* [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
@ 2025-10-24 16:14 ` Ludovic Desroches
2025-10-24 16:14 ` [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release Ludovic Desroches
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Ludovic Desroches @ 2025-10-24 16:14 UTC (permalink / raw)
To: Manikandan Muralidharan, Dharma Balasubiramani, Maarten Lankhorst,
Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter,
Nicolas Ferre, Alexandre Belloni, Claudiu Beznea
Cc: dri-devel, linux-arm-kernel, linux-kernel, Ludovic Desroches
After several commits, the slab memory increases. Some drm_crtc_commit
objects are not freed. The atomic_destroy_state callback only put the
framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function
to put all the objects that are no longer needed.
It has been seen after hours of usage of a graphics application or using
kmemleak:
unreferenced object 0xc63a6580 (size 64):
comm "egt_basic", pid 171, jiffies 4294940784
hex dump (first 32 bytes):
40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:.
8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:.
backtrace (crc c25aa925):
kmemleak_alloc+0x34/0x3c
__kmalloc_cache_noprof+0x150/0x1a4
drm_atomic_helper_setup_commit+0x1e8/0x7bc
drm_atomic_helper_commit+0x3c/0x15c
drm_atomic_commit+0xc0/0xf4
drm_atomic_helper_set_config+0x84/0xb8
drm_mode_setcrtc+0x32c/0x810
drm_ioctl+0x20c/0x488
sys_ioctl+0x14c/0xc20
ret_fast_syscall+0x0/0x54
Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Reviewed-by: Manikandan Muralidharan <manikandan.m@microchip.com>
---
drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
index 38f60befd7d759a52d66211c2e7d49c9be235ad4..0e38587b868d5b5375fcaa5c0508e8e5690d8ff8 100644
--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -1215,8 +1215,7 @@ static void atmel_hlcdc_plane_atomic_destroy_state(struct drm_plane *p,
state->dscrs[i]->self);
}
- if (s->fb)
- drm_framebuffer_put(s->fb);
+ __drm_atomic_helper_plane_destroy_state(s);
kfree(state);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
2025-10-24 16:14 ` [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback Ludovic Desroches
@ 2025-10-24 16:14 ` Ludovic Desroches
2026-01-05 6:31 ` [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Manikandan.M
2026-01-21 3:56 ` Manikandan.M
3 siblings, 0 replies; 5+ messages in thread
From: Ludovic Desroches @ 2025-10-24 16:14 UTC (permalink / raw)
To: Manikandan Muralidharan, Dharma Balasubiramani, Maarten Lankhorst,
Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter,
Nicolas Ferre, Alexandre Belloni, Claudiu Beznea
Cc: dri-devel, linux-arm-kernel, linux-kernel, Ludovic Desroches
The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying
the atmel_hlcdc_plane state structure without properly duplicating the
drm_plane_state. In particular, state->commit remained set to the old
state commit, which can lead to a use-after-free in the next
drm_atomic_commit() call.
Fix this by calling
__drm_atomic_helper_duplicate_plane_state(), which correctly clones
the base drm_plane_state (including the ->commit pointer).
