On Mon, Jun 10, 2024 at 02:07:06PM +0200, Maxime Ripard wrote:
> Hi,
>
> +Hans
>
> On Mon, Jun 10, 2024 at 02:46:03PM GMT, Dmitry Baryshkov wrote:
> > On Mon, 10 Jun 2024 at 11:04, Maxime Ripard <mripard@xxxxxxxxxx> wrote:
> > >
> > > Hi,
> > >
> > > On Fri, Jun 07, 2024 at 04:22:59PM GMT, Dmitry Baryshkov wrote:
> > > > Turn drm_bridge_connector to using drmm_kzalloc() and
> > > > drmm_connector_init() and drop the custom destroy function. The
> > > > drm_connector_unregister() and fwnode_handle_put() are already handled
> > > > by the drm_connector_cleanup() and so are safe to be dropped.
> > > >
> > > > Acked-by: Maxime Ripard <mripard@xxxxxxxxxx>
> > > > Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
> > > > ---
> > > > drivers/gpu/drm/drm_bridge_connector.c | 23 +++++------------------
> > > > 1 file changed, 5 insertions(+), 18 deletions(-)
> > > >
> > > > diff --git a/drivers/gpu/drm/drm_bridge_connector.c b/drivers/gpu/drm/drm_bridge_connector.c
> > > > index 982552c9f92c..e093fc8928dc 100644
> > > > --- a/drivers/gpu/drm/drm_bridge_connector.c
> > > > +++ b/drivers/gpu/drm/drm_bridge_connector.c
> > > > @@ -15,6 +15,7 @@
> > > > #include <drm/drm_connector.h>
> > > > #include <drm/drm_device.h>
> > > > #include <drm/drm_edid.h>
> > > > +#include <drm/drm_managed.h>
> > > > #include <drm/drm_modeset_helper_vtables.h>
> > > > #include <drm/drm_probe_helper.h>
> > > >
> > > > @@ -193,19 +194,6 @@ drm_bridge_connector_detect(struct drm_connector *connector, bool force)
> > > > return status;
> > > > }
> > > >
> > > > -static void drm_bridge_connector_destroy(struct drm_connector *connector)
> > > > -{
> > > > - struct drm_bridge_connector *bridge_connector =
> > > > - to_drm_bridge_connector(connector);
> > > > -
> > > > - drm_connector_unregister(connector);
> > > > - drm_connector_cleanup(connector);
> > > > -
> > > > - fwnode_handle_put(connector->fwnode);
> > > > -
> > > > - kfree(bridge_connector);
> > > > -}
> > > > -
> > > > static void drm_bridge_connector_debugfs_init(struct drm_connector *connector,
> > > > struct dentry *root)
> > > > {
> > > > @@ -224,7 +212,6 @@ static const struct drm_connector_funcs drm_bridge_connector_funcs = {
> > > > .reset = drm_atomic_helper_connector_reset,
> > > > .detect = drm_bridge_connector_detect,
> > > > .fill_modes = drm_helper_probe_single_connector_modes,
> > > > - .destroy = drm_bridge_connector_destroy,
> > > > .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
> > > > .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
> > > > .debugfs_init = drm_bridge_connector_debugfs_init,
> > > > @@ -328,7 +315,7 @@ struct drm_connector *drm_bridge_connector_init(struct drm_device *drm,
> > > > int connector_type;
> > > > int ret;
> > > >
> > > > - bridge_connector = kzalloc(sizeof(*bridge_connector), GFP_KERNEL);
> > > > + bridge_connector = drmm_kzalloc(drm, sizeof(*bridge_connector), GFP_KERNEL);
> > >
> > > So you make destroy's kfree call unnecessary here ...
> > >
> > > > if (!bridge_connector)
> > > > return ERR_PTR(-ENOMEM);
> > > >
> > > > @@ -383,9 +370,9 @@ struct drm_connector *drm_bridge_connector_init(struct drm_device *drm,
> > > > return ERR_PTR(-EINVAL);
> > > > }
> > > >
> > > > - ret = drm_connector_init_with_ddc(drm, connector,
> > > > - &drm_bridge_connector_funcs,
> > > > - connector_type, ddc);
> > > > + ret = drmm_connector_init(drm, connector,
> > > > + &drm_bridge_connector_funcs,
> > > > + connector_type, ddc);
> > >
> > > ... and here of drm_connector_cleanup.
> > >
> > > drm_connector_unregister wasn't needed, so can ignore it, but you leak a reference to
> > > connector->fwnode since you don't call fwnode_handle_put anymore.
> > >
> > > We should register a drmm action right below the call to fwnode_handle_get too.
> >
> > But drm_connector_cleanup() already contains
> > fwnode_handle_put(connector->fwnode). Isn't that enough?
>
> It does, but now I'm confused.
>
> drm_bridge_connector_init takes a reference, drm_connector_init doesn't.
> It will call drm_bridge_connector_destroy() that gives back its
> reference (which makes sense to me), but then why do
> drm_connector_cleanup() does? None of the drm_connector code even took
> that reference, and we end up with a double-put.
>
> It looks like it was introduced by commit 48c429c6d18d ("drm/connector:
> Add a fwnode pointer to drm_connector and register with ACPI (v2)") from
> Hans, which does call put, but never gets that reference.
The mentioned patch documents that pretty clearly:
* Drivers can set this to associate a fwnode with a connector, drivers
* are expected to get a reference on the fwnode when setting this.
* drm_connector_cleanup() will call fwnode_handle_put() on this.
This is logical. Whoever sets the drm_connector::fwnode pointer, should
get reference. This way drm_connector_init() doesn't need to play with
the reference counting. The cleanup code drops the reference (so the
driver doesn't need to), because cleanup might be assynchronous..
The drm_bridge_connector follows this approach: it sets
drm_connector->fwnode, so it gets the reference. It uses
drm_connector_cleanup(), so it doesn't need to put it.
>
> It has nothing to do with this series anymore, but that's super fishy to
> me, and the source of bugs as we can see here.
--
With best wishes
Dmitry
