[2/5] drm/panel: Add refcount support

Message ID	20250325-b4-panel-refcounting-v1-2-4e2bf5d19c5d@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Anusha Srivatsa <asrivats@redhat.com> Date: Tue, 25 Mar 2025 13:24:09 -0400 Subject: [PATCH 2/5] drm/panel: Add refcount support MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: <20250325-b4-panel-refcounting-v1-2-4e2bf5d19c5d@redhat.com> References: <20250325-b4-panel-refcounting-v1-0-4e2bf5d19c5d@redhat.com> In-Reply-To: <20250325-b4-panel-refcounting-v1-0-4e2bf5d19c5d@redhat.com> To: Neil Armstrong <neil.armstrong@linaro.org>, Jessica Zhang <quic_jesszhan@quicinc.com>, Maarten Lankhorst <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>, David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch> Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Luca Ceresoli <luca.ceresoli@bootlin.com>, Anusha Srivatsa <asrivats@redhat.com> Precedence: list Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	drm/panel: Panel Refcounting infrastructure \| expand [0/5] drm/panel: Panel Refcounting infrastructure [1/5] drm/panel: Add new helpers for refcounted panel allocatons [2/5] drm/panel: Add refcount support [3/5] drm/panel: get/put panel reference in drm_panel_add/remove() [4/5] drm/panel: deprecate old-style panel allocation [5/5] drm/panel/panel-simple: Use the new allocation in place of devm_kzalloc()

Message ID

20250325-b4-panel-refcounting-v1-2-4e2bf5d19c5d@redhat.com (mailing list archive)

State

New, archived

Headers

From: Anusha Srivatsa <asrivats@redhat.com>
Date: Tue, 25 Mar 2025 13:24:09 -0400
Subject: [PATCH 2/5] drm/panel: Add refcount support
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20250325-b4-panel-refcounting-v1-2-4e2bf5d19c5d@redhat.com>
References: <20250325-b4-panel-refcounting-v1-0-4e2bf5d19c5d@redhat.com>
In-Reply-To: <20250325-b4-panel-refcounting-v1-0-4e2bf5d19c5d@redhat.com>
To: Neil Armstrong <neil.armstrong@linaro.org>,
 Jessica Zhang <quic_jesszhan@quicinc.com>,
 Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
 Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>,
 David Airlie <airlied@gmail.com>, Simona Vetter <simona@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
 Luca Ceresoli <luca.ceresoli@bootlin.com>,
 Anusha Srivatsa <asrivats@redhat.com>
Precedence: list
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

drm/panel: Panel Refcounting infrastructure | expand

Commit Message

Anusha Srivatsa March 25, 2025, 5:24 p.m. UTC

Allocate panel via reference counting.
Add _get() and _put() helper functions
to ensure panel allocations are refcounted.
Avoid use after free by ensuring panel is
valid and can be usable till the last reference
is put. This avoids use-after-free

Signed-off-by: Anusha Srivatsa <asrivats@redhat.com>
---
 drivers/gpu/drm/drm_panel.c | 65 ++++++++++++++++++++++++++++++++++++++++++++-
 include/drm/drm_panel.h     | 19 ++++++++++++-
 2 files changed, 82 insertions(+), 2 deletions(-)

Comments

kernel test robot March 26, 2025, 1:21 a.m. UTC | #1

Hi Anusha,

kernel test robot noticed the following build warnings:

[auto build test WARNING on c8ba07caaecc622a9922cda49f24790821af8a71]

url:    https://github.com/intel-lab-lkp/linux/commits/Anusha-Srivatsa/drm-panel-Add-new-helpers-for-refcounted-panel-allocatons/20250326-012651
base:   c8ba07caaecc622a9922cda49f24790821af8a71
patch link:    https://lore.kernel.org/r/20250325-b4-panel-refcounting-v1-2-4e2bf5d19c5d%40redhat.com
patch subject: [PATCH 2/5] drm/panel: Add refcount support
config: s390-randconfig-002-20250326 (https://download.01.org/0day-ci/archive/20250326/202503260820.3wTF0Zap-lkp@intel.com/config)
compiler: clang version 15.0.7 (https://github.com/llvm/llvm-project 8dfdcc7b7bf66834a761bd8de445840ef68e4d1a)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250326/202503260820.3wTF0Zap-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503260820.3wTF0Zap-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/gpu/drm/drm_panel.c:408: warning: expecting prototype for drm_bridge_put_void(). Prototype was for drm_panel_put_void() instead