It has been seen when closing and re-opening the device node while
another DRM client (e.g. fbdev) is still attached:
=============================================================================
BUG kmalloc-64 (Not tainted): Poison overwritten
-----------------------------------------------------------------------------
0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0
pid=29
drm_atomic_helper_setup_commit+0x1e8/0x7bc
drm_atomic_helper_commit+0x3c/0x15c
drm_atomic_commit+0xc0/0xf4
drm_framebuffer_remove+0x4cc/0x5a8
drm_mode_rmfb_work_fn+0x6c/0x80
process_one_work+0x12c/0x2cc
worker_thread+0x2a8/0x400
kthread+0xc0/0xdc
ret_from_fork+0x14/0x28
Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0
pid=169
drm_atomic_helper_commit_hw_done+0x100/0x150
drm_atomic_helper_commit_tail+0x64/0x8c
commit_tail+0x168/0x18c
drm_atomic_helper_commit+0x138/0x15c
drm_atomic_commit+0xc0/0xf4
drm_atomic_helper_set_config+0x84/0xb8
drm_mode_setcrtc+0x32c/0x810
drm_ioctl+0x20c/0x488
sys_ioctl+0x14c/0xc20
ret_fast_syscall+0x0/0x54
Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0
flags=0x200(workingset|zone=0)
Object 0xc611b340 @offset=832 fp=0xc611b7c0
Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Reviewed-by: Manikandan Muralidharan <manikandan.m@microchip.com>
---
drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
index 0e38587b868d5b5375fcaa5c0508e8e5690d8ff8..91df1273eac71512109a822000448d7641171dca 100644
--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -1196,8 +1196,7 @@ atmel_hlcdc_plane_atomic_duplicate_state(struct drm_plane *p)
return NULL;
}
- if (copy->base.fb)
- drm_framebuffer_get(copy->base.fb);
+ __drm_atomic_helper_plane_duplicate_state(p, ©->base);
return ©->base;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs
2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
2025-10-24 16:14 ` [PATCH 1/2] drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback Ludovic Desroches
2025-10-24 16:14 ` [PATCH 2/2] drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release Ludovic Desroches
@ 2026-01-05 6:31 ` Manikandan.M
2026-01-21 3:56 ` Manikandan.M
3 siblings, 0 replies; 5+ messages in thread
From: Manikandan.M @ 2026-01-05 6:31 UTC (permalink / raw)
To: Ludovic.Desroches, Dharma.B, maarten.lankhorst, mripard,
tzimmermann, airlied, simona, Nicolas.Ferre, alexandre.belloni,
claudiu.beznea
Cc: dri-devel, linux-arm-kernel, linux-kernel
On 24/10/25 9:44 pm, Ludovic Desroches wrote:
> These two patches fix a memory leak and a use after free bugs.
>
> The memory leak bug had been reported by several users. There were some
> attempts to fix it in the past, but the resolutions proposed caused
> other breakages.
>
> Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
> ---
> Ludovic Desroches (2):
> drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
> drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
>
> drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
> ---
For the Entire series,
Reviewed-by: Manikandan Muralidharan <manikandan.m@microchip.com>
Thanks Ludovic.
> base-commit: 72fb0170ef1f45addf726319c52a0562b6913707
> change-id: 20251024-lcd_fixes_mainlining-a1234d81a768
>
> Best regards,
--
Thanks and Regards,
Manikandan M.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs
2025-10-24 16:14 [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Ludovic Desroches
` (2 preceding siblings ...)
2026-01-05 6:31 ` [PATCH 0/2] drm/atmel-hlcdc: fix memory bugs Manikandan.M
@ 2026-01-21 3:56 ` Manikandan.M
3 siblings, 0 replies; 5+ messages in thread
From: Manikandan.M @ 2026-01-21 3:56 UTC (permalink / raw)
To: Ludovic.Desroches, Dharma.B, maarten.lankhorst, mripard,
tzimmermann, airlied, simona, Nicolas.Ferre, alexandre.belloni,
claudiu.beznea
Cc: dri-devel, linux-arm-kernel, linux-kernel
On 24/10/25 9:44 pm, Ludovic Desroches wrote:
> These two patches fix a memory leak and a use after free bugs.
>
> The memory leak bug had been reported by several users. There were some
> attempts to fix it in the past, but the resolutions proposed caused
> other breakages.
>
> Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Applied to drm-misc-next.
Thanks!
> ---
> Ludovic Desroches (2):
> drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
> drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
>
> drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
> ---
> base-commit: 72fb0170ef1f45addf726319c52a0562b6913707
> change-id: 20251024-lcd_fixes_mainlining-a1234d81a768
>
> Best regards,
--
Thanks and Regards,
Manikandan M.
^ permalink raw reply [flat|nested] 5+ messages in thread