[v7,15/23] drm: bridge: dw_hdmi: Use generic CEC notifier helpers
Commit Message
The commit 8b1a8f8b2002 ("drm/display: add CEC helpers code") added
generic CEC helpers to be used by HDMI drivers.
Replace the open-coded CEC notifier handling with use of the generic CEC
notifier helpers. Ensure DRM_DISPLAY_HDMI_CEC_NOTIFIER_HELPER is also
selected when DRM_DW_HDMI_CEC is enabled so that the CEC helpers is
available.
The drmm release action for the generic CEC notifier should run just
before dw_hdmi_connector_destroy(), closely matching the lifetime of
the replaced CEC notifier and the connector.
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Tested-by: Diederik de Haas <diederik@cknow-tech.com> # Rock64, RockPro64, Quartz64-B
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
v7: No change
v6: Update commit message,
Collect t-b tag
v5: Collect r-b tag
v4: New patch
---
drivers/gpu/drm/bridge/synopsys/Kconfig | 1 +
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 26 +++++------------------
2 files changed, 6 insertions(+), 21 deletions(-)
Comments
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free and memory leak due to drmm action lifetime mismatch with the connector
--
commit 7a3d2d4c9ae6107ffef88b867d73cc39dd7e8567
Author: Jonas Karlman <jonas@kwiboo.se>
drm: bridge: dw_hdmi: Use generic CEC notifier helpers
This commit replaces the open-coded CEC notifier handling with the generic
DRM HDMI CEC notifier helpers.
> The drmm release action for the generic CEC notifier should run just
> before dw_hdmi_connector_destroy(), closely matching the lifetime of
> the replaced CEC notifier and the connector.
Is this assumption accurate for all drivers using dw_hdmi?
When master drivers like sun4i or imx are unbound, drm_mode_config_cleanup()
is often called synchronously, which in turn calls dw_hdmi_connector_destroy().
If a userspace process holds the DRM file descriptor open, the drm_device
outlives the unbind. Doesn't this mean the drmm release action will run
much later than dw_hdmi_connector_destroy(), rather than just before it?
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 0e84dff724706..37406555af7bc 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
[ ... ]
> @@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
>
> drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
>
> - cec_fill_conn_info_from_drm(&conn_info, connector);
> -
> - notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
> - if (!notifier)
> - return -ENOMEM;
> -
> - hdmi->cec_notifier = notifier;
> -
> - return 0;
> + return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
> + hdmi->dev);
> }
Could this cause a use-after-free when the drm_device is finally released?
Looking at dw_hdmi_connector_destroy(), it cleans up the connector state:
dw_hdmi_connector_destroy()
drm_connector_cleanup(connector)
...
memset(connector, 0, sizeof(*connector));
Since the connector is embedded in struct dw_hdmi which is managed by devres
and the bridge refcount, the memory will be freed when the platform device
unbind completes.
When the drmm action drm_connector_hdmi_cec_notifier_unregister() eventually
executes during drm_dev_release(), won't it attempt to dereference the
already freed connector pointer?
If the memory happens to still be accessible, won't it read the zeroed
connector->cec.data as a NULL pointer, silently leaking the CEC notifier?
On 18/05/2026 20:01, Jonas Karlman wrote:
> The commit 8b1a8f8b2002 ("drm/display: add CEC helpers code") added
> generic CEC helpers to be used by HDMI drivers.
>
> Replace the open-coded CEC notifier handling with use of the generic CEC
> notifier helpers. Ensure DRM_DISPLAY_HDMI_CEC_NOTIFIER_HELPER is also
> selected when DRM_DW_HDMI_CEC is enabled so that the CEC helpers is
> available.
>
> The drmm release action for the generic CEC notifier should run just
> before dw_hdmi_connector_destroy(), closely matching the lifetime of
> the replaced CEC notifier and the connector.
>
> Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
> Tested-by: Diederik de Haas <diederik@cknow-tech.com> # Rock64, RockPro64, Quartz64-B
> Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Acked-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Regards,
Hans
> ---
> v7: No change
> v6: Update commit message,
> Collect t-b tag
> v5: Collect r-b tag
> v4: New patch
> ---
> drivers/gpu/drm/bridge/synopsys/Kconfig | 1 +
> drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 26 +++++------------------
> 2 files changed, 6 insertions(+), 21 deletions(-)
>
> diff --git a/drivers/gpu/drm/bridge/synopsys/Kconfig b/drivers/gpu/drm/bridge/synopsys/Kconfig
> index a46df7583bcf..e6723af03b43 100644
> --- a/drivers/gpu/drm/bridge/synopsys/Kconfig
> +++ b/drivers/gpu/drm/bridge/synopsys/Kconfig
> @@ -49,6 +49,7 @@ config DRM_DW_HDMI_CEC
> depends on DRM_DW_HDMI
> select CEC_CORE
> select CEC_NOTIFIER
> + select DRM_DISPLAY_HDMI_CEC_NOTIFIER_HELPER
> help
> Support the CE interface which is part of the Synopsys
> Designware HDMI block.
