On Mon, May 4, 2026 at 5:25 PM Dmitry Baryshkov <[email protected]> wrote:
>
> Mixing devm and drmm functions will result in a use-after-free on msm
> driver teardown if userspace keeps a reference on the drm device:
> The WB connector data will be destroyed because of the use of
> devm_kzalloc(), while the userspace still can try interacting with the
> WB connector (which uses drmm_ functions).
>
> Change dpu_writeback_init() to use drmm_.

From [1] it doesn't sound like userspace holding the drm device open is the issue (if that were possible, it seems like it would go badly), but rather the order of managed cleanup?

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/gpu/drm/xe/xe_hwmon.c?id=3a13c2de442d6bfaef9c102cd1092e6cae22b753

> Fixes: 0b37ac63fc9d ("drm/msm/dpu: use drmm_writeback_connector_init()")
> Reported-by: Christophe JAILLET <[email protected]>
> Closes:
> https://lore.kernel.org/r/[email protected]
> Signed-off-by: Dmitry Baryshkov <[email protected]>
> --- > drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c > b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c > index 7545c0293efb..6f2370c9dd98 100644 > --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c > +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c > @@ -5,6 +5,7 @@ > > #include <drm/drm_edid.h> > #include <drm/drm_framebuffer.h> > +#include <drm/drm_managed.h> > > #include "dpu_writeback.h" > > @@ -125,7 +126,7 @@ int dpu_writeback_init(struct drm_device *dev, struct > drm_encoder *enc, > struct dpu_wb_connector *dpu_wb_conn; > int rc = 0; > > - dpu_wb_conn = devm_kzalloc(dev->dev, sizeof(*dpu_wb_conn), > GFP_KERNEL); > + dpu_wb_conn = drmm_kzalloc(dev, sizeof(*dpu_wb_conn), GFP_KERNEL); > if (!dpu_wb_conn) > return -ENOMEM; > > > -- > 2.47.3 >
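Review bot: the commit message does not say which release runs first, and that ordering is the whole justification for the one-line change in the dpu_writeback_init() hunk, where devm_kzalloc(dev->dev, ...) becomes drmm_kzalloc(dev, ...). The change moves dpu_wb_conn from the lifetime of the underlying struct device (freed when devres is released at driver unbind) to the lifetime of the drm_device (freed at the final drm_dev_put()). Please spell that out in the message: state that the connector set up through drmm_ is cleaned up at the final drm_device release, which can be later than devres release, so the memory backing it must not be devm-owned. It would also help to say whether the trigger is a userspace-held reference or simply managed cleanup order, since both readings have come up in this thread. The visible context only covers this single allocation; if anything else reachable from dpu_wb_conn in this function is still devm-allocated, it needs the same treatment.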
