On Tue, 25 Mar 2025 13:24:09 -0400
Anusha Srivatsa <asriv...@redhat.com> wrote:
> Allocate panel via reference counting.
> Add _get() and _put() helper functions
> to ensure panel allocations are refcounted.
> Avoid use after free by ensuring panel is
> valid and can be usable till the last reference
> is put. This avoids use-after-free
"panel is valid and can be usable" is not totally correct. When there
are still references held, you ensure the panel struct is still
_allocated_, not necessarily valid and usable.
Minor nit: you are wrapping at less than 50 columns, which is a bit
tight. I think 75 is the expected value for wrapping.
> Signed-off-by: Anusha Srivatsa <asriv...@redhat.com>
[...]
> +/**
> + * drm_panel_get - Acquire a panel reference
> + * @panel: DRM panel
> + *
> + * This function increments the panel's refcount.
> + *
> + */
Not sure it's mandatory, but documenting the returned value is good
practice , e.g.:
* Returns:
* Pointer to @panel.
> +/**
> + * drm_panel_put - Release a panel reference
> + * @panel: DRM panel
> + *
> + * This function decrements the panel's reference count and frees the
> + * object if the reference count drops to zero.
> + */
> +struct drm_panel *drm_panel_put(struct drm_panel *panel)
> +{
> + if (!panel)
> + return panel;
> +
> + kref_put(&panel->refcount, __drm_panel_free);
> +
> + return panel;
While this is using the same structure as my bridge work, I now realize
the _put() should probably not return the panel (or bridge) pointer, it
should just be a void function. The reason is the pointer might have
been freed when _put() returns (depending on the refcount) so that
pointer value might be dangling and whoever calls _put() must not use
that pointer anymore.
Other get/put APIs do this, e.g. of_node_get/put().
So I'm going to change drm_bridge_put() to return void, unless there
are good reasons to keep it and that I'm missing.
> @@ -280,7 +291,10 @@ void *__devm_drm_panel_alloc(struct device *dev, size_t
> size, size_t offset,
> * @member: the name of the &drm_panel within @type
> * @funcs: callbacks for this panel
> * @connector_type: connector type of the driver
> - * The returned refcount is initialised to 1
> + *
> + * The returned refcount is initialised to 1. This reference will
> + * be automatically dropped via devm (by calling
> + * drm_bridge_put()) when @dev is removed.
^^^^^^
"panel". Same in a few other places in this patch. Please search in all
this series in case there are more. It's easy to forget about replacing
some of those in the comments. :)
Luca
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
