From: "Dixit, Ashutosh" <ashutosh.dixit@intel.com>
To: Armin Wolf <W_Armin@gmx.de>
Cc: intel-gfx@lists.freedesktop.org,
"Badal Nilawar" <badal.nilawar@intel.com>,
"Andi Shyti" <andi.shyti@intel.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
linux-hwmon@vger.kernel.org
Subject: Re: [PATCH] drm/i915/hwmon: Get rid of devm
Date: Mon, 15 Apr 2024 16:21:12 -0700 [thread overview]
Message-ID: <85bk6atdp3.wl-ashutosh.dixit@intel.com> (raw)
In-Reply-To: <55e00433-71a6-4b41-a65b-0a8871398cdc@gmx.de>
On Sat, 13 Apr 2024 07:43:50 -0700, Armin Wolf wrote:
>
Hi Armin,
> Am 13.04.24 um 02:10 schrieb Ashutosh Dixit:
>
> > When both hwmon and hwmon drvdata (on which hwmon depends) are device
> > managed resources, the expectation, on device unbind, is that hwmon will be
> > released before the drvdata. However, it appears devres does not do this
> > consistently, so that we occasionally see drvdata being released before
> > hwmon itself. This results in a uaf if hwmon sysfs is accessed during
> > device unbind.
> >
> > The only way out of this seems to be do get rid of devm_ and release/free
> > everything explicitly during device unbind.
>
> could it be that the underlying cause for this is the fact that you are using
> devres on a DRM device?
>
> The documentation states that:
>
> devres managed resources like devm_kmalloc() can only be used for resources
> directly related to the underlying hardware device, and only used in code
> paths fully protected by drm_dev_enter() and drm_dev_exit().
I just posted v2 of the patch and updated
https://gitlab.freedesktop.org/drm/intel/-/issues/10366. The updates do
include stack traces for two separate code paths in i915 which release
devres.
Actually I am not sure if this is due to using devres on a DRM device. I
was thinking the PCI device would be more appropriate, but looks like DRM
drivers don't have the parent PCI device available in their data structs.
> That said, since the i915 driver is already removing the hwmon device manually
> with i915_hwmon_unregister(),
Well previously i915_hwmon_unregister() was almost empty (and could
actually be eliminated).
> i agree that not using devres in this case seems to be the solution.
Yeah that seems to me too to be the easiest way out of this situation.
Thanks.
--
Ashutosh
next prev parent reply other threads:[~2024-04-15 23:21 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-13 0:10 [PATCH] drm/i915/hwmon: Get rid of devm Ashutosh Dixit
2024-04-13 14:43 ` Armin Wolf
2024-04-15 23:21 ` Dixit, Ashutosh [this message]
2024-04-14 23:23 ` Dixit, Ashutosh
2024-04-15 20:34 ` ✓ Fi.CI.BAT: success for " Patchwork
-- strict thread matches above, loose matches on Subject: below --
2024-04-16 3:55 [PATCH] " Ashutosh Dixit
2024-04-17 14:56 Ashutosh Dixit
2024-04-18 21:56 ` Andi Shyti
2024-04-19 1:05 ` Dixit, Ashutosh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=85bk6atdp3.wl-ashutosh.dixit@intel.com \
--to=ashutosh.dixit@intel.com \
--cc=W_Armin@gmx.de \
--cc=andi.shyti@intel.com \
--cc=badal.nilawar@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=ville.syrjala@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.