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> index 0e84dff72470..37406555af7b 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
> @@ -23,12 +23,11 @@
> #include <linux/dma-mapping.h>
> #include <linux/spinlock.h>
>
> -#include <media/cec-notifier.h>
> -
> #include <linux/media-bus-format.h>
> #include <linux/videodev2.h>
>
> #include <drm/bridge/dw_hdmi.h>
> +#include <drm/display/drm_hdmi_cec_helper.h>
> #include <drm/display/drm_hdmi_helper.h>
> #include <drm/display/drm_scdc_helper.h>
> #include <drm/drm_atomic.h>
> @@ -183,8 +182,6 @@ struct dw_hdmi {
> void (*enable_audio)(struct dw_hdmi *hdmi);
> void (*disable_audio)(struct dw_hdmi *hdmi);
>
> - struct cec_notifier *cec_notifier;
> -
> hdmi_codec_plugged_cb plugged_cb;
> struct device *codec_dev;
> enum drm_connector_status last_connector_result;
> @@ -2453,7 +2450,7 @@ dw_hdmi_connector_status_update(struct dw_hdmi *hdmi,
>
> if (status == connector_status_disconnected) {
> drm_edid_connector_update(connector, NULL);
> - cec_notifier_phys_addr_invalidate(hdmi->cec_notifier);
> + drm_connector_cec_phys_addr_invalidate(connector);
> return;
> }
>
> @@ -2462,8 +2459,7 @@ dw_hdmi_connector_status_update(struct dw_hdmi *hdmi,
> drm_edid_free(drm_edid);
>
> if (status == connector_status_connected)
> - cec_notifier_set_phys_addr(hdmi->cec_notifier,
> - connector->display_info.source_physical_address);
> + drm_connector_cec_phys_addr_set(connector);
> }
>
> static enum drm_connector_status
> @@ -2525,9 +2521,6 @@ static void dw_hdmi_connector_destroy(struct drm_connector *connector)
> {
> struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector);
>
> - cec_notifier_conn_unregister(hdmi->cec_notifier);
> - hdmi->cec_notifier = NULL;
> -
> drm_connector_cleanup(connector);
> drm_bridge_put(&hdmi->bridge);
> }
> @@ -2550,8 +2543,6 @@ static const struct drm_connector_helper_funcs dw_hdmi_connector_helper_funcs =
> static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
> {
> struct drm_connector *connector = &hdmi->connector;
> - struct cec_connector_info conn_info;
> - struct cec_notifier *notifier;
> int ret;
>
> if (hdmi->version >= 0x200a)
> @@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
>
> drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
>
> - cec_fill_conn_info_from_drm(&conn_info, connector);
> -
> - notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
> - if (!notifier)
> - return -ENOMEM;
> -
> - hdmi->cec_notifier = notifier;
> -
> - return 0;
> + return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
> + hdmi->dev);
> }
>
> /* -----------------------------------------------------------------------------
@@ -49,6 +49,7 @@ config DRM_DW_HDMI_CEC
depends on DRM_DW_HDMI
select CEC_CORE
select CEC_NOTIFIER
+ select DRM_DISPLAY_HDMI_CEC_NOTIFIER_HELPER
help
Support the CE interface which is part of the Synopsys
Designware HDMI block.
@@ -23,12 +23,11 @@
#include <linux/dma-mapping.h>
#include <linux/spinlock.h>
-#include <media/cec-notifier.h>
-
#include <linux/media-bus-format.h>
#include <linux/videodev2.h>
#include <drm/bridge/dw_hdmi.h>
+#include <drm/display/drm_hdmi_cec_helper.h>
#include <drm/display/drm_hdmi_helper.h>
#include <drm/display/drm_scdc_helper.h>
#include <drm/drm_atomic.h>
@@ -183,8 +182,6 @@ struct dw_hdmi {
void (*enable_audio)(struct dw_hdmi *hdmi);
void (*disable_audio)(struct dw_hdmi *hdmi);
- struct cec_notifier *cec_notifier;
-
hdmi_codec_plugged_cb plugged_cb;
struct device *codec_dev;
enum drm_connector_status last_connector_result;
@@ -2453,7 +2450,7 @@ dw_hdmi_connector_status_update(struct dw_hdmi *hdmi,
if (status == connector_status_disconnected) {
drm_edid_connector_update(connector, NULL);
- cec_notifier_phys_addr_invalidate(hdmi->cec_notifier);
+ drm_connector_cec_phys_addr_invalidate(connector);
return;
}
@@ -2462,8 +2459,7 @@ dw_hdmi_connector_status_update(struct dw_hdmi *hdmi,
drm_edid_free(drm_edid);
if (status == connector_status_connected)
- cec_notifier_set_phys_addr(hdmi->cec_notifier,
- connector->display_info.source_physical_address);
+ drm_connector_cec_phys_addr_set(connector);
}
static enum drm_connector_status
@@ -2525,9 +2521,6 @@ static void dw_hdmi_connector_destroy(struct drm_connector *connector)
{
struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector);
- cec_notifier_conn_unregister(hdmi->cec_notifier);
- hdmi->cec_notifier = NULL;
-
drm_connector_cleanup(connector);
drm_bridge_put(&hdmi->bridge);
}
@@ -2550,8 +2543,6 @@ static const struct drm_connector_helper_funcs dw_hdmi_connector_helper_funcs =
static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
{
struct drm_connector *connector = &hdmi->connector;
- struct cec_connector_info conn_info;
- struct cec_notifier *notifier;
int ret;
if (hdmi->version >= 0x200a)
@@ -2587,15 +2578,8 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
drm_connector_attach_encoder(connector, hdmi->bridge.encoder);
- cec_fill_conn_info_from_drm(&conn_info, connector);
-
- notifier = cec_notifier_conn_register(hdmi->dev, NULL, &conn_info);
- if (!notifier)
- return -ENOMEM;
-
- hdmi->cec_notifier = notifier;
-
- return 0;
+ return drmm_connector_hdmi_cec_notifier_register(connector, NULL,
+ hdmi->dev);
}
/* -----------------------------------------------------------------------------