[Intel-gfx] [PATCH v2] drm/i915/display: Fix a use-after-free when intel_edp_init_connector fails

Mon May 29 11:38:39 UTC 2023

From: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>

We enable the DP aux channel during probe, but may free the connector
soon afterwards. Ensure the DP aux display power put (and any other
async put for that matter) is completed before everything is freed, to
prevent a use-after-free in icl_aux_pw_to_phy(), called from
icl_combo_phy_aux_power_well_disable.

v2 by Jani:
- do a regular flush before freeing dig_port

Cc: Imre Deak <imre.deak at intel.com>
Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
Signed-off-by: Jani Nikula <jani.nikula at intel.com>

---

v2 of https://patchwork.freedesktop.org/patch/msgid/20221220094618.207126-1-maarten.lankhorst@linux.intel.com

The encoder cleanup paths could use some cleanup and unification, but do
what's needed here.
---
 drivers/gpu/drm/i915/display/g4x_dp.c    | 2 ++
 drivers/gpu/drm/i915/display/intel_ddi.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/g4x_dp.c b/drivers/gpu/drm/i915/display/g4x_dp.c
index 112d91d81fdc..e8147c18fa93 100644
--- a/drivers/gpu/drm/i915/display/g4x_dp.c
+++ b/drivers/gpu/drm/i915/display/g4x_dp.c
@@ -1379,6 +1379,8 @@ bool g4x_dp_init(struct drm_i915_private *dev_priv,
 	return true;
 
 err_init_connector:
+	/* aync put accesses the dig_port, ensure it's done before free */
+	intel_display_power_flush_work(dev_priv);
 	drm_encoder_cleanup(encoder);
 err_encoder_init:
 	kfree(intel_connector);
diff --git a/drivers/gpu/drm/i915/display/intel_ddi.c b/drivers/gpu/drm/i915/display/intel_ddi.c
index d1a9a3cf94b5..dfa1c44dc442 100644
--- a/drivers/gpu/drm/i915/display/intel_ddi.c
+++ b/drivers/gpu/drm/i915/display/intel_ddi.c
@@ -4971,6 +4971,8 @@ void intel_ddi_init(struct drm_i915_private *dev_priv, enum port port)
 	return;
 
 err:
+	/* aync put accesses the dig_port, ensure it's done before free */
+	intel_display_power_flush_work(dev_priv);
 	drm_encoder_cleanup(&encoder->base);
 	kfree(dig_port);
 }
-- 
2.39.2

