[Intel-gfx] [PATCH] drm/dp/mst: Remove port after removing connector.

Daniel Vetter daniel at ffwll.ch
Sat Aug 15 12:12:37 PDT 2015


On Sat, Aug 15, 2015 at 02:56:57PM +1000, Dave Airlie wrote:
> On 11 August 2015 at 17:54, Maarten Lankhorst
> <maarten.lankhorst at linux.intel.com> wrote:
> > The port is removed synchronously, but the connector delayed.
> > This causes a use after free which can cause a kernel BUG with
> > slub_debug=FPZU. This is fixed by freeing the port after the
> > connector.
> 
> Where is the use after free btw? I'm not sure I like delaying the port
> destruction, there should be no need to.
> 
> The connector->port pointer shouldn't be used without validation
> anywhere, and if it is that is a bug.
> 
> I'd like to reproduce this before pulling this in.

The remove function needs to lock at the connector->port to shut down the
dp mst link. Before your patch that was done _before_ the final kfree on
the port, but with your patch that's now the other way round: First we
synchronously kfree the port, then we call the driver's connector cleanup
function asynchronously. And that is very unhappy that the port is now
gone.

So perfectly ok regression fix imo to restore the ordering we had before
your patch in the cleanup code.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
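
The ordering described in the reply above, as an added example that is not part of the original thread or of the drm_dp_mst code: a user-space model in which connector cleanup is always deferred and the port is freed either before it (regressed order) or after it (restored order). All names are hypothetical, and a `freed` flag stands in for `kfree()` so the stale access can be counted instead of triggering undefined behaviour.

```c
/* Added illustration; every name here is hypothetical, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct port { bool freed; };               /* freed = true models kfree(port) */
struct connector { struct port *port; bool destroyed; };

#define MAX_DEFERRED 4
static struct connector *deferred[MAX_DEFERRED];
static size_t n_deferred;

static void port_free(struct port *p) { p->freed = true; }

/* Driver cleanup: has to read connector->port to shut the link down. */
static int connector_destroy(struct connector *c)
{
    int stale = c->port->freed ? 1 : 0;    /* in the kernel: read of freed memory */
    c->destroyed = true;
    return stale;
}

/* Runs later, like a work item; returns the number of stale port accesses. */
static int run_deferred(bool free_port_after)
{
    int stale = 0;
    for (size_t i = 0; i < n_deferred; i++) {
        struct port *p = deferred[i]->port;
        stale += connector_destroy(deferred[i]);
        if (free_port_after)
            port_free(p);                  /* restored order: port outlives connector */
    }
    n_deferred = 0;
    return stale;
}

/* Tear down one port/connector pair; returns stale accesses, -1 on a leak. */
int teardown(bool free_port_after)
{
    struct port p = { .freed = false };
    struct connector c = { .port = &p, .destroyed = false };
    deferred[n_deferred++] = &c;           /* connector cleanup is always delayed */
    if (!free_port_after)
        port_free(&p);                     /* regressed order: synchronous free first */
    int stale = run_deferred(free_port_after);
    return (c.destroyed && p.freed) ? stale : -1;
}

int main(void)
{
    printf("regressed order: %d stale access(es)\n", teardown(false));
    printf("restored order:  %d stale access(es)\n", teardown(true));
    return 0;
}
```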