From: Lyude Paul <lyude@redhat.com>
To: dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org, amd-gfx@lists.freedesktop.org
Cc: Daniel Vetter <daniel@ffwll.ch>, Dave Airlie <airlied@gmail.com>,
Harry Wentland <harry.wentland@amd.com>,
Jerry Zuo <Jerry.Zuo@amd.com>, Ben Skeggs <bskeggs@redhat.com>,
David Airlie <airlied@linux.ie>,
Sean Paul <seanpaul@chromium.org>,
Karol Herbst <karolherbst@gmail.com>,
Ilia Mirkin <imirkin@alum.mit.edu>,
linux-kernel@vger.kernel.org
Subject: [WIP PATCH 09/15] drm/nouveau: Fix potential use-after-frees for MSTCs
Date: Thu, 13 Dec 2018 20:25:38 -0500 [thread overview]
Message-ID: <20181214012604.13746-10-lyude@redhat.com> (raw)
In-Reply-To: <20181214012604.13746-1-lyude@redhat.com>
Now that we finally have a sane way to keep port allocations around, use
it to fix the potential unchecked ->port accesses that nouveau makes by
making sure we keep the mst port allocated for as long as it's
drm_connector is accessible.
Additionally, now that we've guaranteed that mstc->port is allocated for
as long as we keep mstc around we can remove the connector registration
checks for codepaths which release payloads, allowing us to release
payloads on active topologies properly. These registration checks were
only required before in order to avoid situations where mstc->port could
technically be pointing at freed memory.
Signed-off-by: Lyude Paul <lyude@redhat.com>
---
drivers/gpu/drm/nouveau/dispnv50/disp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
index 0f7d72518604..982054bbcc8b 100644
--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
@@ -964,7 +964,11 @@ static void
nv50_mstc_destroy(struct drm_connector *connector)
{
struct nv50_mstc *mstc = nv50_mstc(connector);
+
drm_connector_cleanup(&mstc->connector);
+ if (mstc->port)
+ drm_dp_mst_put_port_malloc(mstc->port);
+
kfree(mstc);
}
@@ -1012,6 +1016,7 @@ nv50_mstc_new(struct nv50_mstm *mstm, struct drm_dp_mst_port *port,
drm_object_attach_property(&mstc->connector.base, dev->mode_config.path_property, 0);
drm_object_attach_property(&mstc->connector.base, dev->mode_config.tile_property, 0);
drm_connector_set_path_property(&mstc->connector, path);
+ drm_dp_mst_get_port_malloc(port);
return 0;
}
@@ -1077,6 +1082,7 @@ nv50_mstm_destroy_connector(struct drm_dp_mst_topology_mgr *mgr,
drm_fb_helper_remove_one_connector(&drm->fbcon->helper, &mstc->connector);
drm_modeset_lock(&drm->dev->mode_config.connection_mutex, NULL);
+ drm_dp_mst_put_port_malloc(mstc->port);
mstc->port = NULL;
drm_modeset_unlock(&drm->dev->mode_config.connection_mutex);
--
2.19.2
next prev parent reply other threads:[~2018-12-14 1:27 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-14 1:25 [WIP PATCH 00/15] MST refcounting/atomic helpers cleanup Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 01/15] drm/dp_mst: Remove bogus conditional in drm_dp_update_payload_part1() Lyude Paul
2018-12-14 8:42 ` Daniel Vetter
2018-12-17 20:09 ` Wentland, Harry
2018-12-14 1:25 ` [WIP PATCH 02/15] drm/dp_mst: Refactor drm_dp_update_payload_part1() Lyude Paul
2018-12-14 8:47 ` Daniel Vetter
2018-12-17 20:27 ` Wentland, Harry
2018-12-14 1:25 ` [WIP PATCH 03/15] drm/dp_mst: Introduce new refcounting scheme for mstbs and ports Lyude Paul
2018-12-14 9:29 ` Daniel Vetter
2018-12-18 21:27 ` Lyude Paul
2018-12-19 12:48 ` Daniel Vetter
2018-12-19 18:36 ` Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 04/15] drm/dp_mst: Stop releasing VCPI when removing ports from topology Lyude Paul
2018-12-14 9:40 ` Daniel Vetter
2018-12-14 1:25 ` [WIP PATCH 05/15] drm/dp_mst: Fix payload deallocation on hotplugs using malloc refs Lyude Paul
2018-12-14 9:38 ` Daniel Vetter
2018-12-18 22:02 ` Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 06/15] drm/i915: Keep malloc references to MST ports Lyude Paul
2018-12-14 9:32 ` Daniel Vetter
2018-12-18 21:52 ` Lyude Paul
2018-12-19 13:20 ` Daniel Vetter
2018-12-14 1:25 ` [WIP PATCH 07/15] drm/nouveau: Remove bogus cleanup in nv50_mstm_add_connector() Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 08/15] drm/nouveau: Remove unnecessary VCPI checks in nv50_msto_cleanup() Lyude Paul
2018-12-14 1:25 ` Lyude Paul [this message]
2018-12-14 1:25 ` [WIP PATCH 10/15] drm/nouveau: Stop unsetting mstc->port, use malloc refs Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 11/15] drm/nouveau: Grab payload lock in nv50_msto_payload() Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 12/15] drm/dp_mst: Add some atomic state iterator macros Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 13/15] drm/dp_mst: Start tracking per-port VCPI allocations Lyude Paul
2018-12-14 16:37 ` Daniel Vetter
2018-12-14 1:25 ` [WIP PATCH 14/15] drm/dp_mst: Check payload count in drm_dp_mst_atomic_check() Lyude Paul
2018-12-14 1:25 ` [WIP PATCH 15/15] drm/nouveau: Use atomic VCPI helpers for MST Lyude Paul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181214012604.13746-10-lyude@redhat.com \
--to=lyude@redhat.com \
--cc=Jerry.Zuo@amd.com \
--cc=airlied@gmail.com \
--cc=airlied@linux.ie \
--cc=amd-gfx@lists.freedesktop.org \
--cc=bskeggs@redhat.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=imirkin@alum.mit.edu \
--cc=intel-gfx@lists.freedesktop.org \
--cc=karolherbst@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nouveau@lists.freedesktop.org \
--cc=seanpaul@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).