Commit 2e014d79 authored by Maarten Lankhorst's avatar Maarten Lankhorst Committed by Kamal Mostafa

drm/dp/mst: Remove port after removing connector.

commit 4772ff03 upstream.

The port is removed synchronously, but the connector delayed.
This causes a use after free which can cause a kernel BUG with
slug_debug=FPZU. This is fixed by freeing the port after the
connector.

This fixes a regression introduced with
6b8eeca6
"drm/dp/mst: close deadlock in connector destruction."

Cc: Dave Airlie <airlied@redhat.com>
Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent 319f5fe0
...@@ -869,9 +869,10 @@ static void drm_dp_destroy_port(struct kref *kref) ...@@ -869,9 +869,10 @@ static void drm_dp_destroy_port(struct kref *kref)
from an EDID retrieval */ from an EDID retrieval */
if (port->connector) { if (port->connector) {
mutex_lock(&mgr->destroy_connector_lock); mutex_lock(&mgr->destroy_connector_lock);
list_add(&port->connector->destroy_list, &mgr->destroy_connector_list); list_add(&port->next, &mgr->destroy_connector_list);
mutex_unlock(&mgr->destroy_connector_lock); mutex_unlock(&mgr->destroy_connector_lock);
schedule_work(&mgr->destroy_connector_work); schedule_work(&mgr->destroy_connector_work);
return;
} }
drm_dp_port_teardown_pdt(port, port->pdt); drm_dp_port_teardown_pdt(port, port->pdt);
...@@ -2641,7 +2642,7 @@ static void drm_dp_tx_work(struct work_struct *work) ...@@ -2641,7 +2642,7 @@ static void drm_dp_tx_work(struct work_struct *work)
static void drm_dp_destroy_connector_work(struct work_struct *work) static void drm_dp_destroy_connector_work(struct work_struct *work)
{ {
struct drm_dp_mst_topology_mgr *mgr = container_of(work, struct drm_dp_mst_topology_mgr, destroy_connector_work); struct drm_dp_mst_topology_mgr *mgr = container_of(work, struct drm_dp_mst_topology_mgr, destroy_connector_work);
struct drm_connector *connector; struct drm_dp_mst_port *port;
/* /*
* Not a regular list traverse as we have to drop the destroy * Not a regular list traverse as we have to drop the destroy
...@@ -2650,15 +2651,21 @@ static void drm_dp_destroy_connector_work(struct work_struct *work) ...@@ -2650,15 +2651,21 @@ static void drm_dp_destroy_connector_work(struct work_struct *work)
*/ */
for (;;) { for (;;) {
mutex_lock(&mgr->destroy_connector_lock); mutex_lock(&mgr->destroy_connector_lock);
connector = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_connector, destroy_list); port = list_first_entry_or_null(&mgr->destroy_connector_list, struct drm_dp_mst_port, next);
if (!connector) { if (!port) {
mutex_unlock(&mgr->destroy_connector_lock); mutex_unlock(&mgr->destroy_connector_lock);
break; break;
} }
list_del(&connector->destroy_list); list_del(&port->next);
mutex_unlock(&mgr->destroy_connector_lock); mutex_unlock(&mgr->destroy_connector_lock);
mgr->cbs->destroy_connector(mgr, connector); mgr->cbs->destroy_connector(mgr, port->connector);
drm_dp_port_teardown_pdt(port, port->pdt);
if (!port->input && port->vcpi.vcpi > 0)
drm_dp_mst_put_payload_id(mgr, port->vcpi.vcpi);
kfree(port);
} }
} }
......
...@@ -689,8 +689,6 @@ struct drm_connector { ...@@ -689,8 +689,6 @@ struct drm_connector {
uint8_t num_h_tile, num_v_tile; uint8_t num_h_tile, num_v_tile;
uint8_t tile_h_loc, tile_v_loc; uint8_t tile_h_loc, tile_v_loc;
uint16_t tile_h_size, tile_v_size; uint16_t tile_h_size, tile_v_size;
struct list_head destroy_list;
}; };
/** /**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment