On Mon, Sep 08, 2025 at 11:38:44PM +0200, Christophe JAILLET wrote:
> Le 08/09/2025 à 23:26, Dmitry Baryshkov a écrit :
> > On Mon, Sep 08, 2025 at 11:09:07PM +0200, Christophe JAILLET wrote:
> > > Le 19/08/2025 à 22:32, Dmitry Baryshkov a écrit :
> > > > Use drmm_plain_encoder_alloc() to allocate simple encoder and
> > > > drmm_writeback_connector_init() in order to initialize writeback
> > > > connector instance.
> > > >
> > > > Reviewed-by: Louis Chauvet
> > > > <louis.chauvet-ldxbnhwyfcjbdgjk7y7tuq-xmd5yjdbdmrexy1tmh2...@public.gmane.org>
> > > > Reviewed-by: Suraj Kandpal
> > > > <suraj.kandpal-ral2jqcrhueavxtiumwx3w-xmd5yjdbdmrexy1tmh2...@public.gmane.org>
> > > > Reviewed-by: Jessica Zhang
> > > > <jessica.zhang-5ofbvzjwu8ry9ajcnzt0uw-xmd5yjdbdmrexy1tmh2...@public.gmane.org>
> > > > Signed-off-by: Dmitry Baryshkov
> > > > <dmitry.baryshkov-5ofbvzjwu8ry9ajcnzt0uw-xmd5yjdbdmrexy1tmh2...@public.gmane.org>
> > > > ---
> > > > drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 10 +++-------
> > > > 1 file changed, 3 insertions(+), 7 deletions(-)
> > > >
> > > > diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > index
> > > > 8ff496082902b1ee713e806140f39b4730ed256a..cd73468e369a93c50303db2a7d4499bcb17be5d1
> > > > 100644
> > > > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
> > > > @@ -80,7 +80,6 @@ static int dpu_wb_conn_atomic_check(struct
> > > > drm_connector *connector,
> > > > static const struct drm_connector_funcs dpu_wb_conn_funcs = {
> > > > .reset = drm_atomic_helper_connector_reset,
> > > > .fill_modes = drm_helper_probe_single_connector_modes,
> > > > - .destroy = drm_connector_cleanup,
> > > > .atomic_duplicate_state =
> > > > drm_atomic_helper_connector_duplicate_state,
> > > > .atomic_destroy_state =
> > > > drm_atomic_helper_connector_destroy_state,
> > > > };
> > > > @@ -131,12 +130,9 @@ int dpu_writeback_init(struct drm_device *dev,
> > > > struct drm_encoder *enc,
> > > > drm_connector_helper_add(&dpu_wb_conn->base.base,
> > > > &dpu_wb_conn_helper_funcs);
> > > > - /* DPU initializes the encoder and sets it up completely for
> > > > writeback
> > > > - * cases and hence should use the new API
> > > > drm_writeback_connector_init_with_encoder
> > > > - * to initialize the writeback connector
> > > > - */
> > > > - rc = drm_writeback_connector_init_with_encoder(dev,
> > > > &dpu_wb_conn->base, enc,
> > > > - &dpu_wb_conn_funcs, format_list, num_formats);
> > > > + rc = drmm_writeback_connector_init(dev, &dpu_wb_conn->base,
> > > > + &dpu_wb_conn_funcs, enc,
> > > > + format_list, num_formats);
> > > > if (!rc)
> > > > dpu_wb_conn->wb_enc = enc;
> > > >
> > >
> > > dpu_wb_conn is allocated a few lines above using devm_kzalloc().
> >
> > That's a valid point, thanks!
>
> I've not analyzed in details all the patches of the serie, but at least
> patch 2/8 and 6/8 seems to have the same pattern.
Not quite, 2/8 and 6/8 use drmm_kzalloc(), it is fine to be used with
drmm_writeback_connector_init(). This one is indeed incorrect.
>
> CJ
>
> >
> > >
> > > Based on [1], mixing devm_ and drmm_ is not safe and can lead to a uaf.
> > >
> > > Is it correct here?
> > > If the explanation at [1] is correct, then &dpu_wb_conn->base would point
> > > to
> > > some released memory, IIUC.
> > >
> > >
> > > just my 2c.
> > >
> > > CJ
> > >
> > > [1]:
> > > https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753
> >
>
--
With best wishes
Dmitry