vim +408 drivers/gpu/drm/drm_panel.c

   398	
   399	/**
   400	 * drm_bridge_put_void - wrapper to drm_bridge_put() taking a void pointer
   401	 *
   402	 * @data: pointer to @struct drm_bridge, cast to a void pointer
   403	 *
   404	 * Wrapper of drm_bridge_put() to be used when a function taking a void
   405	 * pointer is needed, for example as a devm action.
   406	 */
   407	static void drm_panel_put_void(void *data)
 > 408	{
   409		struct drm_panel *panel = (struct drm_panel *)data;
   410	
   411		drm_panel_put(panel);
   412	}
   413

Luca Ceresoli March 26, 2025, 9:23 a.m. UTC | #2

On Tue, 25 Mar 2025 13:24:09 -0400
Anusha Srivatsa <asrivats@redhat.com> wrote:

> Allocate panel via reference counting.
> Add _get() and _put() helper functions
> to ensure panel allocations are refcounted.
> Avoid use after free by ensuring panel is
> valid and can be usable till the last reference
> is put. This avoids use-after-free

"panel is valid and can be usable" is not totally correct. When there
are still references held, you ensure the panel struct is still
_allocated_, not necessarily valid and usable.

Minor nit: you are wrapping at less than 50 columns, which is a bit
tight. I think 75 is the expected value for wrapping.

> Signed-off-by: Anusha Srivatsa <asrivats@redhat.com>

[...]

> +/**
> + * drm_panel_get - Acquire a panel reference
> + * @panel: DRM panel
> + *
> + * This function increments the panel's refcount.
> + *
> + */

Not sure it's mandatory, but documenting the returned value is good
practice , e.g.:

 * Returns:
 * Pointer to @panel.

> +/**
> + * drm_panel_put - Release a panel reference
> + * @panel: DRM panel
> + *
> + * This function decrements the panel's reference count and frees the
> + * object if the reference count drops to zero.
> + */
> +struct drm_panel *drm_panel_put(struct drm_panel *panel)
> +{
> +	if (!panel)
> +		return panel;
> +
> +	kref_put(&panel->refcount, __drm_panel_free);
> +
> +	return panel;

While this is using the same structure as my bridge work, I now realize
the _put() should probably not return the panel (or bridge) pointer, it
should just be a void function. The reason is the pointer might have
been freed when _put() returns (depending on the refcount) so that
pointer value might be dangling and whoever calls _put() must not use
that pointer anymore.

Other get/put APIs do this, e.g. of_node_get/put().

So I'm going to change drm_bridge_put() to return void, unless there
are good reasons to keep it and that I'm missing.

> @@ -280,7 +291,10 @@ void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
>   * @member: the name of the &drm_panel within @type
>   * @funcs: callbacks for this panel
>   * @connector_type: connector type of the driver
> - * The returned refcount is initialised to 1
> + *
> + * The returned refcount is initialised to 1. This  reference will
> + * be automatically dropped via devm (by calling
> + * drm_bridge_put()) when @dev is removed.
          ^^^^^^
"panel". Same in a few other places in this patch. Please search in all
this series in case there are more. It's easy to forget about replacing
some of those in the comments. :)

