Use drmm_plain_encoder_alloc() to allocate simple encoder and
drmm_writeback_connector_init() in order to initialize writeback
connector instance.
Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Reviewed-by: Jessica Zhang <jessica.zhang@oss.qualcomm.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
@@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
static const struct drm_connector_funcs dpu_wb_conn_funcs = {
.reset = drm_atomic_helper_connector_reset,
.fill_modes = drm_helper_probe_single_connector_modes,
- .destroy = drm_connector_cleanup,
.atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
};
@@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
- /* DPU initializes the encoder and sets it up completely for writeback
- * cases and hence should use the new API drm_writeback_connector_init_with_encoder
- * to initialize the writeback connector
- */
- rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
- &dpu_wb_conn_funcs, format_list, num_formats);
+ rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
+ &dpu_wb_conn_funcs, enc,
+ format_list, num_formats);
if (!rc)
dpu_wb_conn->wb_enc = enc;
--
2.47.2Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
> Use drmm_plain_encoder_alloc() to allocate simple encoder and
> drmm_writeback_connector_init() in order to initialize writeback
> connector instance.
>
> Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ@public.gmane.org>
> Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw@public.gmane.org>
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw@public.gmane.org>
> ---
> drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
> 1 file changed, 3 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
> static const struct drm_connector_funcs dpu_wb_conn_funcs = {
> .reset = drm_atomic_helper_connector_reset,
> .fill_modes = drm_helper_probe_single_connector_modes,
> - .destroy = drm_connector_cleanup,
> .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
> .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
> };
> @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
>
> drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
>
> - /* DPU initializes the encoder and sets it up completely for writeback
> - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
> - * to initialize the writeback connector
> - */
> - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
> - &dpu_wb_conn_funcs, format_list, num_formats);
> + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
> + &dpu_wb_conn_funcs, enc,
> + format_list, num_formats);
>
> if (!rc)
> dpu_wb_conn->wb_enc = enc;
>
dpu_wb_conn is allocated a few lines above using devm_kzalloc().
Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
Is it correct here?
If the explanation at [1] is correct, then &dpu_wb_conn->base would
point to some released memory, IIUC.
just my 2c.
CJ
[1]:
https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
> Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
> > Use drmm_plain_encoder_alloc() to allocate simple encoder and
> > drmm_writeback_connector_init() in order to initialize writeback
> > connector instance.
> >
> > Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ@public.gmane.org>
> > Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> > Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw@public.gmane.org>
> > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw@public.gmane.org>
> > ---
> > drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
> > 1 file changed, 3 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
> > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
> > static const struct drm_connector_funcs dpu_wb_conn_funcs = {
> > .reset = drm_atomic_helper_connector_reset,
> > .fill_modes = drm_helper_probe_single_connector_modes,
> > - .destroy = drm_connector_cleanup,
> > .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
> > .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
> > };
> > @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
> > drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
> > - /* DPU initializes the encoder and sets it up completely for writeback
> > - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
> > - * to initialize the writeback connector
> > - */
> > - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
> > - &dpu_wb_conn_funcs, format_list, num_formats);
> > + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
> > + &dpu_wb_conn_funcs, enc,
> > + format_list, num_formats);
> > if (!rc)
> > dpu_wb_conn->wb_enc = enc;
> >
>
> dpu_wb_conn is allocated a few lines above using devm_kzalloc().
That's a valid point, thanks!
>
> Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
>
> Is it correct here?
> If the explanation at [1] is correct, then &dpu_wb_conn->base would point to
> some released memory, IIUC.
>
>
> just my 2c.
>
> CJ
>
> [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
--
With best wishes
Dmitry
Le 08/09/2025 à 23:26, Dmitry Baryshkov a écrit :
> On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
>> Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
>>> Use drmm_plain_encoder_alloc() to allocate simple encoder and
>>> drmm_writeback_connector_init() in order to initialize writeback
>>> connector instance.
>>>
>>> Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>> Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>> Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>> ---
>>> drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
>>> 1 file changed, 3 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>> index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
>>> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>> @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
>>> static const struct drm_connector_funcs dpu_wb_conn_funcs = {
>>> .reset = drm_atomic_helper_connector_reset,
>>> .fill_modes = drm_helper_probe_single_connector_modes,
>>> - .destroy = drm_connector_cleanup,
>>> .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
>>> .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
>>> };
>>> @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
>>> drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
>>> - /* DPU initializes the encoder and sets it up completely for writeback
>>> - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
>>> - * to initialize the writeback connector
>>> - */
>>> - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
>>> - &dpu_wb_conn_funcs, format_list, num_formats);
>>> + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
>>> + &dpu_wb_conn_funcs, enc,
>>> + format_list, num_formats);
>>> if (!rc)
>>> dpu_wb_conn->wb_enc = enc;
>>>
>>
>> dpu_wb_conn is allocated a few lines above using devm_kzalloc().
