From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Vetter
Subject: Re: [Intel-gfx] [PATCH] drm/dp/mst: Remove port after removing connector.
Date: Sat, 15 Aug 2015 21:12:37 +0200
Message-ID: <20150815191237.GG20434@phenom.ffwll.local>
References: <1439279669-27058-1-git-send-email-maarten.lankhorst@linux.intel.com>
To: Dave Airlie
Cc: Maarten Lankhorst, Dave Airlie, "intel-gfx@lists.freedesktop.org", stable@vger.kernel.org, dri-devel
List-Id: dri-devel@lists.freedesktop.org

On Sat, Aug 15, 2015 at 02:56:57PM +1000, Dave Airlie wrote:
> On 11 August 2015 at 17:54, Maarten Lankhorst wrote:
> > The port is removed synchronously, but the connector delayed.
> > This causes a use after free which can cause a kernel BUG with
> > slug_debug=FPZU. This is fixed by freeing the port after the
> > connector.
>
> Where is the use after free btw? I'm not sure I like delaying the port
> destruction, there should be no need to.
>
> The connector->port pointer shouldn't be used without validation
> anywhere, and if it is that is a bug.
>
> I'd like to reproduce this before pulling this in.

The remove function needs to lock at the connector->port to shut down the
dp mst link. Before your patch that was done _before_ the final kfree on
the port, but with your patch that's now the other way round: First we
synchronously kfree the port, then we call the driver's connector cleanup
function asynchronously. And that is very unhappy that the port is now
gone.

So perfectly ok regression fix imo to restore the ordering we had before
your patch in the cleanup code.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
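
The ordering problem discussed in this thread, as an added userspace model that is not part of the original message and is not the DRM code: a port released synchronously while the connector cleanup that dereferences connector->port is still queued. All struct and function names are hypothetical, and the port is only marked released instead of freed so the stale access can be detected safely.

```c
#include <stddef.h>

/* Hypothetical userspace model of the teardown order; not the DRM code. */
struct port { int released; int link_up; };
struct connector { struct port *port; };   /* borrowed pointer to the port */

/* One-slot deferred work queue standing in for the delayed connector destroy. */
static void (*pending_fn)(struct connector *);
static struct connector *pending_arg;
static int stale_access;            /* set when cleanup sees a released port */

static void queue_work(void (*fn)(struct connector *), struct connector *c)
{ pending_fn = fn; pending_arg = c; }

static void flush_work(void)
{ if (pending_fn) { pending_fn(pending_arg); pending_fn = NULL; } }

/* Mark the port released rather than calling free(), so the model can
 * detect the stale access without undefined behaviour. */
static void port_release(struct port *p) { p->released = 1; }

/* Connector cleanup must reach through connector->port to shut the link down. */
static void connector_cleanup(struct connector *c)
{
    if (c->port->released) { stale_access = 1; return; }
    c->port->link_up = 0;
}

/* Restored ordering: the same work item releases the port after the connector. */
static void connector_cleanup_then_port(struct connector *c)
{
    connector_cleanup(c);
    port_release(c->port);
}

/* Returns 1 if the deferred cleanup touched a released port, else 0. */
int teardown(int port_freed_synchronously)
{
    struct port p = { 0, 1 };
    struct connector c = { &p };

    stale_access = 0;
    if (port_freed_synchronously) {
        queue_work(connector_cleanup, &c);  /* connector destroy is delayed */
        port_release(&p);                   /* port goes away immediately */
    } else {
        queue_work(connector_cleanup_then_port, &c);
    }
    flush_work();                           /* delayed work finally runs */
    return stale_access;
}
```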