| Message ID | 20260526-drm-mode-config-init-v6-3-852346394200@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | From: Maxime Ripard <mripard@kernel.org>; Date: Tue, 26 May 2026 18:46:15 +0200; Subject: [PATCH v6 03/19] drm/atomic: Drop drm_private_obj.state assignment from create_state |
| Series | drm/atomic: Rework initial state allocation |
Commit Message
Maxime Ripard
May 26, 2026, 4:46 p.m. UTC
The initial intent of the atomic_create_state hook was to simply
allocate a proper drm_private_state and return it, without any side
effect.

However, __drm_atomic_helper_private_obj_create_state(), which most
atomic_create_state implementations call, introduces a side effect by
setting drm_private_obj.state to the newly allocated state.

This assignment defeats the purpose, but is also redundant since
drm_atomic_private_obj_init(), the only call site for the
atomic_create_state hook, will also set this pointer to the newly
allocated state.

Drop the assignment in __drm_atomic_helper_private_obj_create_state().

Fixes: e7be39ed1716 ("drm/atomic-helper: Add private_obj atomic_create_state helper")
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Maxime Ripard <mripard@kernel.org>
---
drivers/gpu/drm/drm_atomic_state_helper.c | 2 --
1 file changed, 2 deletions(-)
Comments
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Improper error handling in `drm_atomic_private_obj_init()` leaves partially initialized objects on the global list, leading to a NULL pointer dereference.

--

commit ec1f21a958898ad786de645ae441f9fe381d3fe4
Author: Maxime Ripard <mripard@kernel.org>

drm/atomic: Drop drm_private_obj.state assignment from create_state

This commit removes the assignment of the newly allocated state to drm_private_obj.state inside __drm_atomic_helper_private_obj_create_state(). This assignment is redundant because drm_atomic_private_obj_init() already sets this pointer after calling the atomic_create_state hook.

> diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c > index cc70508d4fdba..a82568d87e4f7 100644 > --- a/drivers/gpu/drm/drm_atomic_state_helper.c > +++ b/drivers/gpu/drm/drm_atomic_state_helper.c
> @@ -731,8 +731,6 @@ void __drm_atomic_helper_private_obj_create_state(struct drm_private_obj *obj, > { > if (state) > state->obj = obj; > - > - obj->state = state;

[Severity: High]

This isn't a bug introduced by this patch, but since we are discussing the obj->state assignment here and deferring it to drm_atomic_private_obj_init(), could this lead to a NULL pointer dereference if drm_atomic_private_obj_init() fails?

Looking at drivers/gpu/drm/drm_atomic.c:drm_atomic_private_obj_init():

    list_add_tail(&obj->head, &dev->mode_config.privobj_list);
    state = obj->funcs->atomic_create_state(obj);
    if (IS_ERR(state))
        return PTR_ERR(state);
    obj->state = state;

If atomic_create_state() fails, the function returns the error immediately without removing obj->head from the list. This leaves obj->state as NULL.

Multiple drivers (such as drm_dp_mst_topology_mgr_init() or vc4_ctm_obj_init()) ignore the return value of drm_atomic_private_obj_init() and continue initialization, meaning the device successfully registers despite the failure.

Once registered, reading /sys/kernel/debug/dri/X/state triggers drm_state_dump(), which iterates over privobj_list and calls drm_atomic_private_obj_print_state(p, obj->state). Because obj->state is NULL, drm_atomic_private_obj_print_state() will immediately dereference it (struct drm_private_obj *obj = state->obj;), causing a kernel oops that can be triggered by userspace from a diagnostic read.

> } > EXPORT_SYMBOL(__drm_atomic_helper_private_obj_create_state);
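The failure path described in the review comment above, as an added userspace model (not kernel code, and not from the patch, its author or the reviewer). All type and function names are hypothetical, and a NULL return stands in for the kernel's ERR_PTR() convention; it contrasts linking the object before creating its state with creating the state first.

```c
#include <stdlib.h>
/* Userspace model with hypothetical names; NULL stands in for ERR_PTR(). */
struct priv_state { int value; };
struct priv_obj {
    struct priv_obj *next;     /* link in the model of privobj_list */
    struct priv_state *state;  /* stays NULL if state creation fails */
    struct priv_state *(*create_state)(struct priv_obj *obj);
};
struct obj_list { struct priv_obj *head; };
static struct priv_state *create_ok(struct priv_obj *o) { return calloc(1, sizeof(*o->state)); }
static struct priv_state *create_fail(struct priv_obj *o) { (void)o; return NULL; }

/* Order described in the review: link the object, then create its state. */
static int init_publish_first(struct obj_list *l, struct priv_obj *obj)
{
    obj->next = l->head;
    l->head = obj;
    obj->state = obj->create_state(obj);
    return obj->state ? 0 : -1;  /* on failure the object stays listed */
}

/* Alternative order: create the state, link only a fully initialised object. */
static int init_allocate_first(struct obj_list *l, struct priv_obj *obj)
{
    obj->state = obj->create_state(obj);
    if (!obj->state)
        return -1;
    obj->next = l->head;
    l->head = obj;
    return 0;
}

/* Listed objects a state dump would dereference through a NULL state. */
static int count_stateless(const struct obj_list *l)
{
    int n = 0;
    for (const struct priv_obj *o = l->head; o; o = o->next)
        n += (o->state == NULL);
    return n;
}

int main(void)
{
    struct obj_list a = {0}, b = {0};
    struct priv_obj x = { .create_state = create_fail }, y = x;
    init_publish_first(&a, &x);
    init_allocate_first(&b, &y);
    return !(count_stateless(&a) == 1 && count_stateless(&b) == 0);
}
```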
diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c index cc70508d4fdb..a82568d87e4f 100644 --- a/drivers/gpu/drm/drm_atomic_state_helper.c +++ b/drivers/gpu/drm/drm_atomic_state_helper.c @@ -729,12 +729,10 @@ EXPORT_SYMBOL(drm_atomic_helper_connector_destroy_state); void __drm_atomic_helper_private_obj_create_state(struct drm_private_obj *obj, struct drm_private_state *state) { if (state) state->obj = obj; - - obj->state = state; } EXPORT_SYMBOL(__drm_atomic_helper_private_obj_create_state); /** * __drm_atomic_helper_private_obj_duplicate_state - copy atomic private state
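Review bot: The kernel-doc for `__drm_atomic_helper_private_obj_create_state()` is not updated alongside the removal of `obj->state = state;` (the diffstat shows 2 deletions and nothing else); if that comment still says the helper sets the object's state pointer, it should be corrected in this patch, and it would help to state there that the caller, `drm_atomic_private_obj_init()`, is the one that assigns `obj->state`. Since the helper now only does `state->obj = obj` under `if (state)`, it is also worth confirming that no `atomic_create_state` implementation reads `obj->state` after calling the helper and before returning, because that pointer is no longer set at that point.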