From: Jonas Karlman <jonas@kwiboo•se>
To: Andrzej Hajda <andrzej.hajda@intel•com>,
Neil Armstrong <neil.armstrong@linaro•org>,
Robert Foss <rfoss@kernel•org>, Heiko Stuebner <heiko@sntech•de>,
Laurent Pinchart <Laurent.pinchart@ideasonboard•com>,
Jonas Karlman <jonas@kwiboo•se>,
Jernej Skrabec <jernej.skrabec@gmail•com>,
Luca Ceresoli <luca.ceresoli@bootlin•com>,
Maarten Lankhorst <maarten.lankhorst@linux•intel.com>,
Maxime Ripard <mripard@kernel•org>,
Thomas Zimmermann <tzimmermann@suse•de>,
David Airlie <airlied@gmail•com>, Simona Vetter <simona@ffwll•ch>,
Russell King <rmk+kernel@armlinux•org.uk>,
Hans Verkuil <hverkuil@kernel•org>,
Archit Taneja <architt@codeaurora•org>
Cc: Liu Ying <victor.liu@nxp•com>, Sandy Huang <hjc@rock-chips•com>,
Andy Yan <andy.yan@rock-chips•com>,
Chen-Yu Tsai <wens@kernel•org>,
Christian Hewitt <christianshewitt@gmail•com>,
Diederik de Haas <diederik@cknow-tech•com>,
Nicolas Frattaroli <nicolas.frattaroli@collabora•com>,
Dmitry Baryshkov <dmitry.baryshkov@oss•qualcomm.com>,
dri-devel@lists•freedesktop.org,
linux-arm-kernel@lists•infradead.org,
linux-rockchip@lists•infradead.org,
linux-amlogic@lists•infradead.org, linux-sunxi@lists•linux.dev,
imx@lists•linux.dev, linux-kernel@vger•kernel.org
Subject: [PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
Date: Mon, 18 May 2026 18:01:39 +0000 [thread overview]
Message-ID: <20260518180206.2480119-4-jonas@kwiboo.se> (raw)
In-Reply-To: <20260518180206.2480119-1-jonas@kwiboo.se>
The interrupt allocated with devm_request_threaded_irq() can be
use-after-free when the devres release action try to free_irq().
KASAN report a slab-use-after-free in dw_hdmi_cec_hardirq during unbind:
Call trace:
[...]
dw_hdmi_cec_hardirq+0x4cc/0x560
free_irq+0x48c/0x7e4
devm_irq_release+0x54/0x90
dr_node_release+0x38/0x5c
release_nodes+0xac/0x130
devres_release_all+0xf4/0x1b0
device_unbind_cleanup+0x28/0x1f8
device_release_driver_internal+0x358/0x470
device_release_driver+0x18/0x24
bus_remove_device+0x33c/0x4f0
device_del+0x2d8/0x790
platform_device_del+0x34/0x1e0
platform_device_unregister+0x14/0x3c
dw_hdmi_remove+0x74/0x180
[...]
Freed by:
[...]
kfree+0x1dc/0x5dc
cec_delete_adapter+0xd4/0x118
cec_devnode_release+0xa4/0xe0
device_release+0xa0/0x200
kobject_put+0x14c/0x26c
put_device+0x14/0x30
cec_unregister_adapter+0x20c/0x280
dw_hdmi_cec_remove+0x8c/0xd0
[...]
Explicitly devm_free_irq() before the CEC adapter is unregistered to
fix this possible use-after-free issue.
Fixes: a616e63c56ef ("drm/bridge: dw-hdmi: add cec driver")
Signed-off-by: Jonas Karlman <jonas@kwiboo•se>
---
v7: New patch
KASAN report a slab-use-after-free in dw_hdmi_cec_hardirq when,
echo fe0a0000.hdmi > /sys/bus/platform/drivers/dwhdmi-rockchip/unbind
on a Rockchip RK3566 device prior to this fix.
