Re: [PATCH v5 14/21] drm: bridge: dw_hdmi: Use generic CEC notifier helpers

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free and Memory Leak due to lifecycle mismatch with drmm-managed CEC notifier registration
--

commit f25787cb94e7936f6b23599ef90d85d636679290
Author: Jonas Karlman <jonas@kwiboo.se>

drm: bridge: dw_hdmi: Use generic CEC notifier helpers

This commit replaces the open-coded CEC notifier handling with generic CEC
notifier helpers, specifically utilizing drmm_connector_hdmi_cec_notifier_register.
It also selects DRM_DISPLAY_HDMI_CEC_NOTIFIER_HELPER when DRM_DW_HDMI_CEC
is enabled.

> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 6fb21399f1370..bf893c754539b 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c

[ ... ]

> @@ -2525,9 +2521,6 @@ static void dw_hdmi_connector_destroy(struct drm_connector *connector)
>  {
>  	struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector);
>  
> -	cec_notifier_conn_unregister(hdmi->cec_notifier);
> -	hdmi->cec_notifier = NULL;
> -
>  	drm_connector_cleanup(connector);
>  	drm_bridge_put(&hdmi->bridge);
>  }

Since drm_connector_cleanup() clears the connector memory with a memset, could
this cause a memory leak of the cec_notifier?

Because drmm_connector_hdmi_cec_notifier_register() ties the notifier cleanup
to the drm_device release, the delayed drmm action will eventually run. But by
that time, connector->cec.data will be NULL due to the memset in
drm_connector_cleanup(). Will cec_notifier_conn_unregister(NULL) then
silently return and leave the notifier allocated?

> @@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
>  
>  	drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
>  
> -	cec_fill_conn_info_from_drm(&conn_info, connector);
> -
> -	notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
> -	if (!notifier)
> -		return -ENOMEM;
> -
> -	hdmi->cec_notifier = notifier;
> -
> -	return 0;
> +	return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
> +							 hdmi->dev);
>  }

Could tying the CEC registration to the drmm lifecycle lead to a use-after-free
if the bridge unbinds while the DRM device is kept open by userspace?

The dw_hdmi structure (which embeds the connector) is typically allocated via
devm and tied to the bridge platform device. If the bridge unbinds, the
connector memory is freed. However, the drmm cleanup action remains queued on
the DRM device. When the DRM device is finally released, will the drmm
cleanup action dereference the already freed connector pointer?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260510124111.1226584-1-jonas@kwiboo.se?part=14