From: Jani Nikula <jani.nikula@linux.intel.com>
To: Hans Verkuil <hverkuil@xs4all.nl>,
	Randy Dunlap <rdunlap@infradead.org>,
	LKML <linux-kernel@vger.kernel.org>,
	intel-gfx <intel-gfx@lists.freedesktop.org>
Cc: "Neil Armstrong" <narmstrong@baylibre.com>,
	"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
	"Daniel Vetter" <daniel.vetter@ffwll.ch>
Subject: Re: [Intel-gfx] BUG: KASAN: use-after-free in intel_hdmi_destroy+0x79/0x80
Date: Mon, 25 Feb 2019 16:58:13 +0200
Message-ID: <87va17rk3e.fsf@intel.com>
In-Reply-To: <0df373d6-99e0-7509-1404-f3eadd9f23f7@xs4all.nl>

On Mon, 25 Feb 2019, Hans Verkuil <hverkuil@xs4all.nl> wrote:
> Hi Jani,
>
> On 2/25/19 2:40 PM, Jani Nikula wrote:
>> On Fri, 22 Feb 2019, Randy Dunlap <rdunlap@infradead.org> wrote:
>>> This is 5.0-rc7 on an old Toshiba Portege laptop.
>>> No hdmi or other external video.
>>>
>>> Linux dragon.dunlab 5.0.0-rc7mod #3 SMP PREEMPT Wed Feb 20 00:05:17 PST 2019 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> on openSUSE LEAP 15.0 distro.
>>>
>>> Full boot log is attached.
>> 
>> On a hunch, caused by 9c229127aee2 ("drm/i915: hdmi: add CEC notifier to
>> intel_hdmi") referencing the encoder in connector destroy hook. We
>> should probably move the cec_notifier_put() call in the encoder destroy
>> hook.
>
> So the intel_encoder_destroy function is/can be called before the 
> intel_hdmi_destroy function? Sounds odd. I would expect that the 
> connectors are destroyed before the encoders.
>
> In any case, I am happy to try it in another destroy hook, but I need
> advice which hook I should use and how I get to the cec_notifier from
> whatever structure pointer I have in that destroy hook.
>
> I tried to figure it out, but I became very confused :-)

It's... hairy.

Looks like in this case the destroy hook gets called via
drm_connector_free_work_fn() and __drm_connector_put_safe() the
documentation of which says, "Should only be used from the
connector_iter functions, where we never really expect to actually
release the connector when dropping our final reference."

Can and does happen anyway it seems. :/

BR,
Jani.

-- 
Jani Nikula, Intel Open Source Graphics Center
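
The teardown ordering discussed in this thread, as an added userspace model (not code from this message or from i915): the connector's destroy hook runs from deferred work after the encoder is gone. All type and function names are hypothetical, and the encoder is marked dead rather than freed so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; hypothetical types, not the DRM/i915 structures. */
struct notifier { int refs; };
struct encoder { bool alive; struct notifier *cec; };
struct connector { struct encoder *enc; };

static int stale_accesses; /* reads of an encoder after its destroy hook ran */

static void notifier_put(struct notifier *n) { if (n) n->refs--; }

/* Connector destroy hook that reaches the notifier through the encoder. */
static void connector_destroy(struct connector *c, bool put_via_encoder)
{
    if (!put_via_encoder) return;
    if (!c->enc->alive) {   /* in a real kernel: read of freed memory */
        stale_accesses++;
        return;
    }
    notifier_put(c->enc->cec);
}

/* Alternative from the thread: the encoder destroy hook drops the reference. */
static void encoder_destroy(struct encoder *e, bool put_here)
{
    if (put_here) { notifier_put(e->cec); e->cec = NULL; }
    e->alive = false;       /* tombstone standing in for kfree() */
}

/* Teardown with the connector's final put deferred past encoder destruction. */
static int run_teardown(bool put_in_encoder_hook, int *refs_left)
{
    struct notifier n = { .refs = 1 };
    struct encoder e = { .alive = true, .cec = &n };
    struct connector c = { .enc = &e };

    stale_accesses = 0;
    encoder_destroy(&e, put_in_encoder_hook);     /* encoders torn down first */
    connector_destroy(&c, !put_in_encoder_hook);  /* deferred work runs late */
    *refs_left = n.refs;
    return stale_accesses;  /* number of accesses to the dead encoder */
}

int main(void)
{
    int r, s = run_teardown(false, &r), t = run_teardown(true, &r);
    printf("connector-hook put: stale=%d, encoder-hook put: stale=%d\n", s, t);
    return 0;
}
```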

Thread overview: 4+ messages
2019-02-23  1:11 BUG: KASAN: use-after-free in intel_hdmi_destroy+0x79/0x80 Randy Dunlap
2019-02-25 13:41 ` [Intel-gfx] " Jani Nikula
2019-02-25 14:43   ` Hans Verkuil
2019-02-25 14:58     ` Jani Nikula [this message]