---
drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
index 9549dabde941..67a2a242d3ca 100644
--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
@@ -309,6 +309,7 @@ static void dw_hdmi_cec_remove(struct platform_device *pdev)
struct dw_hdmi_cec *cec = platform_get_drvdata(pdev);
cec_notifier_cec_adap_unregister(cec->notify, cec->adap);
+ devm_free_irq(&pdev->dev, cec->irq, cec->adap);
cec_unregister_adapter(cec->adap);
}
--
2.54.0
next prev parent reply other threads:[~2026-05-18 18:02 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-18 18:01 [PATCH v7 00/23] drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 01/23] drm: bridge: dw_hdmi: Disable scrambler feature when not supported Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 02/23] drm: bridge: dw_hdmi: Only notify connected status on HPD interrupt Jonas Karlman
2026-05-18 18:01 ` Jonas Karlman [this message]
2026-05-19 6:21 ` [PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 04/23] drm: bridge: dw_hdmi: Hold bridge ref until connector cleanup Jonas Karlman
2026-05-19 12:06 ` Luca Ceresoli
2026-05-19 15:18 ` Jonas Karlman
2026-05-20 6:45 ` Luca Ceresoli
2026-05-20 9:38 ` Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 05/23] drm: bridge: dw_hdmi: Call poweron/poweroff from atomic enable/disable Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 06/23] drm: bridge: dw_hdmi: Use passed mode instead of stored previous_mode Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 07/23] drm: bridge: dw_hdmi: Fold poweron and setup functions Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 08/23] drm: bridge: dw_hdmi: Remove previous_mode and mode_set Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 09/23] drm: bridge: dw_hdmi: Unregister CEC notifier during connector cleanup Jonas Karlman
2026-05-19 6:22 ` Hans Verkuil
2026-05-19 12:06 ` Luca Ceresoli
2026-05-18 18:01 ` [PATCH v7 10/23] drm: bridge: dw_hdmi: Invalidate CEC phys addr from connector detect Jonas Karlman
2026-05-19 6:25 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 11/23] drm: bridge: dw_hdmi: Remove cec_notifier_mutex Jonas Karlman
2026-05-19 6:28 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 12/23] drm: bridge: dw_hdmi: Extract dw_hdmi_connector_status_update() Jonas Karlman
2026-05-19 6:26 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 13/23] drm: bridge: dw_hdmi: Use dw_hdmi_connector_status_update() Jonas Karlman
2026-05-19 6:29 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 14/23] drm: bridge: dw_hdmi: Use display_info is_hdmi and has_audio Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 15/23] drm: bridge: dw_hdmi: Use generic CEC notifier helpers Jonas Karlman
2026-05-19 6:32 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 16/23] drm: bridge: dw_hdmi: Update EDID and CEC phys addr in bridge detect() Jonas Karlman
2026-05-20 9:17 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 17/23] drm: bridge: dw_hdmi: Declare bridge CEC notifier support Jonas Karlman
2026-05-19 6:35 ` Hans Verkuil
2026-05-18 18:01 ` [PATCH v7 18/23] drm: bridge: dw_hdmi: Drop call to drm_bridge_hpd_notify() Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 19/23] drm: bridge: dw_hdmi: Use delayed_work to debounce hotplug event Jonas Karlman
2026-05-20 9:58 ` Neil Armstrong
2026-05-21 20:13 ` Jonas Karlman
2026-05-22 12:35 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 20/23] drm: bridge: dw_hdmi: Rework HDP and RXSENSE interrupt handling Jonas Karlman
2026-05-20 9:59 ` Neil Armstrong
2026-05-18 18:01 ` [PATCH v7 21/23] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_setup_rx_sense() Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 22/23] drm: bridge: dw_hdmi: Remove the empty dw_hdmi_phy_update_hpd() Jonas Karlman
2026-05-18 18:01 ` [PATCH v7 23/23] drm: bridge: dw_hdmi: Merge top and bottom half IRQ handlers Jonas Karlman
2026-05-21 9:14 ` [PATCH v7 00/23] drm: bridge: dw_hdmi: Misc enable/disable, CEC and EDID cleanup Heiko Stuebner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260518180206.2480119-4-jonas@kwiboo.se \
--to=jonas@kwiboo$(echo .)se \
--cc=Laurent.pinchart@ideasonboard$(echo .)com \
--cc=airlied@gmail$(echo .)com \
--cc=andrzej.hajda@intel$(echo .)com \
--cc=andy.yan@rock-chips$(echo .)com \
--cc=architt@codeaurora$(echo .)org \
--cc=christianshewitt@gmail$(echo .)com \
--cc=diederik@cknow-tech$(echo .)com \
--cc=dmitry.baryshkov@oss$(echo .)qualcomm.com \
--cc=dri-devel@lists$(echo .)freedesktop.org \
--cc=heiko@sntech$(echo .)de \
--cc=hjc@rock-chips$(echo .)com \
--cc=hverkuil@kernel$(echo .)org \
--cc=imx@lists$(echo .)linux.dev \
--cc=jernej.skrabec@gmail$(echo .)com \
--cc=linux-amlogic@lists$(echo .)infradead.org \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-rockchip@lists$(echo .)infradead.org \
--cc=linux-sunxi@lists$(echo .)linux.dev \
--cc=luca.ceresoli@bootlin$(echo .)com \
--cc=maarten.lankhorst@linux$(echo .)intel.com \
--cc=mripard@kernel$(echo .)org \
--cc=neil.armstrong@linaro$(echo .)org \
--cc=nicolas.frattaroli@collabora$(echo .)com \
--cc=rfoss@kernel$(echo .)org \
--cc=rmk+kernel@armlinux$(echo .)org.uk \
--cc=simona@ffwll$(echo .)ch \
--cc=tzimmermann@suse$(echo .)de \
--cc=victor.liu@nxp$(echo .)com \
--cc=wens@kernel$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox