[PATCH v7 03/23] drm: bridge: dw_hdmi: Free IRQ before CEC adapter is unregistered
Hans Verkuil
hverkuil+cisco at kernel.org
Mon May 18 23:21:30 PDT 2026
On 18/05/2026 20:01, Jonas Karlman wrote:
> The interrupt allocated with devm_request_threaded_irq() can be
> use-after-free when the devres release action try to free_irq().
>
> KASAN report a slab-use-after-free in dw_hdmi_cec_hardirq during unbind:
>
> Call trace:
> [...]
> dw_hdmi_cec_hardirq+0x4cc/0x560
> free_irq+0x48c/0x7e4
> devm_irq_release+0x54/0x90
> dr_node_release+0x38/0x5c
> release_nodes+0xac/0x130
> devres_release_all+0xf4/0x1b0
> device_unbind_cleanup+0x28/0x1f8
> device_release_driver_internal+0x358/0x470
> device_release_driver+0x18/0x24
> bus_remove_device+0x33c/0x4f0
> device_del+0x2d8/0x790
> platform_device_del+0x34/0x1e0
> platform_device_unregister+0x14/0x3c
> dw_hdmi_remove+0x74/0x180
> [...]
>
> Freed by:
> [...]
> kfree+0x1dc/0x5dc
> cec_delete_adapter+0xd4/0x118
> cec_devnode_release+0xa4/0xe0
> device_release+0xa0/0x200
> kobject_put+0x14c/0x26c
> put_device+0x14/0x30
> cec_unregister_adapter+0x20c/0x280
> dw_hdmi_cec_remove+0x8c/0xd0
> [...]
>
> Explicitly devm_free_irq() before the CEC adapter is unregistered to
> fix this possible use-after-free issue.
>
> Fixes: a616e63c56ef ("drm/bridge: dw-hdmi: add cec driver")
> Signed-off-by: Jonas Karlman <jonas at kwiboo.se>
Acked-by: Hans Verkuil <hverkuil+cisco at kernel.org>
Regards,
Hans
> ---
> v7: New patch
>
> KASAN report a slab-use-after-free in dw_hdmi_cec_hardirq when,
> echo fe0a0000.hdmi > /sys/bus/platform/drivers/dwhdmi-rockchip/unbind
> on a Rockchip RK3566 device prior to this fix.
> ---
> drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> index 9549dabde941..67a2a242d3ca 100644
> --- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> +++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-cec.c
> @@ -309,6 +309,7 @@ static void dw_hdmi_cec_remove(struct platform_device *pdev)
> struct dw_hdmi_cec *cec = platform_get_drvdata(pdev);
>
> cec_notifier_cec_adap_unregister(cec->notify, cec->adap);
> + devm_free_irq(&pdev->dev, cec->irq, cec->adap);
> cec_unregister_adapter(cec->adap);
> }
>
More information about the Linux-rockchip
mailing list