Luca

Maxime Ripard March 26, 2025, 3:28 p.m. UTC | #3

On Tue, Mar 25, 2025 at 01:24:09PM -0400, Anusha Srivatsa wrote:
> Allocate panel via reference counting.
> Add _get() and _put() helper functions
> to ensure panel allocations are refcounted.
> Avoid use after free by ensuring panel is
> valid and can be usable till the last reference
> is put. This avoids use-after-free
> 
> Signed-off-by: Anusha Srivatsa <asrivats@redhat.com>
> ---
>  drivers/gpu/drm/drm_panel.c | 65 ++++++++++++++++++++++++++++++++++++++++++++-
>  include/drm/drm_panel.h     | 19 ++++++++++++-
>  2 files changed, 82 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
> index bdeab5710ee324dc1742fbc77582250960556308..079c3c666a2ddc99a0051d1a3c9ba65d986dd003 100644
> --- a/drivers/gpu/drm/drm_panel.c
> +++ b/drivers/gpu/drm/drm_panel.c
> @@ -355,24 +355,87 @@ struct drm_panel *of_drm_find_panel(const struct device_node *np)
>  }
>  EXPORT_SYMBOL(of_drm_find_panel);
>  
> +static void __drm_panel_free(struct kref *kref)
> +{
> +	struct drm_panel *panel = container_of(kref, struct drm_panel, refcount);
> +
> +	kfree(panel->container);
> +}
> +
> +/**
> + * drm_panel_get - Acquire a panel reference
> + * @panel: DRM panel
> + *
> + * This function increments the panel's refcount.
> + *
> + */
> +struct drm_panel *drm_panel_get(struct drm_panel *panel)
> +{
> +	if (!panel)
> +		return panel;
> +
> +	kref_get(&panel->refcount);
> +
> +	return panel;
> +}

This should be exported

> +/**
> + * drm_panel_put - Release a panel reference
> + * @panel: DRM panel
> + *
> + * This function decrements the panel's reference count and frees the
> + * object if the reference count drops to zero.
> + */
> +struct drm_panel *drm_panel_put(struct drm_panel *panel)
> +{
> +	if (!panel)
> +		return panel;
> +
> +	kref_put(&panel->refcount, __drm_panel_free);
> +
> +	return panel;
> +}

Ditto,

> +/**
> + * drm_bridge_put_void - wrapper to drm_bridge_put() taking a void pointer
> + *
> + * @data: pointer to @struct drm_bridge, cast to a void pointer
> + *
> + * Wrapper of drm_bridge_put() to be used when a function taking a void
> + * pointer is needed, for example as a devm action.
> + */
> +static void drm_panel_put_void(void *data)
> +{
> +	struct drm_panel *panel = (struct drm_panel *)data;
> +
> +	drm_panel_put(panel);
> +}

You can drop the documentation on that one.

Looks good otherwise,
Maxime

Maxime Ripard March 26, 2025, 3:30 p.m. UTC | #4

On Wed, Mar 26, 2025 at 10:23:04AM +0100, Luca Ceresoli wrote:
> On Tue, 25 Mar 2025 13:24:09 -0400
> Anusha Srivatsa <asrivats@redhat.com> wrote:
> 
> > Allocate panel via reference counting.
> > Add _get() and _put() helper functions
> > to ensure panel allocations are refcounted.
> > Avoid use after free by ensuring panel is
> > valid and can be usable till the last reference
> > is put. This avoids use-after-free
> 
> "panel is valid and can be usable" is not totally correct. When there
> are still references held, you ensure the panel struct is still
> _allocated_, not necessarily valid and usable.

I guess "panel pointer is valid" is a better wording indeed.

> > +/**
> > + * drm_panel_put - Release a panel reference
> > + * @panel: DRM panel
> > + *
> > + * This function decrements the panel's reference count and frees the
> > + * object if the reference count drops to zero.
> > + */
> > +struct drm_panel *drm_panel_put(struct drm_panel *panel)
> > +{
> > +	if (!panel)
> > +		return panel;
> > +
> > +	kref_put(&panel->refcount, __drm_panel_free);
> > +
> > +	return panel;
> 
> While this is using the same structure as my bridge work, I now realize
> the _put() should probably not return the panel (or bridge) pointer, it
> should just be a void function. The reason is the pointer might have
> been freed when _put() returns (depending on the refcount) so that
> pointer value might be dangling and whoever calls _put() must not use
> that pointer anymore.
> 
> Other get/put APIs do this, e.g. of_node_get/put().
> 
> So I'm going to change drm_bridge_put() to return void, unless there
> are good reasons to keep it and that I'm missing.

Oh, right, definitely.

