lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250313-feathered-peach-okapi-b32f9d@houat>
Date: Thu, 13 Mar 2025 15:42:15 +0100
From: Maxime Ripard <mripard@...nel.org>
To: Anusha Srivatsa <asrivats@...hat.com>
Cc: Neil Armstrong <neil.armstrong@...aro.org>, 
	Jessica Zhang <quic_jesszhan@...cinc.com>, Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, 
	Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, 
	Simona Vetter <simona@...ll.ch>, Luca Ceresoli <luca.ceresoli@...tlin.com>, 
	dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC 1/2] drm/panel: Add new helpers for refcounted panel
 allocatons

Hi Anusha,

In addition to the feedback Luca already provided, I have a few comments

On Wed, Mar 12, 2025 at 08:54:42PM -0400, Anusha Srivatsa wrote:
> Introduce reference counted allocations for panels to avoid
> use-after-free. The patch adds the macro devm_drm_bridge_alloc()
> to allocate a new refcounted panel. Followed the documentation for
> drmm_encoder_alloc() and devm_drm_dev_alloc and other similar
> implementations for this purpose.
> 
> Also adding drm_panel_get() and drm_panel_put() to suitably
> increment and decrement the refcount
> 
> Signed-off-by: Anusha Srivatsa <asrivats@...hat.com>
> ---
>  drivers/gpu/drm/drm_panel.c | 50 ++++++++++++++++++++++++++++++++++++++
>  include/drm/drm_panel.h     | 58 +++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 108 insertions(+)
> 
> diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
> index c627e42a7ce70459f50eb5095fffc806ca45dabf..b55e380e4a2f7ffd940c207e841c197d85113907 100644
> --- a/drivers/gpu/drm/drm_panel.c
> +++ b/drivers/gpu/drm/drm_panel.c
> @@ -79,6 +79,7 @@ EXPORT_SYMBOL(drm_panel_init);
>   */
>  void drm_panel_add(struct drm_panel *panel)
>  {
> +	drm_panel_get(panel);
>  	mutex_lock(&panel_lock);
>  	list_add_tail(&panel->list, &panel_list);
>  	mutex_unlock(&panel_lock);
> @@ -96,6 +97,7 @@ void drm_panel_remove(struct drm_panel *panel)
>  	mutex_lock(&panel_lock);
>  	list_del_init(&panel->list);
>  	mutex_unlock(&panel_lock);
> +	drm_panel_put(panel);
>  }
>  EXPORT_SYMBOL(drm_panel_remove);

I think these two should be added as a separate patch, with some
additional comment on why it's needed (because we store a pointer in the
panel list).

>  
> @@ -355,6 +357,54 @@ struct drm_panel *of_drm_find_panel(const struct device_node *np)
>  }
>  EXPORT_SYMBOL(of_drm_find_panel);
>  
> +/* Internal function (for refcounted panels) */
> +void __drm_panel_free(struct kref *kref)
> +{
> +	struct drm_panel *panel = container_of(kref, struct drm_panel, refcount);
> +	void *container = ((void *)panel) - panel->container_offset;
> +
> +	kfree(container);
> +}
> +EXPORT_SYMBOL(__drm_panel_free);
> +
> +static void drm_panel_put_void(void *data)
> +{
> +	struct drm_panel *panel = (struct drm_panel *)data;
> +
> +	drm_panel_put(panel);
> +}
> +
> +void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
> +			     const struct drm_panel_funcs *funcs)
> +{
> +	void *container;
> +	struct drm_panel *panel;
> +	int err;
> +
> +	if (!funcs) {
> +		dev_warn(dev, "Missing funcs pointer\n");
> +		return ERR_PTR(-EINVAL);
> +	}
> +
> +	container = kzalloc(size, GFP_KERNEL);
> +	if (!container)
> +		return ERR_PTR(-ENOMEM);
> +
> +	panel = container + offset;
> +	panel->container_offset = offset;
> +	panel->funcs = funcs;
> +	kref_init(&panel->refcount);
> +
> +	err = devm_add_action_or_reset(dev, drm_panel_put_void, panel);
> +	if (err)
> +		return ERR_PTR(err);
> +
> +	drm_panel_init(panel, dev, funcs, panel->connector_type);
> +
> +	return container;
> +}
> +EXPORT_SYMBOL(__devm_drm_panel_alloc);

Similarly, here, I think we'd need to split that some more. Ideally, we
should have a series of patches doing

1: Adding that allocation function you have right now, but using
   devm_kzalloc

2: Adding the reference counting to drm_panel, with drm_panel_get /
   drm_panel_put and the devm_action to put the reference in
   __devm_drm_panel_alloc()

3: Adding X patches to add calls to drm_bridge_get/drm_bridge_put
   everywhere it's needed, starting indeed by
   drm_panel_add/drm_panel_put. We don't have to do all of them in that
   series though. of_drm_find_panel though will probably merit a series
   of its own, given we'd have to fix all its callers too.

4: Convert some panels to the new allocation function. You already did
   that with panel_simple so there's nothing to change yet, but once we
   agree on the API we should mass convert all the panels.

Maxime

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