Message ID | 20240217150228.5788-3-johan+linaro@kernel.org |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free | expand |
On Sat, Feb 17, 2024 at 04:02:24PM +0100, Johan Hovold wrote: > diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c [..] > +/** > + * devm_drm_dp_hpd_bridge_add - register a HDP DisplayPort bridge kernel-doc wants () after function names. > + * @dev: struct device to tie registration lifetime to > + * @adev: bridge auxiliary device to be registered > + * > + * Returns: zero on success or a negative errno and "Return:" without the 's'. This could however be done in a separate patch, as the file is already wrong in this regard. Reviewed-by: Bjorn Andersson <andersson@kernel.org> Regards, Bjorn
On Wed, Feb 21, 2024 at 08:06:41PM -0600, Bjorn Andersson wrote: > On Sat, Feb 17, 2024 at 04:02:24PM +0100, Johan Hovold wrote: > > diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c > [..] > > +/** > > + * devm_drm_dp_hpd_bridge_add - register a HDP DisplayPort bridge > > kernel-doc wants () after function names. I don't think that's required for the symbol name here even if some subsystems (drivers) use it. > > + * @dev: struct device to tie registration lifetime to > > + * @adev: bridge auxiliary device to be registered > > + * > > + * Returns: zero on success or a negative errno > > and "Return:" without the 's'. This was a mistake however. Perhaps whoever applies this can drop it, or I can send a v2. Side note: Looks like there are more instances with an 's' than without under driver/gpu/drm... > This could however be done in a separate patch, as the file is already > wrong in this regard. > > Reviewed-by: Bjorn Andersson <andersson@kernel.org> Thanks for reviewing. Johan
On Sat, 17 Feb 2024 at 17:03, Johan Hovold <johan+linaro@kernel.org> wrote: > > Combining allocation and registration is an anti-pattern that should be > avoided. Add two new functions for allocating and registering an dp-hpd > bridge with a proper 'devm' prefix so that it is clear that these are > device managed interfaces. > > devm_drm_dp_hpd_bridge_alloc() > devm_drm_dp_hpd_bridge_add() > > The new interface will be used to fix a use-after-free bug in the > Qualcomm PMIC GLINK driver and may prevent similar issues from being > introduced elsewhere. > > The existing drm_dp_hpd_bridge_register() is reimplemented using the > above and left in place for now. > > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Minor nit below. > --- > drivers/gpu/drm/bridge/aux-hpd-bridge.c | 67 +++++++++++++++++++------ > include/drm/bridge/aux-bridge.h | 15 ++++++ > 2 files changed, 67 insertions(+), 15 deletions(-) > > diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c > index 9e71daf95bde..6886db2d9e00 100644 > --- a/drivers/gpu/drm/bridge/aux-hpd-bridge.c > +++ b/drivers/gpu/drm/bridge/aux-hpd-bridge.c > @@ -30,16 +30,13 @@ static void drm_aux_hpd_bridge_release(struct device *dev) > kfree(adev); > } > > -static void drm_aux_hpd_bridge_unregister_adev(void *_adev) > +static void drm_aux_hpd_bridge_free_adev(void *_adev) > { > - struct auxiliary_device *adev = _adev; > - > - auxiliary_device_delete(adev); > - auxiliary_device_uninit(adev); > + auxiliary_device_uninit(_adev); > } > > /** > - * drm_dp_hpd_bridge_register - Create a simple HPD DisplayPort bridge > + * devm_drm_dp_hpd_bridge_alloc - allocate a HPD DisplayPort bridge > * @parent: device instance providing this bridge > * @np: device node pointer corresponding to this bridge instance > * > @@ -47,11 +44,9 @@ static void drm_aux_hpd_bridge_unregister_adev(void *_adev) > * DRM_MODE_CONNECTOR_DisplayPort, which terminates the bridge chain and is > * able to send the HPD events. > * > - * Return: device instance that will handle created bridge or an error code > - * encoded into the pointer. > + * Return: bridge auxiliary device pointer or an error pointer > */ > -struct device *drm_dp_hpd_bridge_register(struct