>
> That's a valid point, thanks!
I've not analyzed in details all the patches of the serie, but at least
patch 2/8 and 6/8 seems to have the same pattern.
CJ
>
>>
>> Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
>>
>> Is it correct here?
>> If the explanation at [1] is correct, then &dpu_wb_conn->base would point to
>> some released memory, IIUC.
>>
>>
>> just my 2c.
>>
>> CJ
>>
>> [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
>
On Mon, Sep 08, 2025 at 11:38:44PM +0200, Christophe JAILLET wrote:
> Le 08/09/2025 à 23:26, Dmitry Baryshkov a écrit :
> > On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
> > > Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
> > > > Use drmm_plain_encoder_alloc() to allocate simple encoder and
> > > > drmm_writeback_connector_init() in order to initialize writeback
> > > > connector instance.
> > > >
> > > > Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > ---
> > > > drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
> > > > 1 file changed, 3 insertions(+), 7 deletions(-)
> > > >
> > > > diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
> > > > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
> > > > static const struct drm_connector_funcs dpu_wb_conn_funcs = {
> > > > .reset = drm_atomic_helper_connector_reset,
> > > > .fill_modes = drm_helper_probe_single_connector_modes,
> > > > - .destroy = drm_connector_cleanup,
> > > > .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
> > > > .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
> > > > };
> > > > @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
> > > > drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
> > > > - /* DPU initializes the encoder and sets it up completely for writeback
> > > > - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
> > > > - * to initialize the writeback connector
> > > > - */
> > > > - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
> > > > - &dpu_wb_conn_funcs, format_list, num_formats);
> > > > + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
> > > > + &dpu_wb_conn_funcs, enc,
> > > > + format_list, num_formats);
> > > > if (!rc)
> > > > dpu_wb_conn->wb_enc = enc;
> > > >
> > >
> > > dpu_wb_conn is allocated a few lines above using devm_kzalloc().
> >
> > That's a valid point, thanks!
>
> I've not analyzed in details all the patches of the serie, but at least
> patch 2/8 and 6/8 seems to have the same pattern.
Not quite, 2/8 and 6/8 use drmm_kzalloc(), it is fine to be used with
drmm_writeback_connector_init(). This one is indeed incorrect.
>
> CJ
>
> >
> > >
> > > Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
> > >
> > > Is it correct here?
> > > If the explanation at [1] is correct, then &dpu_wb_conn->base would point to
> > > some released memory, IIUC.
> > >
> > >
> > > just my 2c.
> > >
> > > CJ
> > >
> > > [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
> >
>
--
With best wishes
Dmitry
Le 10/09/2025 à 05:47, Dmitry Baryshkov a écrit :
> On Mon, Sep 08, 2025 at 11:38:44PM +0200, Christophe JAILLET wrote:
>> Le 08/09/2025 à 23:26, Dmitry Baryshkov a écrit :
>>> On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
>>>> Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
>>>>> Use drmm_plain_encoder_alloc() to allocate simple encoder and
>>>>> drmm_writeback_connector_init() in order to initialize writeback
>>>>> connector instance.
>>>>>
>>>>> Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>>>> Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>>>> Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>>>> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
>>>>> ---
>>>>> drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
>>>>> 1 file changed, 3 insertions(+), 7 deletions(-)
>>>>>
>>>>> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>>>> index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
>>>>> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>>>> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
>>>>> @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
>>>>> static const struct drm_connector_funcs dpu_wb_conn_funcs = {
>>>>> .reset = drm_atomic_helper_connector_reset,
>>>>> .fill_modes = drm_helper_probe_single_connector_modes,
>>>>> - .destroy = drm_connector_cleanup,
>>>>> .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
>>>>> .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
>>>>> };
>>>>> @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
>>>>> drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
>>>>> - /* DPU initializes the encoder and sets it up completely for writeback
>>>>> - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
>>>>> - * to initialize the writeback connector
>>>>> - */
>>>>> - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
>>>>> - &dpu_wb_conn_funcs, format_list, num_formats);
>>>>> + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
>>>>> + &dpu_wb_conn_funcs, enc,
>>>>> + format_list, num_formats);
>>>>> if (!rc)
>>>>> dpu_wb_conn->wb_enc = enc;
>>>>>
>>>>
>>>> dpu_wb_conn is allocated a few lines above using devm_kzalloc().
>>>
>>> That's a valid point, thanks!
>>
>> I've not analyzed in details all the patches of the serie, but at least
>> patch 2/8 and 6/8 seems to have the same pattern.
>
> Not quite, 2/8 and 6/8 use drmm_kzalloc(), it is fine to be used with
> drmm_writeback_connector_init(). This one is indeed incorrect.
