From: Jonas Karlman <jonas@kwiboo.se>
To: Andrzej Hajda <andrzej.hajda@intel.com>,
Neil Armstrong <neil.armstrong@linaro.org>,
Robert Foss <rfoss@kernel.org>, Heiko Stuebner <heiko@sntech.de>,
Laurent Pinchart <Laurent.pinchart@ideasonboard.com>,
Jonas Karlman <jonas@kwiboo.se>,
Jernej Skrabec <jernej.skrabec@gmail.com>,
Luca Ceresoli <luca.ceresoli@bootlin.com>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Maxime Ripard <mripard@kernel.org>,
Thomas Zimmermann <tzimmermann@suse.de>,
David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>
Cc: Liu Ying <victor.liu@nxp.com>, Sandy Huang <hjc@rock-chips.com>,
Andy Yan <andy.yan@rock-chips.com>,
Chen-Yu Tsai <wens@kernel.org>,
Christian Hewitt <christianshewitt@gmail.com>,
Diederik de Haas <diederik@cknow-tech.com>,
Nicolas Frattaroli <nicolas.frattaroli@collabora.com>,
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>,
dri-devel@lists.freedesktop.org,
linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org,
linux-amlogic@lists.infradead.org, linux-sunxi@lists.linux.dev,
imx@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: [PATCH v6 07/22] drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup
Date: Sat, 16 May 2026 18:38:17 +0000 [thread overview]
Message-ID: <20260516183838.2024991-8-jonas@kwiboo.se> (raw)
In-Reply-To: <20260516183838.2024991-1-jonas@kwiboo.se>
drmres connector cleanup typically run after devres has released the
last dw-hdmi bridge reference. Since struct dw_hdmi, where the connector
lives, is freed when the last bridge reference is released, connector
cleanup can end up accessing freed memory.
Call trace without a bridge reference held until connector cleanup:
- dw_hdmi_bridge_detach()
- dw_hdmi_bridge_destroy() <<-- struct dw_hdmi is free()
- [drm:drm_managed_release] drmres release begin
- [drm:drm_managed_release] REL (____ptrval____) drm_mode_config_init_release (0 bytes)
- dw_hdmi_connector_destroy()
- drm_connector_cleanup() <<-- drm_connector is use-after-free
[...]
- [drm:drm_managed_release] drmres release end
Hold a bridge reference for as long as the connector exists and drop it
after drm_connector_cleanup() has completed to keep struct dw_hdmi alive
until connector teardown is finished and avoids the use-after-free.
Call trace with a bridge reference held until connector cleanup:
- dw_hdmi_bridge_detach()
- [drm:drm_managed_release] drmres release begin
- [drm:drm_managed_release] REL (____ptrval____) drm_mode_config_init_release (0 bytes)
- dw_hdmi_connector_destroy()
- drm_connector_cleanup() <<-- drm_connector is destroy()
- drm_bridge_put()
- dw_hdmi_bridge_destroy() <<-- struct dw_hdmi is free()
[...]