device *parent, > - struct device_node *np) > +struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, struct device_node *np) > { > struct auxiliary_device *adev; > int ret; > @@ -82,13 +77,55 @@ struct device *drm_dp_hpd_bridge_register(struct device *parent, > return ERR_PTR(ret); > } > > - ret = auxiliary_device_add(adev); > - if (ret) { > - auxiliary_device_uninit(adev); > + ret = devm_add_action_or_reset(parent, drm_aux_hpd_bridge_free_adev, adev); > + if (ret) > return ERR_PTR(ret); > - } > > - ret = devm_add_action_or_reset(parent, drm_aux_hpd_bridge_unregister_adev, adev); > + return adev; > +} > +EXPORT_SYMBOL_GPL(devm_drm_dp_hpd_bridge_alloc); > + > +static void drm_aux_hpd_bridge_del_adev(void *_adev) > +{ > + auxiliary_device_delete(_adev); > +} > + > +/** > + * devm_drm_dp_hpd_bridge_add - register a HDP DisplayPort bridge > + * @dev: struct device to tie registration lifetime to > + * @adev: bridge auxiliary device to be registered > + * > + * Returns: zero on success or a negative errno > + */ > +int devm_drm_dp_hpd_bridge_add(struct device *dev, struct auxiliary_device *adev) > +{ > + int ret; > + > + ret = auxiliary_device_add(adev); > + if (ret) > + return ret; > + > + return devm_add_action_or_reset(dev, drm_aux_hpd_bridge_del_adev, adev); > +} > +EXPORT_SYMBOL_GPL(devm_drm_dp_hpd_bridge_add); > + > +/** > + * drm_dp_hpd_bridge_register - allocate and register a HDP DisplayPort bridge > + * @parent: device instance providing this bridge > + * @np: device node pointer corresponding to this bridge instance > + * > + * Return: device instance that will handle created bridge or an error pointer > + */ > +struct device *drm_dp_hpd_bridge_register(struct device *parent, struct device_node *np) > +{ > + struct auxiliary_device *adev; > + int ret; > + > + adev = devm_drm_dp_hpd_bridge_alloc(parent, np); > + if (IS_ERR(adev)) > + return ERR_CAST(adev); > + > + ret = devm_drm_dp_hpd_bridge_add(parent, adev); > if (ret) > return ERR_PTR(ret); > > diff --git a/include/drm/bridge/aux-bridge.h b/include/drm/bridge/aux-bridge.h > index c4c423e97f06..4453906105ca 100644 > --- a/include/drm/bridge/aux-bridge.h > +++ b/include/drm/bridge/aux-bridge.h > @@ -9,6 +9,8 @@ > > #include <drm/drm_connector.h> > > +struct auxiliary_device; > + > #if IS_ENABLED(CONFIG_DRM_AUX_BRIDGE) > int drm_aux_bridge_register(struct device *parent); > #else > @@ -19,10 +21,23 @@ static inline int drm_aux_bridge_register(struct device *parent) > #endif > > #if IS_ENABLED(CONFIG_DRM_AUX_HPD_BRIDGE) > +struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, struct device_node *np); > +int devm_drm_dp_hpd_bridge_add(struct device *dev, struct auxiliary_device *adev); I had a pretty close idea during prototyping, but I ended up doing it as a single function for the following reasons: First, this exports the implementation detail that internally the code uses an aux device. Also, by exporting the aux device the code becomes less type-safe. By mistake one can call devm_drm_dp_hpd_bridge_add() on any aux device, which is not necessarily the HPD bridge. I'd prefer to see an opaque device-specific structure instead. WDYT? > struct device *drm_dp_hpd_bridge_register(struct device *parent, > struct device_node *np); > void drm_aux_hpd_bridge_notify(struct device *dev, enum drm_connector_status status); > #else > +static inline struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, > + struct device_node *np) > +{ > + return NULL; > +} > + > +static inline int devm_drm_dp_hpd_bridge_add(struct auxiliary_device *adev) > +{ > + return 0; > +} > + > static inline struct device *drm_dp_hpd_bridge_register(struct device *parent, > struct device_node *np) > { > -- > 2.43.0 >
