Re: [PATCH 2/5] drm/panel: Add refcount support

From: Luca Ceresoli
Date: Wed Mar 26 2025 - 05:25:30 EST

Next message: Hans de Goede: "Re: [PATCH] Added support for a some new buttons in ideapad-laptop driver"
Previous message: Guo Ren: "Re: [RFC PATCH V3 25/43] rv64ilp32_abi: exec: Adapt 64lp64 env and argv"
In reply to: kernel test robot: "Re: [PATCH 2/5] drm/panel: Add refcount support"
Next in thread: Maxime Ripard: "Re: [PATCH 2/5] drm/panel: Add refcount support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 25 Mar 2025 13:24:09 -0400
Anusha Srivatsa <asrivats@xxxxxxxxxx> wrote:

> Allocate panel via reference counting.
> Add _get() and _put() helper functions
> to ensure panel allocations are refcounted.
> Avoid use after free by ensuring panel is
> valid and can be usable till the last reference
> is put. This avoids use-after-free

"panel is valid and can be usable" is not totally correct. When there
are still references held, you ensure the panel struct is still
_allocated_, not necessarily valid and usable.

Minor nit: you are wrapping at less than 50 columns, which is a bit
tight. I think 75 is the expected value for wrapping.

> Signed-off-by: Anusha Srivatsa <asrivats@xxxxxxxxxx>

[...]

> +/**
> + * drm_panel_get - Acquire a panel reference
> + * @panel: DRM panel
> + *
> + * This function increments the panel's refcount.
> + *
> + */

Not sure it's mandatory, but documenting the returned value is good
practice , e.g.:

* Returns:
* Pointer to @panel.

> +/**
> + * drm_panel_put - Release a panel reference
> + * @panel: DRM panel
> + *
> + * This function decrements the panel's reference count and frees the
> + * object if the reference count drops to zero.
> + */
> +struct drm_panel *drm_panel_put(struct drm_panel *panel)
> +{
> + if (!panel)
> + return panel;
> +
> + kref_put(&panel->refcount, __drm_panel_free);
> +
> + return panel;

While this is using the same structure as my bridge work, I now realize
the _put() should probably not return the panel (or bridge) pointer, it
should just be a void function. The reason is the pointer might have
been freed when _put() returns (depending on the refcount) so that
pointer value might be dangling and whoever calls _put() must not use
that pointer anymore.

Other get/put APIs do this, e.g. of_node_get/put().

So I'm going to change drm_bridge_put() to return void, unless there
are good reasons to keep it and that I'm missing.

> @@ -280,7 +291,10 @@ void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
> * @member: the name of the &drm_panel within @type
> * @funcs: callbacks for this panel
> * @connector_type: connector type of the driver
> - * The returned refcount is initialised to 1
> + *
> + * The returned refcount is initialised to 1. This reference will
> + * be automatically dropped via devm (by calling
> + * drm_bridge_put()) when @dev is removed.
^^^^^^
"panel". Same in a few other places in this patch. Please search in all
this series in case there are more. It's easy to forget about replacing
some of those in the comments. :)

Luca

--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Next message: Hans de Goede: "Re: [PATCH] Added support for a some new buttons in ideapad-laptop driver"
Previous message: Guo Ren: "Re: [RFC PATCH V3 25/43] rv64ilp32_abi: exec: Adapt 64lp64 env and argv"
In reply to: kernel test robot: "Re: [PATCH 2/5] drm/panel: Add refcount support"
Next in thread: Maxime Ripard: "Re: [PATCH 2/5] drm/panel: Add refcount support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]