- [drm:drm_managed_release] drmres release end
Tested-by: Diederik de Haas <diederik@cknow-tech.com> # Rock64, RockPro64, Quartz64-B
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
---
v6: Collect t-b tag
v5: New patch
---
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
index a176eb55418c..cbbd15578042 100644
--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
@@ -2528,10 +2528,18 @@ static void dw_hdmi_connector_force(struct drm_connector *connector)
mutex_unlock(&hdmi->mutex);
}
+static void dw_hdmi_connector_destroy(struct drm_connector *connector)
+{
+ struct dw_hdmi *hdmi = container_of(connector, struct dw_hdmi, connector);
+
+ drm_connector_cleanup(connector);
+ drm_bridge_put(&hdmi->bridge);
+}
+
static const struct drm_connector_funcs dw_hdmi_connector_funcs = {
.fill_modes = drm_helper_probe_single_connector_modes,
.detect = dw_hdmi_connector_detect,
- .destroy = drm_connector_cleanup,
+ .destroy = dw_hdmi_connector_destroy,
.force = dw_hdmi_connector_force,
.reset = drm_atomic_helper_connector_reset,
.atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
@@ -2548,6 +2556,7 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
struct drm_connector *connector = &hdmi->connector;
struct cec_connector_info conn_info;
struct cec_notifier *notifier;
+ int ret;
if (hdmi->version >= 0x200a)
connector->ycbcr_420_allowed =
@@ -2560,10 +2569,14 @@ static int dw_hdmi_connector_create(struct dw_hdmi *hdmi)
drm_connector_helper_add(connector, &dw_hdmi_connector_helper_funcs);
- drm_connector_init_with_ddc(hdmi->bridge.dev, connector,
- &dw_hdmi_connector_funcs,
- DRM_MODE_CONNECTOR_HDMIA,
- hdmi->ddc);
+ ret = drm_connector_init_with_ddc(hdmi->bridge.dev, connector,
+ &dw_hdmi_connector_funcs,
+ DRM_MODE_CONNECTOR_HDMIA,
+ hdmi->ddc);
+ if (ret)
+ return ret;
+
+ drm_bridge_get(&hdmi->bridge);
/*
* drm_connector_attach_max_bpc_property() requires the
--
2.54.0
next prev parent reply other threads:[~2026-05-16 18:41 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-16 18:38 [PATCH v6 00/22] drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Jonas Karlman
2026-05-16 18:38 ` [PATCH v6 01/22] drm: bridge: dw_hdmi: Disable scrambler feature when not supported Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 02/22] drm: bridge: dw_hdmi: Only notify connected status on HPD interrupt Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 03/22] drm: bridge: dw_hdmi: Call poweron/poweroff from atomic enable/disable Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 04/22] drm: bridge: dw_hdmi: Use passed mode instead of stored previous_mode Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 05/22] drm: bridge: dw_hdmi: Fold poweron and setup functions Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 06/22] drm: bridge: dw_hdmi: Remove previous_mode and mode_set Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` Jonas Karlman [this message]
2026-05-18 6:41 ` Claude review: drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 08/22] drm: bridge: dw_hdmi: Unregister CEC notifier during " Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 09/22] drm: bridge: dw_hdmi: Invalidate CEC phys addr from connector detect Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 10/22] drm: bridge: dw_hdmi: Remove cec_notifier_mutex Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 11/22] drm: bridge: dw_hdmi: Extract dw_hdmi_connector_status_update() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 12/22] drm: bridge: dw_hdmi: Use dw_hdmi_connector_status_update() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 13/22] drm: bridge: dw_hdmi: Use generic CEC notifier helpers Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 14/22] drm: bridge: dw_hdmi: Update EDID and CEC phys addr in bridge detect() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 15/22] drm: bridge: dw_hdmi: Declare bridge CEC notifier support Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 16/22] drm: bridge: dw_hdmi: Use display_info is_hdmi and has_audio Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 17/22] drm: bridge: dw_hdmi: Drop call to drm_bridge_hpd_notify() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 18/22] drm: bridge: dw_hdmi: Use delayed_work to debounce hotplug event Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 19/22] drm: bridge: dw_hdmi: Rework HDP and RXSENSE interrupt handling Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 20/22] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_setup_rx_sense() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 21/22] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_phy_update_hpd() Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-16 18:38 ` [PATCH v6 22/22] drm: bridge: dw_hdmi: Merge top and bottom half IRQ handlers Jonas Karlman
2026-05-18 6:41 ` Claude review: " Claude Code Review Bot
2026-05-18 6:41 ` Claude review: drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260516183838.2024991-8-jonas@kwiboo.se \
--to=jonas@kwiboo.se \
--cc=Laurent.pinchart@ideasonboard.com \
--cc=airlied@gmail.com \
--cc=andrzej.hajda@intel.com \
--cc=andy.yan@rock-chips.com \
--cc=christianshewitt@gmail.com \
--cc=diederik@cknow-tech.com \
--cc=dmitry.baryshkov@oss.qualcomm.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=heiko@sntech.de \
--cc=hjc@rock-chips.com \
--cc=imx@lists.linux.dev \
--cc=jernej.skrabec@gmail.com \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=luca.ceresoli@bootlin.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=nicolas.frattaroli@collabora.com \
--cc=rfoss@kernel.org \
--cc=simona@ffwll.ch \
--cc=tzimmermann@suse.de \
--cc=victor.liu@nxp.com \
--cc=wens@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox