On 28/10/25 10:55, CK Hu (胡俊光) wrote:
On Wed, 2025-09-24 at 12:37 +0200, AngeloGioacchino Del Regno wrote:


The OVL driver is installing an ISR in the probe function but, if
the component is not bound yet, the interrupt handler may call the
vblank_cb ahead of time (while probing other drivers) or too late
(while removing other drivers), possibly accessing memory that it
should not try to access by reusing stale pointers.

In order to fix this, add a new `irq` member to struct mtk_disp_ovl
and then set the NOAUTOEN flag to the irq before installing the ISR
to manually call enable_irq() and disable_irq() in the bind and
unbind callbacks respectively.

Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: AngeloGioacchino Del Regno <[email protected]>
---
  drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 20 +++++++++++++-------
  1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c 
b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
index e0236353d499..8e20b45411fc 100644
--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
+++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl.c
@@ -161,6 +161,7 @@ struct mtk_disp_ovl {
         struct drm_crtc                 *crtc;
         struct clk                      *clk;
         void __iomem                    *regs;
+       int                             irq;
         struct cmdq_client_reg          cmdq_reg;
         const struct mtk_disp_ovl_data  *data;
         void                            (*vblank_cb)(void *data);
@@ -594,12 +595,18 @@ void mtk_ovl_bgclr_in_off(struct device *dev)
  static int mtk_disp_ovl_bind(struct device *dev, struct device *master,
                              void *data)
  {
+       struct mtk_disp_ovl *priv = dev_get_drvdata(dev);
+
+       enable_irq(priv->irq);
         return 0;
  }

  static void mtk_disp_ovl_unbind(struct device *dev, struct device *master,
                                 void *data)
  {
+       struct mtk_disp_ovl *priv = dev_get_drvdata(dev);
+
+       disable_irq(priv->irq);
  }

  static const struct component_ops mtk_disp_ovl_component_ops = {
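Review bot: In mtk_disp_ovl_bind(), enable_irq(priv->irq) runs with nothing in this hunk acknowledging or masking interrupt state left in the OVL hardware, so an interrupt that is already pending can reach the handler as soon as the line is unmasked, before vblank_cb and its data are known to be valid. Either clear and mask the OVL interrupt state before enable_irq() here, or confirm in the commit message that the handler tolerates an unset vblank_cb. In mtk_disp_ovl_unbind(), disable_irq() also waits for a running handler to finish, which is what the teardown relies on; a short comment saying so would keep a later change from swapping in disable_irq_nosync().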
@@ -611,16 +618,15 @@ static int mtk_disp_ovl_probe(struct platform_device 
*pdev)
  {
         struct device *dev = &pdev->dev;
         struct mtk_disp_ovl *priv;
-       int irq;
         int ret;

         priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
         if (!priv)
                 return -ENOMEM;

-       irq = platform_get_irq(pdev, 0);
-       if (irq < 0)
-               return irq;
+       priv->irq = platform_get_irq(pdev, 0);
+       if (priv->irq < 0)
+               return priv->irq;

         priv->clk = devm_clk_get(dev, NULL);
         if (IS_ERR(priv->clk))
@@ -640,10 +646,10 @@ static int mtk_disp_ovl_probe(struct platform_device 
*pdev)
         priv->data = of_device_get_match_data(dev);
         platform_set_drvdata(pdev, priv);

-       ret = devm_request_irq(dev, irq, mtk_disp_ovl_irq_handler,
-                              IRQF_TRIGGER_NONE, dev_name(dev), priv);
+       ret = devm_request_irq(dev, priv->irq, mtk_disp_ovl_irq_handler,
+                              IRQF_NO_AUTOEN, dev_name(dev), priv);

The RDMA driver clears the pending interrupt and disables the interrupt before requesting the irq.
I would like the hardware to be in an idle state at probe.
So OVL should do the same as RDMA.


As I commented on RDMA - that won't work. After unbinding components, only the
bind() op will be executed, not probe(), so the interrupt will not be reset in
HW, and while re-binding other components, IRQs will come and produce a kernel
panic (in the best scenario, eh!) for use-after-free.

Regards,
Angelo

Regards,
CK

         if (ret < 0)
-               return dev_err_probe(dev, ret, "Failed to request irq %d\n", 
irq);
+               return dev_err_probe(dev, ret, "Failed to request irq %d\n", 
priv->irq);

         pm_runtime_enable(dev);
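Review bot: The devm_request_irq() call in mtk_disp_ovl_probe() needs a comment saying the IRQ is deliberately left disabled until mtk_disp_ovl_bind() calls enable_irq(); with only IRQF_NO_AUTOEN at the call site, a reader of probe() cannot tell where the line is ever enabled. One line above the request naming the bind/unbind pairing is enough. Replacing IRQF_TRIGGER_NONE is harmless for the trigger type, since that flag is 0.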

--
2.51.0