On Thu, Feb 22, 2024 at 10:57:07PM +0200, Dmitry Baryshkov wrote: > On Sat, 17 Feb 2024 at 17:03, Johan Hovold <johan+linaro@kernel.org> wrote: > > > > Combining allocation and registration is an anti-pattern that should be > > avoided. Add two new functions for allocating and registering an dp-hpd > > bridge with a proper 'devm' prefix so that it is clear that these are > > device managed interfaces. > > > > devm_drm_dp_hpd_bridge_alloc() > > devm_drm_dp_hpd_bridge_add() > > > > The new interface will be used to fix a use-after-free bug in the > > Qualcomm PMIC GLINK driver and may prevent similar issues from being > > introduced elsewhere. > > > > The existing drm_dp_hpd_bridge_register() is reimplemented using the > > above and left in place for now. > > > > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > > Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Thanks for reviewing. > Minor nit below. > > diff --git a/include/drm/bridge/aux-bridge.h b/include/drm/bridge/aux-bridge.h > > index c4c423e97f06..4453906105ca 100644 > > --- a/include/drm/bridge/aux-bridge.h > > +++ b/include/drm/bridge/aux-bridge.h > > @@ -9,6 +9,8 @@ > > > > #include <drm/drm_connector.h> > > > > +struct auxiliary_device; > > + > > #if IS_ENABLED(CONFIG_DRM_AUX_BRIDGE) > > int drm_aux_bridge_register(struct device *parent); > > #else > > @@ -19,10 +21,23 @@ static inline int drm_aux_bridge_register(struct device *parent) > > #endif > > > > #if IS_ENABLED(CONFIG_DRM_AUX_HPD_BRIDGE) > > +struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, struct device_node *np); > > +int devm_drm_dp_hpd_bridge_add(struct device *dev, struct auxiliary_device *adev); > > I had a pretty close idea during prototyping, but I ended up doing it > as a single function for the following reasons: > > First, this exports the implementation detail that internally the code > uses an aux device. That's not an issue. The opposite, with interfaces trying to do too much and hide details from the developers so that they can no longer reason about what is going on, is a real problem though. > Also, by exporting the aux device the code becomes less type-safe. By > mistake one can call devm_drm_dp_hpd_bridge_add() on any aux device, > which is not necessarily the HPD bridge. No. First, that is currently not even an issue either as the registration interface is safe to use with any aux device. Second, if you cared about about type-safety you wouldn't have used a struct device pointer for drm_aux_hpd_bridge_notify() which you back cast to an aux device. > I'd prefer to see an opaque device-specific structure instead. WDYT? That should have been there from the start. But I'm not interested in cleaning up this mess beyond what is minimally required to fix the regressions it caused. This can be reworked for 6.9 or later. > > struct device *drm_dp_hpd_bridge_register(struct device *parent, > > struct device_node *np); > > void drm_aux_hpd_bridge_notify(struct device *dev, enum drm_connector_status status); Johan
diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c index 9e71daf95bde..6886db2d9e00 100644 --- a/drivers/gpu/drm/bridge/aux-hpd-bridge.c +++ b/drivers/gpu/drm/bridge/aux-hpd-bridge.c @@ -30,16 +30,13 @@ static void drm_aux_hpd_bridge_release(struct device *dev) kfree(adev); } -static void drm_aux_hpd_bridge_unregister_adev(void *_adev) +static void drm_aux_hpd_bridge_free_adev(void *_adev) { - struct auxiliary_device *adev = _adev; - - auxiliary_device_delete(adev); - auxiliary_device_uninit(adev); + auxiliary_device_uninit(_adev); } /** - * drm_dp_hpd_bridge_register - Create a simple HPD DisplayPort bridge + * devm_drm_dp_hpd_bridge_alloc - allocate a HPD DisplayPort bridge * @parent: device instance providing this bridge * @np: device node pointer corresponding to this bridge instance * @@ -47,11 +44,9 @@ static void drm_aux_hpd_bridge_unregister_adev(void *_adev) * DRM_MODE_CONNECTOR_DisplayPort, which terminates the bridge chain and is * able to send the HPD events. * - * Return: device instance that will handle created bridge or an error code - * encoded into the pointer. + * Return: