Hi Anusha,
In addition to the feedback Luca already provided, I have a few comments
On Wed, Mar 12, 2025 at 08:54:42PM -0400, Anusha Srivatsa wrote:
> Introduce reference counted allocations for panels to avoid
> use-after-free. The patch adds the macro devm_drm_bridge_alloc()
> to allocate a new refcounted panel. Followed the documentation for
> drmm_encoder_alloc() and devm_drm_dev_alloc and other similar
> implementations for this purpose.
>
> Also adding drm_panel_get() and drm_panel_put() to suitably
> increment and decrement the refcount
>
> Signed-off-by: Anusha Srivatsa <asrivats@xxxxxxxxxx>
> ---
> drivers/gpu/drm/drm_panel.c | 50 ++++++++++++++++++++++++++++++++++++++
> include/drm/drm_panel.h | 58 +++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 108 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
> index c627e42a7ce70459f50eb5095fffc806ca45dabf..b55e380e4a2f7ffd940c207e841c197d85113907 100644
> --- a/drivers/gpu/drm/drm_panel.c
> +++ b/drivers/gpu/drm/drm_panel.c
> @@ -79,6 +79,7 @@ EXPORT_SYMBOL(drm_panel_init);
> */
> void drm_panel_add(struct drm_panel *panel)
> {
> + drm_panel_get(panel);
> mutex_lock(&panel_lock);
> list_add_tail(&panel->list, &panel_list);
> mutex_unlock(&panel_lock);
> @@ -96,6 +97,7 @@ void drm_panel_remove(struct drm_panel *panel)
> mutex_lock(&panel_lock);
> list_del_init(&panel->list);
> mutex_unlock(&panel_lock);
> + drm_panel_put(panel);
> }
> EXPORT_SYMBOL(drm_panel_remove);
I think these two should be added as a separate patch, with some
additional comment on why it's needed (because we store a pointer in the
panel list).
>
> @@ -355,6 +357,54 @@ struct drm_panel *of_drm_find_panel(const struct device_node *np)
> }
> EXPORT_SYMBOL(of_drm_find_panel);
>
> +/* Internal function (for refcounted panels) */
> +void __drm_panel_free(struct kref *kref)
> +{
> + struct drm_panel *panel = container_of(kref, struct drm_panel, refcount);
> + void *container = ((void *)panel) - panel->container_offset;
> +
> + kfree(container);
> +}
> +EXPORT_SYMBOL(__drm_panel_free);
> +
> +static void drm_panel_put_void(void *data)
> +{
> + struct drm_panel *panel = (struct drm_panel *)data;
> +
> + drm_panel_put(panel);
> +}
> +
> +void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
> + const struct drm_panel_funcs *funcs)
> +{
> + void *container;
> + struct drm_panel *panel;
> + int err;
> +
> + if (!funcs) {
> + dev_warn(dev, "Missing funcs pointer\n");
> + return ERR_PTR(-EINVAL);
> + }
> +
> + container = kzalloc(size, GFP_KERNEL);
> + if (!container)
> + return ERR_PTR(-ENOMEM);
> +
> + panel = container + offset;
> + panel->container_offset = offset;
> + panel->funcs = funcs;
> + kref_init(&panel->refcount);
> +
> + err = devm_add_action_or_reset(dev, drm_panel_put_void, panel);
> + if (err)
> + return ERR_PTR(err);
> +
> + drm_panel_init(panel, dev, funcs, panel->connector_type);
> +
> + return container;
> +}
> +EXPORT_SYMBOL(__devm_drm_panel_alloc);
Similarly, here, I think we'd need to split that some more. Ideally, we
should have a series of patches doing
1: Adding that allocation function you have right now, but using
devm_kzalloc
2: Adding the reference counting to drm_panel, with drm_panel_get /
drm_panel_put and the devm_action to put the reference in
__devm_drm_panel_alloc()
3: Adding X patches to add calls to drm_bridge_get/drm_bridge_put
everywhere it's needed, starting indeed by
drm_panel_add/drm_panel_put. We don't have to do all of them in that
series though. of_drm_find_panel though will probably merit a series
of its own, given we'd have to fix all its callers too.
4: Convert some panels to the new allocation function. You already did
that with panel_simple so there's nothing to change yet, but once we
agree on the API we should mass convert all the panels.
Maxime
Attachment:
signature.asc
Description: PGP signature
