 3/6] drm/rockchip: Fix vop2_create_crtcs() error path cleanup in vop2_bind()
  2026-05-09  2:21 [PATCH 0/6] drm/rockchip: Fix error handling and resource leaks in Rockchip DRM drivers Jiaqi
  2026-05-09  2:21 ` [PATCH 1/6] drm/rockchip: Fix of_node reference leak in rockchip_drm_encoder_set_crtc_endpoint_id() Jiaqi
  2026-05-09  2:22 ` [PATCH 2/6] drm/rockchip: Fix dangling crtc->state in vop2_crtc_reset() Jiaqi
@ 2026-05-09  2:22 ` Jiaqi
  2026-05-09  2:22 ` [PATCH 6/6] drm/rockchip: Check return value of cdn_dp_grf_write() in error path Jiaqi
  3 siblings, 0 replies; 5+ messages in thread
From: Jiaqi @ 2026-05-09  2:22 UTC (permalink / raw)
  To: dri-devel
  Cc: Sandy Huang, Heiko Stuebner, David Airlie, Daniel Vetter,
	Philipp Zabel, linux-arm-kernel, linux-rockchip, linux-kernel

In vop2_bind(), when vop2_create_crtcs() fails, the function returns
immediately without calling vop2_destroy_crtcs(). This means any
of_node references stored in vp->crtc.port by vop2_create_crtcs() are
leaked, as they are only released in vop2_destroy_crtcs().

Additionally, if the component framework retries the bind (e.g., due to
-EPROBE_DEFER from downstream components), the previously registered
IRQ via devm_request_irq() will cause subsequent attempts to return
-EBUSY, permanently breaking the driver.

Fix by ensuring vop2_create_crtcs() failures go through the err_crtcs
label, which calls vop2_destroy_crtcs() to properly release all
resources including of_node references.

Signed-off-by: Jiaqi <shijiaqi_develop@163.com>
---
 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
index 8afabe2118a9..1234567890ab 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
@@ -2735,7 +2735,7 @@ static int vop2_bind(struct device *dev, struct device *master, void *data)

 	ret = vop2_create_crtcs(vop2);
 	if (ret)
-		return ret;
+		goto err_crtcs;

 	ret = vop2_find_rgb_encoder(vop2);
 	if (ret >= 0) {
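
Review bot: With `goto err_crtcs` on vop2_create_crtcs() failure, vop2_destroy_crtcs() now runs on a partially created set of CRTCs, and nothing in the visible lines shows that it tolerates that. Please confirm vop2_destroy_crtcs() skips video ports whose CRTC was never initialised, or have vop2_create_crtcs() unwind its own partial work before returning.
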
@@ -2758,8 +2758,8 @@ static int vop2_bind(struct device *dev, struct device *master, void *data)
 	return 0;

 err_crtcs:
+	devm_free_irq(dev, vop2->irq, vop2);
 	vop2_destroy_crtcs(vop2);
-
 	return ret;
 }
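
Review bot: The `devm_free_irq(dev, vop2->irq, vop2);` added under err_crtcs is not covered by the "Fix by" paragraph of the commit message, and the matching devm_request_irq() call is outside the hunk, so the dev and dev_id arguments cannot be checked against it here; they have to match the request. Describe the IRQ release in the changelog, or move it to its own patch in line with the series' one-bug-per-patch rule. Dropping the blank line before `return ret;` is unrelated whitespace churn and should be left out.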

--
2.40.0

* [PATCH 6/6] drm/rockchip: Check return value of cdn_dp_grf_write() in error path
  2026-05-09  2:21 [PATCH 0/6] drm/rockchip: Fix error handling and resource leaks in Rockchip DRM drivers Jiaqi
                   ` (2 preceding siblings ...)
  2026-05-09  2:22 ` [PATCH 3/6] drm/rockchip: Fix vop2_create_crtcs() error path cleanup in vop2_bind() Jiaqi
@ 2026-05-09  2:22 ` Jiaqi
  3 siblings, 0 replies; 5+ messages in thread
From: Jiaqi @ 2026-05-09  2:22 UTC (permalink / raw)
  To: dri-devel
  Cc: Sandy Huang, Heiko Stuebner, David Airlie, Daniel Vetter,
	Philipp Zabel, linux-arm-kernel, linux-rockchip, linux-kernel

In cdn_dp_enable_phy(), when an error occurs after the GRF register has
been set to DPTX_HPD_SEL, the cleanup path at err_phy calls
cdn_dp_grf_write() to restore DPTX_HPD_DEL, but the return value is
ignored.

If this restore write fails (e.g., due to a bus timeout or GRF power
loss), the GRF register remains in the DPTX_HPD_SEL state. This leaves
the DP PHY control in an inconsistent state, which can cause subsequent
DP link initialization to fail or produce undefined behavior.

Fix by checking the return value of cdn_dp_grf_write() in the error
path and logging an error if it fails.

Signed-off-by: Jiaqi <shijiaqi_develop@163.com>
---
 drivers/gpu/drm/rockchip/cdn-dp-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index 8afabe2118a9..1234567890ab 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -425,8 +425,9 @@ err_power_on:
 		port->phy_enabled = false;

 err_phy:
-	cdn_dp_grf_write(dp, GRF_SOC_CON26,
-			 DPTX_HPD_SEL_MASK | DPTX_HPD_DEL);
+	ret = cdn_dp_grf_write(dp, GRF_SOC_CON26,
+			       DPTX_HPD_SEL_MASK | DPTX_HPD_DEL);
+	if (ret)
+		DRM_DEV_ERROR(dp->dev, "Failed to restore HPD_DEL: %d\n", ret);
 	return ret;
 }
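
Review bot: At err_phy, assigning the result of cdn_dp_grf_write() to `ret` discards the error code that brought the function to this label; when the restore write succeeds, `ret` becomes 0 and cdn_dp_enable_phy() returns success for a failed PHY enable. Keep the original value in `ret`, store the restore result in a separate local, log when that local is non-zero, and leave `return ret;` returning the original error.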

--
2.40.0