>
Hmm, for patch 2/8, I looked at the source, not what was changes by your
patch... Sorry. :(
For 6/8, I agree with you.
For patch 1/8, I think there is a issue too, becasue of [1], IIUC.
CJ
[1]:
https://elixir.bootlin.com/linux/v6.17-rc5/source/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c#L5257
>>
>> CJ
>>
>>>
>>>>
>>>> Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
>>>>
>>>> Is it correct here?
>>>> If the explanation at [1] is correct, then &dpu_wb_conn->base would point to
>>>> some released memory, IIUC.
>>>>
>>>>
>>>> just my 2c.
>>>>
>>>> CJ
>>>>
>>>> [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
>>>
>>
>
On Wed, Sep 10, 2025 at 07:32:51AM +0200, Christophe JAILLET wrote:
> Le 10/09/2025 à 05:47, Dmitry Baryshkov a écrit :
> > On Mon, Sep 08, 2025 at 11:38:44PM +0200, Christophe JAILLET wrote:
> > > Le 08/09/2025 à 23:26, Dmitry Baryshkov a écrit :
> > > > On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
> > > > > Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
> > > > > > Use drmm_plain_encoder_alloc() to allocate simple encoder and
> > > > > > drmm_writeback_connector_init() in order to initialize writeback
> > > > > > connector instance.
> > > > > >
> > > > > > Reviewed-by: Louis Chauvet <louis.chauvet-LDxbnhwyfcJBDgjK7y7TUQ-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > > > Reviewed-by: Suraj Kandpal <suraj.kandpal-ral2JQCrhuEAvxtiuMwx3w-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > > > Reviewed-by: Jessica Zhang <jessica.zhang-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > > > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov-5oFBVzJwu8Ry9aJCnZT0Uw-XMD5yJDbdMReXY1tMh2IBg-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org>
> > > > > > ---
> > > > > > drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
> > > > > > 1 file changed, 3 insertions(+), 7 deletions(-)
> > > > > >
> > > > > > diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > > > index 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1 100644
> > > > > > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > > > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > > > @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct drm_connector *connector,
> > > > > > static const struct drm_connector_funcs dpu_wb_conn_funcs = {
> > > > > > .reset = drm_atomic_helper_connector_reset,
> > > > > > .fill_modes = drm_helper_probe_single_connector_modes,
> > > > > > - .destroy = drm_connector_cleanup,
> > > > > > .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
> > > > > > .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
> > > > > > };
> > > > > > @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
> > > > > > drm_connector_helper_add(&dpu_wb_conn->base.base, &dpu_wb_conn_helper_funcs);
> > > > > > - /* DPU initializes the encoder and sets it up completely for writeback
> > > > > > - * cases and hence should use the new API drm_writeback_connector_init_with_encoder
> > > > > > - * to initialize the writeback connector
> > > > > > - */
> > > > > > - rc = drm_writeback_connector_init_with_encoder(dev, &dpu_wb_conn->base, enc,
> > > > > > - &dpu_wb_conn_funcs, format_list, num_formats);
> > > > > > + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
> > > > > > + &dpu_wb_conn_funcs, enc,
> > > > > > + format_list, num_formats);
> > > > > > if (!rc)
> > > > > > dpu_wb_conn->wb_enc = enc;
> > > > > >
> > > > >
> > > > > dpu_wb_conn is allocated a few lines above using devm_kzalloc().
> > > >
> > > > That's a valid point, thanks!
> > >
> > > I've not analyzed in details all the patches of the serie, but at least
> > > patch 2/8 and 6/8 seems to have the same pattern.
> >
> > Not quite, 2/8 and 6/8 use drmm_kzalloc(), it is fine to be used with
> > drmm_writeback_connector_init(). This one is indeed incorrect.
> >
>
> Hmm, for patch 2/8, I looked at the source, not what was changes by your
> patch... Sorry. :(
>
> For 6/8, I agree with you.
>
> For patch 1/8, I think there is a issue too, becasue of [1], IIUC.
There is a different issue then. It's a memory leak inside the AMD
driver (since the memory for WB connector will not be kfree()'d by
anything).
>
> CJ
>
>
> [1]: https://elixir.bootlin.com/linux/v6.17-rc5/source/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c#L5257
>
> > >
> > > CJ
> > >
> > > >
> > > > >
> > > > > Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
> > > > >
> > > > > Is it correct here?
> > > > > If the explanation at [1] is correct, then &dpu_wb_conn->base would point to
> > > > > some released memory, IIUC.
> > > > >
> > > > >
> > > > > just my 2c.
> > > > >
> > > > > CJ
> > > > >
> > > > > [1]: https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
> > > >
> > >
> >
>
--
With best wishes
Dmitry
© 2016 - 2026 Red Hat, Inc.