Re: [PATCH v5 1/8] drm/msm/dpu: don't mix devm and drmm functions
From: John Harrison
Date: Tue May 05 2026 - 14:41:22 EST
On 5/4/26 17:24, Dmitry Baryshkov wrote:
Mixing devm and drmm functions will result in a use-after-free on msm
driver teardown if userspace keeps a reference on the drm device:
The WB connector data will be destroyed because of the use of
devm_kzalloc()), while the usersoace still can try interacting with the
extra ) on devm_kzalloc())
typo: userspace
Otherwise the description looks good to me and the two typos can be fixed when merging, so:
Reviewed-by: John.Harrison@xxxxxxxxxx
But should wait for at least an ack from Laurent as the person originally requesting an extended description.
John.
WB connector (which uses drmm_ functions).
Change dpu_writeback_init() to use drmm_.
Fixes: 0b37ac63fc9d ("drm/msm/dpu: use drmm_writeback_connector_init()")
Reported-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
Closes: https://lore.kernel.org/r/78c764b8-44cf-4db5-88e7-807a85954518@xxxxxxxxxx
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxxxxxxxx>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
index 7545c0293efb..6f2370c9dd98 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
@@ -5,6 +5,7 @@
#include <drm/drm_edid.h>
#include <drm/drm_framebuffer.h>
+#include <drm/drm_managed.h>
#include "dpu_writeback.h"
@@ -125,7 +126,7 @@ int dpu_writeback_init(struct drm_device *dev, struct drm_encoder *enc,
struct dpu_wb_connector *dpu_wb_conn;
int rc = 0;
- dpu_wb_conn = devm_kzalloc(dev->dev, sizeof(*dpu_wb_conn), GFP_KERNEL);
+ dpu_wb_conn = drmm_kzalloc(dev, sizeof(*dpu_wb_conn), GFP_KERNEL);
if (!dpu_wb_conn)
return -ENOMEM;
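Review bot: At the drmm_kzalloc() call in dpu_writeback_init(), the reason the allocation has to be DRM-managed is recorded only in the commit message. A one-line comment above the call, saying that the connector data must live as long as the drm_device because userspace can still hold a reference after the platform device is gone, would keep a later cleanup from converting it back to devm_kzalloc(dev->dev, ...). The rest of the function is outside this hunk, so it is also worth confirming that nothing later in it registers a devm_ action on dpu_wb_conn or frees it by hand, since either would bring back the mismatched lifetime.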