[PATCH 20/45] drm/i915/dp: Free the drm_dp_aux along with the encoder

Chris Wilson chris at chris-wilson.co.uk
Mon Jun 13 08:15:01 UTC 2016


The drm_dp_aux object is stored on the encoder, and freeing it from the
connector causes a use-after-free error since the encoder is destroyed
first:

[  112.356952] ==================================================================
[  112.357065] BUG: KASAN: use-after-free in intel_dp_connector_destroy+0x68/0xb0 [i915] at addr ffff880386960168
[  112.357130] Read of size 8 by task rmmod/6293
[  112.357159] =============================================================================
[  112.357221] BUG kmalloc-8192 (Tainted: G        W   E  ): kasan: bad access detected
[  112.357268] -----------------------------------------------------------------------------
[  112.357268]
[  112.357333] Disabling lock debugging due to kernel taint
[  112.357362] INFO: Allocated in 0xffff8803869642a8 age=18446744052234668220 cpu=0 pid=0
[  112.357472] 	intel_ddi_init+0xea/0x540 [i915]
[  112.357502] 	___slab_alloc+0x4a3/0x530
[  112.357529] 	__slab_alloc+0x4c/0x90
[  112.357571] 	kmem_cache_alloc+0x180/0x1c0
[  112.357657] 	intel_ddi_init+0xea/0x540 [i915]
[  112.357739] 	intel_modeset_init+0x1e51/0x2150 [i915]
[  112.357806] 	__kms_init_async+0x33/0x50 [i915]
[  112.357880] 	do_initcall_async+0x6e/0xa0 [i915]
[  112.357918] 	async_run_entry_fn+0x60/0x230
[  112.357947] 	process_one_work+0x315/0x6d0
[  112.357989] 	worker_thread+0x86/0x780
[  112.358017] 	kthread+0x141/0x160
[  112.358065] 	ret_from_fork+0x1f/0x40
[  112.358111] INFO: Freed in 0xfffef6db age=18446717049775278270 cpu=2173493056 pid=-1
[  112.358212] 	intel_dp_encoder_destroy+0x2e/0xa0 [i915]
[  112.358242] 	__slab_free+0x17a/0x310
[  112.358268] 	kfree+0x164/0x170
[  112.358361] 	intel_dp_encoder_destroy+0x2e/0xa0 [i915]
[  112.358395] 	drm_mode_config_cleanup+0x63/0x370
[  112.358481] 	intel_modeset_cleanup+0x65/0x90 [i915]
[  112.358550] 	i915_driver_unload+0xbf/0x380 [i915]
[  112.358624] 	i915_pci_remove+0x23/0x30 [i915]
[  112.358663] 	pci_device_remove+0x5c/0x110
[  112.358691] 	__device_release_driver+0xd6/0x1e0
[  112.358734] 	driver_detach+0x112/0x120
[  112.358761] 	bus_remove_driver+0x93/0x160
[  112.358803] 	driver_unregister+0x3e/0x70
[  112.358832] 	pci_unregister_driver+0x24/0xd0
[  112.358932] 	i915_exit+0x1a/0x88c [i915]
[  112.358961] 	SyS_delete_module+0x20a/0x250

Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
---
 drivers/gpu/drm/i915/intel_dp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
index 2d1b12b487e7..83fe5a23a80d 100644
--- a/drivers/gpu/drm/i915/intel_dp.c
+++ b/drivers/gpu/drm/i915/intel_dp.c
@@ -4460,8 +4460,6 @@ intel_dp_connector_destroy(struct drm_connector *connector)
 	if (!IS_ERR_OR_NULL(intel_connector->edid))
 		kfree(intel_connector->edid);
 
-	intel_dp_aux_fini(intel_attached_dp(connector));
-
 	/* Can't call is_edp() since the encoder may have been destroyed
 	 * already. */
 	if (connector->connector_type == DRM_MODE_CONNECTOR_eDP)
@@ -4492,6 +4490,9 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder)
 			intel_dp->edp_notifier.notifier_call = NULL;
 		}
 	}
+
+	intel_dp_aux_fini(intel_dp);
+
 	drm_encoder_cleanup(encoder);
 	kfree(intel_dig_port);
 }
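Review bot: The added `intel_dp_aux_fini(intel_dp);` in intel_dp_encoder_destroy() relies on an ordering that the code does not state. It must run before the `kfree(intel_dig_port);` two lines below, and the connector, which per the commit message is destroyed after the encoder, must never touch the aux again. A one-line comment above the call would keep a later reshuffle from reintroducing the use-after-free reported by KASAN, e.g. `/* aux is stored on the encoder: finish it here, before the kfree() below, never from the connector */`. The body of intel_dp_encoder_destroy() starts outside this hunk, so it is not visible whether intel_dp_aux_fini() is safe when aux setup never completed; that is worth confirming.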
-- 
2.8.1