bridge auxiliary device pointer or an error pointer */ -struct device *drm_dp_hpd_bridge_register(struct device *parent, - struct device_node *np) +struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, struct device_node *np) { struct auxiliary_device *adev; int ret; @@ -82,13 +77,55 @@ struct device *drm_dp_hpd_bridge_register(struct device *parent, return ERR_PTR(ret); } - ret = auxiliary_device_add(adev); - if (ret) { - auxiliary_device_uninit(adev); + ret = devm_add_action_or_reset(parent, drm_aux_hpd_bridge_free_adev, adev); + if (ret) return ERR_PTR(ret); - } - ret = devm_add_action_or_reset(parent, drm_aux_hpd_bridge_unregister_adev, adev); + return adev; +} +EXPORT_SYMBOL_GPL(devm_drm_dp_hpd_bridge_alloc); + +static void drm_aux_hpd_bridge_del_adev(void *_adev) +{ + auxiliary_device_delete(_adev); +} + +/** + * devm_drm_dp_hpd_bridge_add - register a HDP DisplayPort bridge + * @dev: struct device to tie registration lifetime to + * @adev: bridge auxiliary device to be registered + * + * Returns: zero on success or a negative errno + */ +int devm_drm_dp_hpd_bridge_add(struct device *dev, struct auxiliary_device *adev) +{ + int ret; + + ret = auxiliary_device_add(adev); + if (ret) + return ret; + + return devm_add_action_or_reset(dev, drm_aux_hpd_bridge_del_adev, adev); +} +EXPORT_SYMBOL_GPL(devm_drm_dp_hpd_bridge_add); + +/** + * drm_dp_hpd_bridge_register - allocate and register a HDP DisplayPort bridge + * @parent: device instance providing this bridge + * @np: device node pointer corresponding to this bridge instance + * + * Return: device instance that will handle created bridge or an error pointer + */ +struct device *drm_dp_hpd_bridge_register(struct device *parent, struct device_node *np) +{ + struct auxiliary_device *adev; + int ret; + + adev = devm_drm_dp_hpd_bridge_alloc(parent, np); + if (IS_ERR(adev)) + return ERR_CAST(adev); + + ret = devm_drm_dp_hpd_bridge_add(parent, adev); if (ret) return ERR_PTR(ret); diff --git a/include/drm/bridge/aux-bridge.h b/include/drm/bridge/aux-bridge.h index c4c423e97f06..4453906105ca 100644 --- a/include/drm/bridge/aux-bridge.h +++ b/include/drm/bridge/aux-bridge.h @@ -9,6 +9,8 @@ #include <drm/drm_connector.h> +struct auxiliary_device; + #if IS_ENABLED(CONFIG_DRM_AUX_BRIDGE) int drm_aux_bridge_register(struct device *parent); #else @@ -19,10 +21,23 @@ static inline int drm_aux_bridge_register(struct device *parent) #endif #if IS_ENABLED(CONFIG_DRM_AUX_HPD_BRIDGE) +struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, struct device_node *np); +int devm_drm_dp_hpd_bridge_add(struct device *dev, struct auxiliary_device *adev); struct device *drm_dp_hpd_bridge_register(struct device *parent, struct device_node *np); void drm_aux_hpd_bridge_notify(struct device *dev, enum drm_connector_status status); #else +static inline struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, + struct device_node *np) +{ + return NULL; +} + +static inline int devm_drm_dp_hpd_bridge_add(struct auxiliary_device *adev) +{ + return 0; +} + static inline struct device *drm_dp_hpd_bridge_register(struct device *parent, struct device_node *np) {
Combining allocation and registration is an anti-pattern that should be avoided. Add two new functions for allocating and registering an dp-hpd bridge with a proper 'devm' prefix so that it is clear that these are device managed interfaces. devm_drm_dp_hpd_bridge_alloc() devm_drm_dp_hpd_bridge_add() The new interface will be used to fix a use-after-free bug in the Qualcomm PMIC GLINK driver and may prevent similar issues from being introduced elsewhere. The existing drm_dp_hpd_bridge_register() is reimplemented using the above and left in place for now. Signed-off-by: Johan Hovold <johan+linaro@kernel.org> --- drivers/gpu/drm/bridge/aux-hpd-bridge.c | 67 +++++++++++++++++++------ include/drm/bridge/aux-bridge.h | 15 ++++++ 2 files changed, 67 insertions(+), 15 deletions(-)