On Mon, Feb 10, 2025 at 06:12:52PM +0100, Luca Ceresoli wrote:
> Hello Maxime,
>
> On Fri, 7 Feb 2025 12:47:51 +0100
> Maxime Ripard <mripard@xxxxxxxxxx> wrote:
>
> > > diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
> > > index ad7ba444a13e5ecf16f996de3742e4ac67dc21f1..43cef0f6ccd36034f64ad2babfebea62db1d9e43 100644
> > > --- a/include/drm/drm_bridge.h
> > > +++ b/include/drm/drm_bridge.h
> > > @@ -31,6 +31,7 @@
> > > #include <drm/drm_encoder.h>
> > > #include <drm/drm_mode_object.h>
> > > #include <drm/drm_modes.h>
> > > +#include <drm/drm_print.h>
> > >
> > > struct device_node;
> > >
> > > @@ -863,6 +864,22 @@ struct drm_bridge {
> > > const struct drm_bridge_timings *timings;
> > > /** @funcs: control functions */
> > > const struct drm_bridge_funcs *funcs;
> > > +
> > > + /**
> > > + * @container_offset: Offset of this struct within the container
> > > + * struct embedding it. Used for refcounted bridges to free the
> > > + * embeddeing struct when the refcount drops to zero. Unused on
> > > + * legacy bridges.
> > > + */
> > > + size_t container_offset;
> >
> > This shouldn't be in there. You can create an intermediate structure and
> > store both pointers for the action to consume.
>
> You mean to store container_offset + refcount + is_refcounted?
No, I meant for the private structure pointer and the drm_bridge
pointer. refcount should be in drm_bridge, and I think is_refcounted
should be dropped.
> It can be named drm_bridge_object maybe, as it is somewhat resembling
> struct drm_mode_object?
>
> > > + /**
> > > + * @refcount: reference count for bridges with dynamic lifetime
> > > + * (see drm_bridge_init)
> > > + */
> > > + struct kref refcount;
> > > + /** @is_refcounted: this bridge has dynamic lifetime management */
> > > + bool is_refcounted;
> > > +
> >
> > I'm not sure we want to treat both paths separately too. It'll require
> > to update most of/all the drivers, but it's not too hard with
> > coccinelle:
> >
> > virtual patch
> >
> > @@
> > identifier f;
> > identifier b, c, d;
> > expression bf;
> > type T;
> > @@
> >
> > f(...)
> > {
> > ...
> > - T *c;
> > + T *c;
> > ...
> > - c = devm_kzalloc(d, ...);
> > + c = devm_drm_bridge_alloc(d, T, b, bf);
> > ...
> > - c->b.funcs = bf;
> > ...
> > drm_bridge_add(&c->b);
> > ...
> > }
> >
> > We need to add a bit more variations (like kzalloc vs devm_kzalloc,
> > drm_bridge_add vs devm_drm_bridge_add, etc.), but it should be a good
> > first approximation
>
> Sure, this can be useful, thanks.
You can identify all the bridges affected by this issue using:
virtual report
@ find_add @
identifier add_f;
identifier c;
identifier b;
expression d;
position p;
identifier r;
type T;
@@
add_f(...)
{
...
- T *c;
+ T *c;
...
(
drm_bridge_add(&c->b)@p;
|
devm_drm_bridge_add(d, &c->b)@p;
|
r = devm_drm_bridge_add(d, &c->b)@p;
)
...
}
@ find_allocation depends on find_add @
identifier alloc_f;
type find_add.T;
identifier cal;
position p;
@@
alloc_f(...)
{
...
- T *cal;
+ T *cal;
...
(
cal = kzalloc(...)@p;
|
cal = devm_kzalloc(...)@p;
)
...
}
@ script:python depends on report && (find_add && find_allocation) @
add_f << find_add.add_f;
alloc_f << find_allocation.alloc_f;
add_p << find_add.p;
alloc_p << find_allocation.p;
@@
coccilib.report.print_report(alloc_p[0], "ERROR: Bridge Driver is unsafely allocated in %s and added in %s" % (alloc_f, add_f))
Maxime
Attachment:
signature.asc
Description: PGP signature
