From: Jonas Karlman
To: Andrzej Hajda, Neil Armstrong, Robert Foss, Heiko Stuebner, Laurent Pinchart, Jonas Karlman, Jernej Skrabec, Luca Ceresoli, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Cristian Ciocaltea, Louis Chauvet
Cc: Liu Ying, Sandy Huang, Andy Yan, Chen-Yu Tsai, Christian Hewitt, Diederik de Haas, Nicolas Frattaroli, Dmitry Baryshkov, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-rockchip@lists.infradead.org, linux-amlogic@lists.infradead.org, linux-sunxi@lists.linux.dev, imx@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH v7 04/23] drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup
Date: Mon, 18 May 2026 18:01:40 +0000
Message-ID: <20260518180206.2480119-5-jonas@kwiboo.se>
In-Reply-To: <20260518180206.2480119-1-jonas@kwiboo.se>

drmres connector cleanup typically runs after devres has released the
last dw-hdmi bridge reference. Since struct dw_hdmi, where the connector
lives, is freed when the last bridge reference is released, connector
cleanup can end up accessing freed memory.

Call trace without a bridge reference held until connector cleanup:
- dw_hdmi_bridge_detach()
- dw_hdmi_bridge_destroy() <<-- struct dw_hdmi is free()
- [drm:drm_managed_release] drmres release begin
- [drm:drm_managed_release] REL (...) drm_mode_config_init_release (0 bytes)
- dw_hdmi_connector_destroy()
- drm_connector_cleanup() <<-- drm_connector is use-after-free
[...]
- [drm:drm_managed_release] drmres release end

Hold a bridge reference for as long as the connector exists and drop it
after drm_connector_cleanup() has completed to keep struct dw_hdmi alive
until connector teardown is finished and avoid the use-after-free.

Call trace with a bridge reference held until connector cleanup:
- dw_hdmi_bridge_detach()
- [drm:drm_managed_release] drmres release begin
- [drm:drm_managed_release] REL (...) drm_mode_config_init_release (0 bytes)
- dw_hdmi_connector_destroy()
- drm_connector_cleanup() <<-- drm_connector is destroy()
- drm_bridge_put()
- dw_hdmi_bridge_destroy() <<-- struct dw_hdmi is free()
[...]
- [drm:drm_managed_release] drmres release end

Fixes: ed6987b67418 ("drm/bridge: dw-hdmi: convert to devm_drm_bridge_alloc() API")
Tested-by: Diederik de Haas # Rock64, RockPro64, Quartz64-B
Signed-off-by: Jonas Karlman
Reviewed-by: Luca Ceresoli
---
v7: Add fixes tag, re-order patch
v6: Collect t-b tag
v5: New patch

This use-after-free issue likely existed before commit ed6987b67418 when
devm_kzalloc() was used instead of devm_drm_bridge_alloc(). However,
v6.16-rc1 first introduced bridge refcount and drm_bridge_put(), parts
that are used to help fix the use-after-free issue.

KASAN reports a slab-use-after-free in __refcount_add_not_zero when,

  echo fe0a0000.hdmi > /sys/bus/platform/drivers/dwhdmi-rockchip/unbind

on a Rockchip RK3566 device prior to this fix.
---
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c index b7bfc0e9a6b2..9d795c550f8a 100644 --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
@@ -2568,10 +2568,18 @@ static void dw_hdmi_connector_force(struct drm_connector *connector) mutex_unlock(&hdmi->mutex); } +static void dw_hdmi_connector_destroy(struct drm_connector *connector) +{ + struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector); + + drm_connector_cleanup(connector); + drm_bridge_put(&hdmi->bridge); +} + static const struct drm_connector_funcs dw_hdmi_connector_funcs = { .fill_modes = drm_helper_probe_single_connector_modes, .detect = dw_hdmi_connector_detect, - .destroy = drm_connector_cleanup, + .destroy = dw_hdmi_connector_destroy, .force = dw_hdmi_connector_force, .reset = drm_atomic_helper_connector_reset, .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state, @@ -2588,6 +2596,7 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi) struct drm_connector *connector = &hdmi->connector; struct cec_connector_info conn_info; struct cec_notifier *notifier; + int ret; if (hdmi->version >= 0x200a) connector->ycbcr_420_allowed = @@ -2600,10 +2609,14 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi) drm_connector_helper_add(connector, &dw_hdmi_connector_helper_funcs); - drm_connector_init_with_ddc(hdmi->bridge.dev, connector, - &dw_hdmi_connector_funcs, - DRM_MODE_CONNECTOR_HDMIA, - hdmi->ddc); + ret = drm_connector_init_with_ddc(hdmi->bridge.dev, connector, + &dw_hdmi_connector_funcs, + DRM_MODE_CONNECTOR_HDMIA, + hdmi->ddc); + if (ret) + return ret; + + drm_bridge_get(&hdmi->bridge); /* * drm_connector_attach_max_bpc_property() requires the
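
Review bot: in dw_hdmi_connector_destroy() (first hunk), the ordering of drm_connector_cleanup() before drm_bridge_put(&hdmi->bridge) is load-bearing but undocumented. The put may drop the last reference and free struct dw_hdmi, which embeds the connector, so nothing may touch connector or hdmi after it. A short comment above the put, saying that it pairs with the drm_bridge_get() in dw_hdmi_connector_create() and must remain the final statement, would keep a later edit from reintroducing the use-after-free.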
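
Review bot: in the last hunk, drm_bridge_get(&hdmi->bridge) is taken right after drm_connector_init_with_ddc() succeeds, but the rest of dw_hdmi_connector_create() is cut off here, so it is not visible whether a later failure return could leave this reference unbalanced. Please confirm that every error path after the get still ends in dw_hdmi_connector_destroy(), or puts the reference itself, and add a comment at the get naming its matching drm_bridge_put(). The new "if (ret) return ret;" also turns a previously ignored init failure into an error return, so the caller has to handle a non-zero result; a sentence in the commit message noting that behaviour change would help.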