| Message ID | 20250402083628.20111-3-angelogioacchino.delregno@collabora.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | drm/mediatek: Cleanups and sanitization | expand |
On Wed, Apr 2, 2025 at 4:36 PM AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> wrote: > > In function mtk_drm_get_all_priv(), this driver is incrementing ^ mtk_drm_get_all_drm_priv() > the refcount for the sub-drivers of mediatek-drm with a call to > device_find_child() when taking a reference to all of those child > devices. Looking closer, that function is also missing a platform_device_put() to match of_find_device_by_node(). > When the component bind fails multiple times this results in a > refcount_t overflow, as the reference count is never decremented: > fix that by adding a call to put_device() for all of the mmsys > devices in a loop, in error cases of mtk_drm_bind() and in the > mtk_drm_unbind() callback. > > Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") > Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Reviewed-by: Chen-Yu Tsai <wenst@chromium.org> > --- > drivers/gpu/drm/mediatek/mtk_drm_drv.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c > index a8fbccb50c74..6b31df587507 100644 > --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c > +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c > @@ -676,6 +676,10 @@ static int mtk_drm_bind(struct device *dev) > for (i = 0; i < private->data->mmsys_dev_num; i++) > private->all_drm_private[i]->drm = NULL; > err_put_dev: > + for (i = 0; i < private->data->mmsys_dev_num; i++) { > + /* For device_find_child in mtk_drm_get_all_priv() */ > + put_device(private->all_drm_private[i]->dev); > + } > put_device(private->mutex_dev); > return ret; > } > @@ -683,6 +687,7 @@ static int mtk_drm_bind(struct device *dev) > static void mtk_drm_unbind(struct device *dev) > { > struct mtk_drm_private *private = dev_get_drvdata(dev); > + int i; > > /* for multi mmsys dev, unregister drm dev in mmsys master */ > if (private->drm_master) { > @@ -690,6 +695,10 @@ static void mtk_drm_unbind(struct device *dev) > mtk_drm_kms_deinit(private->drm); > drm_dev_put(private->drm); > > + for (i = 0; i < private->data->mmsys_dev_num; i++) { Just FYI you can also declare the int within the for statement. ChenYu > + /* For device_find_child in mtk_drm_get_all_priv() */ > + put_device(private->all_drm_private[i]->dev); > + } > put_device(private->mutex_dev); > } > private->mtk_drm_bound = false; > -- > 2.48.1 >
diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index a8fbccb50c74..6b31df587507 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -676,6 +676,10 @@ static int mtk_drm_bind(struct device *dev) for (i = 0; i < private->data->mmsys_dev_num; i++) private->all_drm_private[i]->drm = NULL; err_put_dev: + for (i = 0; i < private->data->mmsys_dev_num; i++) { + /* For device_find_child in mtk_drm_get_all_priv() */ + put_device(private->all_drm_private[i]->dev); + } put_device(private->mutex_dev); return ret; } @@ -683,6 +687,7 @@ static int mtk_drm_bind(struct device *dev) static void mtk_drm_unbind(struct device *dev) { struct mtk_drm_private *private = dev_get_drvdata(dev); + int i; /* for multi mmsys dev, unregister drm dev in mmsys master */ if (private->drm_master) { @@ -690,6 +695,10 @@ static void mtk_drm_unbind(struct device *dev) mtk_drm_kms_deinit(private->drm); drm_dev_put(private->drm); + for (i = 0; i < private->data->mmsys_dev_num; i++) { + /* For device_find_child in mtk_drm_get_all_priv() */ + put_device(private->all_drm_private[i]->dev); + } put_device(private->mutex_dev); } private->mtk_drm_bound = false;
In function mtk_drm_get_all_priv(), this driver is incrementing the refcount for the sub-drivers of mediatek-drm with a call to device_find_child() when taking a reference to all of those child devices. When the component bind fails multiple times this results in a refcount_t overflow, as the reference count is never decremented: fix that by adding a call to put_device() for all of the mmsys devices in a loop, in error cases of mtk_drm_bind() and in the mtk_drm_unbind() callback. Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 9 +++++++++ 1 file changed, 9 insertions(+)