<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [Patch?] DisplayPort MST (Multistream Transport) hotplug kernel memory fault"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91481">91481</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[Patch?] DisplayPort MST (Multistream Transport) hotplug kernel memory fault
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DRI
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>XOrg git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86 (IA32)
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux (All)
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>DRM/other
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>dri-devel@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>adam_richter2004@yahoo.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=117412" name="attach_117412" title="Path to make drm_dp_send_link_address set link_address_sent before hotplug handler changes the pointer to it">attachment 117412</a></span>
Path to make drm_dp_send_link_address set link_address_sent before hotplug
handler changes the pointer to it

When I "hot plug" insert a DisplayPort multistream transport ("MST") hub into a
computer that is running a Linux 4.2-rc4 kernel or any recent version, I get a
kernel memory fault in drm_dp_add_port.  In earlier kernels, I traced it to the
line after drm_dp_add_port's call to drm_dp_send_link_address:

            drm_dp_send_link_address(mstb->mgr, port->mstb);
            port->mstb->link_address_sent = true;

I believe that the problem is that drm_dp_send_link_address can call a hotplug
handler, which can change port->mstb so that it cannot be dereferenced (I think
it is set to NULL, but I have forgotten).

Since drm_dp_send_link_address is a static function in this file, its address
is never taken, and there are only two call sites, both of which set
link_address_sent to true, the patch that I have attached changes
drm_dp_send_link_address so that it sets that flag, reducing duplication of
code, and also allowing drm_dp_send_link_address to skip setting the flag if
sending the link address fails.

An intentional behavior change introduced by this patch is that the
mstb->link_address_sent is not set if sending the link address was aborted due
to the memory allocation in drm_dp_send_link_address failing.

Perhaps it should also not be set if the action receives a NAK reply, but I
haven't studied the code and DisplayPort documentation enough to guess. 
Whoever examines this patch should feel free to revise it as they see fit.

I should also warn that after I made this change in linux-4.2-rc4, the
resulting kernel eventually got another kernel memory fault in i2c_transfer
(called by drm_do_probe_ddc_edid), but I believe that that is a separate issue.

I am happy to answer questions about this patch.  If nobody sees any problems
with it, I would ask that whoever takes this bug report submit the patch
upstream.

Thanks for considering this bug report and proposed patch.</pre>
        </div>
      </p>
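      <p>Added example, not part of the original report or the attached patch: a header-free C model of the call pattern described above, showing the caller-side store that faults and the callee-side store that does not. The struct and function names, the int flags, and the assumption that the hotplug handler sets the pointer to null are constructed for illustration.</p>
<pre>
```c
/* Constructed model of the pattern in the report; not kernel code.
 * Header-free on purpose: flags are int, null pointers are written 0. */
struct branch { int link_address_sent; };   /* stands in for the MST branch */
struct port   { struct branch *mstb; };     /* stands in for the MST port   */

/* Hypothetical hotplug handler: detaches the branch from the port.
 * Assumption: the pointer becomes null, as the report suspects. */
static void hotplug(struct port *port) { port->mstb = 0; }

/* "Before" shape: the callee only sends; the caller sets the flag later. */
static int send_before(struct port *port, int alloc_fails, int hotplug_fires)
{
    if (alloc_fails)
        return -1;                 /* models the message allocation failing */
    if (hotplug_fires)
        hotplug(port);             /* may run before the caller resumes */
    return 0;
}

/* Returns 1 if the caller's follow-up store through port->mstb would
 * dereference a null pointer; the store is skipped in that case so the
 * model itself does not crash. */
static int caller_before(struct port *port, int alloc_fails, int hotplug_fires)
{
    send_before(port, alloc_fails, hotplug_fires);
    if (!port->mstb)
        return 1;                  /* the kernel faults at this point */
    port->mstb->link_address_sent = 1;   /* set even if the send was aborted */
    return 0;
}

/* "After" shape: the callee owns the flag, writes it through the pointer
 * it was handed before any handler runs, and skips it on an aborted send. */
static int send_after(struct port *port, struct branch *mstb,
                      int alloc_fails, int hotplug_fires)
{
    if (alloc_fails)
        return -1;                 /* flag stays clear */
    mstb->link_address_sent = 1;   /* no re-read of port->mstb */
    if (hotplug_fires)
        hotplug(port);
    return 0;
}
```
</pre>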
    </body>
</html>