Re: [PATCH 1/3] drm/i915/dp: Free the drm_dp_aux along with the encoder

From: Daniel Vetter <daniel@ffwll.ch>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: daniel.vetter@ffwll.ch, intel-gfx@lists.freedesktop.org
Subject: Re: [PATCH 1/3] drm/i915/dp: Free the drm_dp_aux along with the encoder
Date: Sun, 19 Jun 2016 10:38:24 +0200	[thread overview]
Message-ID: <20160619083824.GW23520@phenom.ffwll.local> (raw)
In-Reply-To: <1466178837-5888-2-git-send-email-chris@chris-wilson.co.uk>

On Fri, Jun 17, 2016 at 04:53:55PM +0100, Chris Wilson wrote:
> The drm_dp_ax object is stored on the encoder, and freeing it from the
> connector causes a use-after-free error since the encoder is destroy
> first:
> 
> [  112.356952] ==================================================================
> [  112.357065] BUG: KASAN: use-after-free in intel_dp_connector_destroy+0x68/0xb0 [i915] at addr ffff880386960168
> [  112.357130] Read of size 8 by task rmmod/6293
> [  112.357159] =============================================================================
> [  112.357221] BUG kmalloc-8192 (Tainted: G        W   E  ): kasan: bad access detected
> [  112.357268] -----------------------------------------------------------------------------
> [  112.357268]
> [  112.357333] Disabling lock debugging due to kernel taint
> [  112.357362] INFO: Allocated in 0xffff8803869642a8 age=18446744052234668220 cpu=0 pid=0
> [  112.357472] 	intel_ddi_init+0xea/0x540 [i915]
> [  112.357502] 	___slab_alloc+0x4a3/0x530
> [  112.357529] 	__slab_alloc+0x4c/0x90
> [  112.357571] 	kmem_cache_alloc+0x180/0x1c0
> [  112.357657] 	intel_ddi_init+0xea/0x540 [i915]
> [  112.357739] 	intel_modeset_init+0x1e51/0x2150 [i915]
> [  112.357806] 	__kms_init_async+0x33/0x50 [i915]
> [  112.357880] 	do_initcall_async+0x6e/0xa0 [i915]
> [  112.357918] 	async_run_entry_fn+0x60/0x230
> [  112.357947] 	process_one_work+0x315/0x6d0
> [  112.357989] 	worker_thread+0x86/0x780
> [  112.358017] 	kthread+0x141/0x160
> [  112.358065] 	ret_from_fork+0x1f/0x40
> [  112.358111] INFO: Freed in 0xfffef6db age=18446717049775278270 cpu=2173493056 pid=-1
> [  112.358212] 	intel_dp_encoder_destroy+0x2e/0xa0 [i915]
> [  112.358242] 	__slab_free+0x17a/0x310
> [  112.358268] 	kfree+0x164/0x170
> [  112.358361] 	intel_dp_encoder_destroy+0x2e/0xa0 [i915]
> [  112.358395] 	drm_mode_config_cleanup+0x63/0x370
> [  112.358481] 	intel_modeset_cleanup+0x65/0x90 [i915]
> [  112.358550] 	i915_driver_unload+0xbf/0x380 [i915]
> [  112.358624] 	i915_pci_remove+0x23/0x30 [i915]
> [  112.358663] 	pci_device_remove+0x5c/0x110
> [  112.358691] 	__device_release_driver+0xd6/0x1e0
> [  112.358734] 	driver_detach+0x112/0x120
> [  112.358761] 	bus_remove_driver+0x93/0x160
> [  112.358803] 	driver_unregister+0x3e/0x70
> [  112.358832] 	pci_unregister_driver+0x24/0xd0
> [  112.358932] 	i915_exit+0x1a/0x88c [i915]
> [  112.358961] 	SyS_delete_module+0x20a/0x250
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> ---
>  drivers/gpu/drm/i915/intel_dp.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
> index be083519dac9..3ffedf472f35 100644
> --- a/drivers/gpu/drm/i915/intel_dp.c
> +++ b/drivers/gpu/drm/i915/intel_dp.c
> @@ -4496,6 +4496,9 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder)
>  			intel_dp->edp_notifier.notifier_call = NULL;
>  		}
>  	}
> +
> +	intel_dp_aux_fini(intel_dp);

Seems to miss the hunk to remove it from intel_dp_connector_unregister?
-Daniel

> +
>  	drm_encoder_cleanup(encoder);
>  	kfree(intel_dig_port);
>  }
> -- 
> 2.8.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx