From: Oleksandr Andrushchenko <andr2000@gmail.com>
To: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org,
gustavo@padovan.org
Cc: andr2000@gmail.com,
Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Subject: [PATCH] drm: Fix possible race conditions while unplugging DRM device
Date: Tue, 22 May 2018 17:13:04 +0300 [thread overview]
Message-ID: <20180522141304.18646-1-andr2000@gmail.com> (raw)
From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
When unplugging a hotpluggable DRM device we first unregister it
with drm_dev_unregister and then set drm_device.unplugged flag which
is used to mark device critical sections with drm_dev_enter()/
drm_dev_exit() preventing access to device resources that are not
available after the device is gone.
But drm_dev_unregister may lead to hotplug uevent(s) fired to
user-space on card and/or connector removal, thus making it possible
for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as
disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
Cc: "Noralf Trønnes" <noralf@tronnes.org>
---
drivers/gpu/drm/drm_drv.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index b553a6f2ff0e..7af748ed1c58 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
*/
void drm_dev_unplug(struct drm_device *dev)
{
- drm_dev_unregister(dev);
-
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
- drm_dev_put(dev);
- mutex_unlock(&drm_global_mutex);
-
/*
* After synchronizing any critical read section is guaranteed to see
* the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
*/
dev->unplugged = true;
synchronize_srcu(&drm_unplug_srcu);
+
+ drm_dev_unregister(dev);
+
+ mutex_lock(&drm_global_mutex);
+ if (dev->open_count == 0)
+ drm_dev_put(dev);
+ mutex_unlock(&drm_global_mutex);
}
EXPORT_SYMBOL(drm_dev_unplug);
--
2.17.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Oleksandr Andrushchenko <andr2000@gmail.com>
To: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org,
gustavo@padovan.org
Cc: andr2000@gmail.com,
"Oleksandr Andrushchenko" <oleksandr_andrushchenko@epam.com>,
"Noralf Trønnes" <noralf@tronnes.org>
Subject: [PATCH] drm: Fix possible race conditions while unplugging DRM device
Date: Tue, 22 May 2018 17:13:04 +0300 [thread overview]
Message-ID: <20180522141304.18646-1-andr2000@gmail.com> (raw)
From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
When unplugging a hotpluggable DRM device we first unregister it
with drm_dev_unregister and then set drm_device.unplugged flag which
is used to mark device critical sections with drm_dev_enter()/
drm_dev_exit() preventing access to device resources that are not
available after the device is gone.
But drm_dev_unregister may lead to hotplug uevent(s) fired to
user-space on card and/or connector removal, thus making it possible
for user-space to try accessing a disconnected device.
Fix this by first making sure device is properly marked as
disconnected and only then unregister it.
Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")
Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
Reported-by: Andrii Chepurnyi <andrii_chepurnyi@epam.com>
Cc: "Noralf Trønnes" <noralf@tronnes.org>
---
drivers/gpu/drm/drm_drv.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index b553a6f2ff0e..7af748ed1c58 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit);
*/
void drm_dev_unplug(struct drm_device *dev)
{
- drm_dev_unregister(dev);
-
- mutex_lock(&drm_global_mutex);
- if (dev->open_count == 0)
- drm_dev_put(dev);
- mutex_unlock(&drm_global_mutex);
-
/*
* After synchronizing any critical read section is guaranteed to see
* the new value of ->unplugged, and any critical section which might
@@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev)
*/
dev->unplugged = true;
synchronize_srcu(&drm_unplug_srcu);
+
+ drm_dev_unregister(dev);
+
+ mutex_lock(&drm_global_mutex);
+ if (dev->open_count == 0)
+ drm_dev_put(dev);
+ mutex_unlock(&drm_global_mutex);
}
EXPORT_SYMBOL(drm_dev_unplug);
--
2.17.0
next reply other threads:[~2018-05-22 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-22 14:13 Oleksandr Andrushchenko [this message]
2018-05-22 14:13 ` [PATCH] drm: Fix possible race conditions while unplugging DRM device Oleksandr Andrushchenko
2018-05-29 6:25 ` Oleksandr Andrushchenko
2018-05-29 6:25 ` Oleksandr Andrushchenko
2018-05-29 7:02 ` Daniel Vetter
2018-05-29 7:02 ` Daniel Vetter
2018-05-29 7:09 ` Oleksandr Andrushchenko
2018-05-29 7:09 ` Oleksandr Andrushchenko
2018-05-29 7:49 ` Daniel Vetter
2018-05-29 7:49 ` Daniel Vetter
2018-05-31 7:48 ` Oleksandr Andrushchenko
2018-05-31 7:48 ` Oleksandr Andrushchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180522141304.18646-1-andr2000@gmail.com \
--to=andr2000@gmail.com \
--cc=airlied@linux.ie \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gustavo@padovan.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleksandr_andrushchenko@epam.com \
--cc=seanpaul@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.