Skip to content

Commit

Permalink
drm/dp/mst: Remove port after removing connector.
Browse files Browse the repository at this point in the history 
The port is removed synchronously, but the connector delayed.
This causes a use after free which can cause a kernel BUG with
slug_debug=FPZU. This is fixed by freeing the port after the
connector.

This fixes a regression introduced with
6b8eeca
"drm/dp/mst: close deadlock in connector destruction."

Cc: stable@vger.kernel.org
Cc: Dave Airlie <airlied@redhat.com>
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
  • Loading branch information
Maarten Lankhorst authored and Jani Nikula committed Aug 11, 2015
1 parent 5677d67 commit 4772ff0
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 8 deletions.
19 changes: 13 additions & 6 deletions drivers/gpu/drm/drm_dp_mst_topology.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -873,9 +873,10 @@ static void drm_dp_destroy_port(struct kref *kref)
from an EDID retrieval */
if (port->connector) {
mutex_lock(&mgr->destroy_connector_lock);
list_add(&port->connector->destroy_list, &mgr->destroy_connector_list);
list_add(&port->next, &mgr->destroy_connector_list);
mutex_unlock(&mgr->destroy_connector_lock);
schedule_work(&mgr->destroy_connector_work);
return;
}
drm_dp_port_teardown_pdt(port, port->pdt);

Expand Down Expand Up @@ -2660,7 +2661,7 @@ static void drm_dp_tx_work(struct work_struct *work)
static void drm_dp_destroy_connector_work(struct work_struct *work)
{
struct drm_dp_mst_topology_mgr *mgr = container_of(work, struct drm_dp_mst_topology_mgr, destroy_connector_work);
struct drm_connector *connector;
struct drm_dp_mst_port *port;

/*
* Not a regular list traverse as we have to drop the destroy
Expand All @@ -2669,15 +2670,21 @@ static void drm_dp_destroy_connector_work(struct work_struct *work)
*/
for (;;) {
mutex_lock(&mgr->destroy_connector_lock);
connector = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_connector, destroy_list);
if (!connector) {
port = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_dp_mst_port, next);
if (!port) {
mutex_unlock(&mgr->destroy_connector_lock);
break;
}
list_del(&connector->destroy_list);
list_del(&port->next);
mutex_unlock(&mgr->destroy_connector_lock);

mgr->cbs->destroy_connector(mgr, connector);
mgr->cbs->destroy_connector(mgr, port->connector);

drm_dp_port_teardown_pdt(port, port->pdt);

if (!port->input && port->vcpi.vcpi > 0)
drm_dp_mst_put_payload_id(mgr, port->vcpi.vcpi);
kfree(port);
}
}

Expand Down
2 changes: 0 additions & 2 deletions include/drm/drm_crtc.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -743,8 +743,6 @@ struct drm_connector {
uint8_t num_h_tile, num_v_tile;
uint8_t tile_h_loc, tile_v_loc;
uint16_t tile_h_size, tile_v_size;

struct list_head destroy_list;
};

/**
Expand Down

0 comments on commit 4772ff0

Please sign in to comment.