From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Oleksandr Andrushchenko
Subject: [PATCH] drm: Fix possible race conditions while unplugging DRM device
Date: Tue, 22 May 2018 17:13:04 +0300
Message-ID: <20180522141304.18646-1-andr2000@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) by gabe.freedesktop.org (Postfix) with ESMTPS id 05C586E18D for ; Tue, 22 May 2018 14:13:20 +0000 (UTC)
Received: by mail-wm0-x244.google.com with SMTP id w194-v6so192309wmf.2 for ; Tue, 22 May 2018 07:13:19 -0700 (PDT)
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel"
To: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org, gustavo@padovan.org
Cc: andr2000@gmail.com, Oleksandr Andrushchenko
List-Id: dri-devel@lists.freedesktop.org

From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id
 S1751598AbeEVONV (ORCPT ); Tue, 22 May 2018 10:13:21 -0400
Received: from mail-wm0-f66.google.com ([74.125.82.66]:34687 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751236AbeEVONU (ORCPT ); Tue, 22 May 2018 10:13:20 -0400
X-Google-Smtp-Source: AB8JxZpzpp7Z2RV5AuE/2Rt46Sz4VeCpPI3gQ+B1j0Om171QF9/A/ZvOBKc7uJJw/4Am73dZgFCLUQ==
From: Oleksandr Andrushchenko
To: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org, gustavo@padovan.org
Cc: andr2000@gmail.com, Oleksandr Andrushchenko, Noralf Trønnes
Subject: [PATCH] drm: Fix possible race conditions while unplugging DRM device
Date: Tue, 22 May 2018 17:13:04 +0300
Message-Id: <20180522141304.18646-1-andr2000@gmail.com>
X-Mailer: git-send-email 2.17.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oleksandr Andrushchenko

When unplugging a hotpluggable DRM device we first unregister it
with drm_dev_unregister and then set drm_device.unplugged flag which
is used to mark device critical sections with drm_dev_enter()/
drm_dev_exit() preventing access to device resources that are not
available after the device is gone.
But drm_dev_unregister may lead to hotplug uevent(s) fired to
user-space on card and/or connector removal, thus making it possible
for user-space to try accessing a disconnected device.

Fix this by first making sure device is properly marked as
disconnected and only then unregister it.

Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged")

Signed-off-by: Oleksandr Andrushchenko
Reported-by: Andrii Chepurnyi
Cc: "Noralf Trønnes"
---
 drivers/gpu/drm/drm_drv.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b553a6f2ff0e..7af748ed1c58 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -369,13 +369,6 @@ EXPORT_SYMBOL(drm_dev_exit); */ void drm_dev_unplug(struct drm_device *dev) { - drm_dev_unregister(dev); - - mutex_lock(&drm_global_mutex); - if (dev->open_count == 0) - drm_dev_put(dev); - mutex_unlock(&drm_global_mutex); - /* * After synchronizing any critical read section is guaranteed to see * the new value of ->unplugged, and any critical section which might @@ -384,6 +377,13 @@ void drm_dev_unplug(struct drm_device *dev) */ dev->unplugged = true; synchronize_srcu(&drm_unplug_srcu); + + drm_dev_unregister(dev); + + mutex_lock(&drm_global_mutex); + if (dev->open_count == 0) + drm_dev_put(dev); + mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_dev_unplug); -- 2.17.0
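Review bot: The function comment that closes on the ` */` context line just above drm_dev_unplug() in the first hunk (@@ -369,13 +369,6) is not updated, and the diffstat shows only the seven moved lines. The fix relies on ->unplugged being set and synchronize_srcu() returning before drm_dev_unregister() can emit uevents to user-space, so that ordering should be stated in the function's documentation (or in a short comment where the removed block used to be); otherwise a later cleanup can move the calls back without noticing the dependency.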
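Review bot: In the second hunk (@@ -384,6 +377,13), drm_dev_unregister(dev) now runs after dev->unplugged = true and synchronize_srcu(&drm_unplug_srcu), so anything reached from the unregister path that is itself wrapped in drm_dev_enter()/drm_dev_exit() will see the device as unplugged and be skipped. Please confirm that no teardown in drm_dev_unregister(), including driver callbacks it invokes, depends on drm_dev_enter() succeeding, and say in the commit message that this was checked. A one-line comment above the added drm_dev_unregister(dev) call noting that it must stay after the SRCU synchronization would also help.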