[PATCH RFC 1/2] drm/panel: Add new helpers for refcounted panel allocatons

Wed, 12 Mar 2025 18:12:05 -0700 

Introduce reference counted allocations for panels to avoid
use-after-free. The patch adds the macro devm_drm_bridge_alloc()
to allocate a new refcounted panel. Followed the documentation for
drmm_encoder_alloc() and devm_drm_dev_alloc and other similar
implementations for this purpose.

Also adding drm_panel_get() and drm_panel_put() to suitably
increment and decrement the refcount

Signed-off-by: Anusha Srivatsa <asriv...@redhat.com>
---
 drivers/gpu/drm/drm_panel.c | 50 ++++++++++++++++++++++++++++++++++++++
 include/drm/drm_panel.h     | 58 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c
index 
c627e42a7ce70459f50eb5095fffc806ca45dabf..b55e380e4a2f7ffd940c207e841c197d85113907
 100644
--- a/drivers/gpu/drm/drm_panel.c
+++ b/drivers/gpu/drm/drm_panel.c
@@ -79,6 +79,7 @@ EXPORT_SYMBOL(drm_panel_init);
  */
 void drm_panel_add(struct drm_panel *panel)
 {
+       drm_panel_get(panel);
        mutex_lock(&panel_lock);
        list_add_tail(&panel->list, &panel_list);
        mutex_unlock(&panel_lock);
@@ -96,6 +97,7 @@ void drm_panel_remove(struct drm_panel *panel)
        mutex_lock(&panel_lock);
        list_del_init(&panel->list);
        mutex_unlock(&panel_lock);
+       drm_panel_put(panel);
 }
 EXPORT_SYMBOL(drm_panel_remove);
 
@@ -355,6 +357,54 @@ struct drm_panel *of_drm_find_panel(const struct 
device_node *np)
 }
 EXPORT_SYMBOL(of_drm_find_panel);
 
+/* Internal function (for refcounted panels) */
+void __drm_panel_free(struct kref *kref)
+{
+       struct drm_panel *panel = container_of(kref, struct drm_panel, 
refcount);
+       void *container = ((void *)panel) - panel->container_offset;
+
+       kfree(container);
+}
+EXPORT_SYMBOL(__drm_panel_free);
+
+static void drm_panel_put_void(void *data)
+{
+       struct drm_panel *panel = (struct drm_panel *)data;
+
+       drm_panel_put(panel);
+}
+
+void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
+                            const struct drm_panel_funcs *funcs)
+{
+       void *container;
+       struct drm_panel *panel;
+       int err;
+
+       if (!funcs) {
+               dev_warn(dev, "Missing funcs pointer\n");
+               return ERR_PTR(-EINVAL);
+       }
+
+       container = kzalloc(size, GFP_KERNEL);
+       if (!container)
+               return ERR_PTR(-ENOMEM);
+
+       panel = container + offset;
+       panel->container_offset = offset;
+       panel->funcs = funcs;
+       kref_init(&panel->refcount);
+
+       err = devm_add_action_or_reset(dev, drm_panel_put_void, panel);
+       if (err)
+               return ERR_PTR(err);
+
+       drm_panel_init(panel, dev, funcs, panel->connector_type);
+
+       return container;
+}
+EXPORT_SYMBOL(__devm_drm_panel_alloc);
+
 /**
  * of_drm_get_panel_orientation - look up the orientation of the panel through
  * the "rotation" binding from a device tree node
diff --git a/include/drm/drm_panel.h b/include/drm/drm_panel.h
index 
a9c042c8dea1a82ef979c7a68204e0b55483fc28..f7cfda0039c066ea2c2b26da5062015e61880971
 100644
--- a/include/drm/drm_panel.h
+++ b/include/drm/drm_panel.h
@@ -28,6 +28,7 @@
 #include <linux/errno.h>
 #include <linux/list.h>
 #include <linux/mutex.h>
+#include <linux/kref.h>
 
 struct backlight_device;
 struct dentry;
@@ -266,8 +267,65 @@ struct drm_panel {
         * If true then the panel has been enabled.
         */
        bool enabled;
+
+       /**
+        * @container_offset: Offset of this struct within the container
+        * struct embedding it. Used for refcounted panels to free the
+        * embeddeing struct when the refcount drops to zero.
+        */
+       size_t container_offset;
+       /**
+        * @refcount: reference count for panels with dynamic lifetime
+        */
+       struct kref refcount;
 };
 
+void __drm_panel_free(struct kref *kref);
+
+/**
+ * drm_panel_get - Acquire a panel reference
+ * @panel: DRM panel
+ *
+ * This function increments the panel's refcount.
+ *
+ */
+static inline void drm_panel_get(struct drm_panel *panel)
+{
+
+       kref_get(&panel->refcount);
+}
+
+/**
+ * drm_panel_put - Release a panel reference
+ * @panel: DRM panel
+ *
+ * This function decrements the panel's reference count and frees the
+ * object if the reference count drops to zero.
+ */
+static inline void drm_panel_put(struct drm_panel *panel)
+{
+       kref_put(&panel->refcount, __drm_panel_free);
+}
+
+void *__devm_drm_panel_alloc(struct device *dev, size_t size, size_t offset,
+                            const struct drm_panel_funcs *funcs);
+
+/**
+ * devm_drm_panel_alloc - Allocate and initialize an refcounted panel
+ * @dev: struct device of the panel device
+ * @type: the type of the struct which contains struct &drm_panel
+ * @member: the name of the &drm_panel within @type
+ * @funcs: callbacks for this panel
+ *
+ * The returned refcount is initialised to 1
+ *
+ * Returns:
+ * Pointer to new panel, or ERR_PTR on failure.
+ */
+#define devm_drm_panel_alloc(dev, type, member, funcs) \
+       ((type *)__devm_drm_panel_alloc(dev, sizeof(type), \
+                                        offsetof(type, member), funcs))
+
 void drm_panel_init(struct drm_panel *panel, struct device *dev,
                    const struct drm_panel_funcs *funcs,
                    int connector_type);

-- 
2.48.1

Reply via email to