Maxime

diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
index bdeab5710ee324dc1742fbc77582250960556308..079c3c666a2ddc99a0051d1a3c9ba65d986dd003 100644
--- a/drivers/gpu/drm/drm_panel.c
+++ b/drivers/gpu/drm/drm_panel.c
@@ -355,24 +355,87 @@  struct drm_panel *of_drm_find_panel(const struct device_node *np)
 }
 EXPORT_SYMBOL(of_drm_find_panel);
 
+static void __drm_panel_free(struct kref *kref)
+{
+	struct drm_panel *panel = container_of(kref, struct drm_panel, refcount);
+
+	kfree(panel->container);
+}
+
+/**
+ * drm_panel_get - Acquire a panel reference
+ * @panel: DRM panel
+ *
+ * This function increments the panel's refcount.
+ *
+ */
+struct drm_panel *drm_panel_get(struct drm_panel *panel)
+{
+	if (!panel)
+		return panel;
+
+	kref_get(&panel->refcount);
+
+	return panel;
+}
+
+/**
+ * drm_panel_put - Release a panel reference
+ * @panel: DRM panel
+ *
+ * This function decrements the panel's reference count and frees the
+ * object if the reference count drops to zero.
+ */
+struct drm_panel *drm_panel_put(struct drm_panel *panel)
+{
+	if (!panel)
+		return panel;
+
+	kref_put(&panel->refcount, __drm_panel_free);
+
+	return panel;
+}
+
+/**
+ * drm_bridge_put_void - wrapper to drm_bridge_put() taking a void pointer
+ *
+ * @data: pointer to @struct drm_bridge, cast to a void pointer
+ *
+ * Wrapper of drm_bridge_put() to be used when a function taking a void
+ * pointer is needed, for example as a devm action.
+ */
+static void drm_panel_put_void(void *data)
+{
+	struct drm_panel *panel = (struct drm_panel *)data;
+
+	drm_panel_put(panel);
+}
+
 void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
 			     const struct drm_panel_funcs *funcs,
 			     int connector_type)
 {
 	void *container;
 	struct drm_panel *panel;
+	int err;
 
 	if (!funcs) {
 		dev_warn(dev, "Missing funcs pointer\n");
 		return ERR_PTR(-EINVAL);
 	}
 
-	container = devm_kzalloc(dev, size, GFP_KERNEL);
+	container = kzalloc(size, GFP_KERNEL);
 	if (!container)
 		return ERR_PTR(-ENOMEM);
 
 	panel = container + offset;
+	panel->container = container;
 	panel->funcs = funcs;
+	kref_init(&panel->refcount);
+
+	err = devm_add_action_or_reset(dev, drm_panel_put_void, panel);
+	if (err)
+		return ERR_PTR(err);
 
 	drm_panel_init(panel, dev, funcs, connector_type);
 
diff --git a/include/drm/drm_panel.h b/include/drm/drm_panel.h
index 63fb1dbe15a0556e7484bc18737a6b1f4c208b0c..af81d596f385567a12cf9e08dff9443ce4d97ec0 100644
--- a/include/drm/drm_panel.h
+++ b/include/drm/drm_panel.h
@@ -267,6 +267,17 @@  struct drm_panel {
 	 * If true then the panel has been enabled.
 	 */
 	bool enabled;
+
+	/**
+	 * @container: Pointer to the private driver struct embedding this
+	 * @struct drm_panel.
+	 */
+	void *container;
+
+	/**
+	 * @refcount: reference count of users referencing this bridge.
+	 */
+	struct kref refcount;
 };
 
 void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
@@ -280,7 +291,10 @@  void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
  * @member: the name of the &drm_panel within @type
  * @funcs: callbacks for this panel
  * @connector_type: connector type of the driver
- * The returned refcount is initialised to 1
+ *
+ * The returned refcount is initialised to 1. This  reference will
+ * be automatically dropped via devm (by calling
+ * drm_bridge_put()) when @dev is removed.
  *
  * Returns:
  * Pointer to new panel, or ERR_PTR on failure.
@@ -294,6 +308,9 @@  void drm_panel_init(struct drm_panel *panel, struct device *dev,
 		    const struct drm_panel_funcs *funcs,
 		    int connector_type);
 
+struct drm_panel *drm_panel_get(struct drm_panel *panel);
+struct drm_panel *drm_panel_put(struct drm_panel *panel);
+
 void drm_panel_add(struct drm_panel *panel);
 void drm_panel_remove(struct drm_panel *panel);

[2/5] drm/panel: Add refcount support

Commit Message

Comments

Patch