Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1529143imu; Thu, 13 Dec 2018 17:28:48 -0800 (PST) X-Google-Smtp-Source: AFSGD/XCF9n1LkhlR3pqvmiwpvDpcYzUhrrn6x6MvaLXJzqLc5N5IbAlU9Y8Iz5WcknTceLH9Wyu X-Received: by 2002:a62:5182:: with SMTP id f124mr991537pfb.238.1544750928756; Thu, 13 Dec 2018 17:28:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544750928; cv=none; d=google.com; s=arc-20160816; b=shNiuNYjlT7VHmG4nl0/uhr++AvRJ9BjF9Xo8Q/L8FVPdVJQaLQxh70VQfm56I82Oa qHHRsvz5XsXwaAradYKne6//FCWp+PO8ieOeXJU1svir7XDAKUFDLZIMPn1bNskrOa0q 8nZFWX7JB5Uk7nhM7tzKuhN1LBzqHxUODuiWzvD8bvy886gx7sGoRY8nRIzfdLh2h6ZW bpBkGg4tgRSSX+OL8evDgTqsbQTqMgh8tij2HMtz7acvOWHoF2uRzddqfk1fpJNhuyQ+ CA+NzFoRzOTR4wUOajWGdaFDtqB9zgOFf4xOgwK8PLYwM7CE1xILuZli4AMZ4s+dSryS 3U5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=7wR9gDmgBpGkhDJEPnekxIHg/GRD26TbFmsYjUa0p38=; b=XYlHDXGke6I4vKfF+ZKgpWzERCLn9PWscM31zk2Ju1TOdHf4OrBu6KoLwePXsLVhEv qY043x2A1iDccPbCibJ4XTcV+MxZzezJazZ8Z7DHS1wwB12dfVA4695m8EruwXh/yh8p +ehTTMFESJlAaaOOwu8DZpgBOLZkKbZlKnmIjqqxSeJfm1a5i0SJEvEwu/65SyTG5Yx+ KTICCPFOwKm7TmjYUQsBgYrveqXcDWX+qfBs8IiZB3vw+0FQNe+OYkz8TmIdrsSenQZq rfzJzeZBAwHgdImxmhvAukywblMzsdjwaWnB3oN5zHOmMTwt6eajijJ9RKAXLJvlYvCt t8Ow== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u5si2751071pgi.146.2018.12.13.17.28.33; Thu, 13 Dec 2018 17:28:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729554AbeLNB1C (ORCPT + 99 others); Thu, 13 Dec 2018 20:27:02 -0500 Received: from mx1.redhat.com ([209.132.183.28]:60990 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729014AbeLNB1A (ORCPT ); Thu, 13 Dec 2018 20:27:00 -0500 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6D259307D922; Fri, 14 Dec 2018 01:27:00 +0000 (UTC) Received: from malachite.bss.redhat.com (dhcp-10-20-1-11.bss.redhat.com [10.20.1.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id 45A6B6012B; Fri, 14 Dec 2018 01:26:53 +0000 (UTC) From: Lyude Paul To: dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, amd-gfx@lists.freedesktop.org Cc: Daniel Vetter , Dave Airlie , Harry Wentland , Jerry Zuo , Ben Skeggs , David Airlie , Sean Paul , Karol Herbst , Ilia Mirkin , linux-kernel@vger.kernel.org Subject: [WIP PATCH 09/15] drm/nouveau: Fix potential use-after-frees for MSTCs Date: Thu, 13 Dec 2018 20:25:38 -0500 Message-Id: <20181214012604.13746-10-lyude@redhat.com> In-Reply-To: <20181214012604.13746-1-lyude@redhat.com> References: <20181214012604.13746-1-lyude@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Fri, 14 Dec 2018 01:27:00 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Now that we finally have a sane way to keep port allocations around, use it to fix the potential unchecked ->port accesses that nouveau makes by making sure we keep the mst port allocated for as long as it's drm_connector is accessible. Additionally, now that we've guaranteed that mstc->port is allocated for as long as we keep mstc around we can remove the connector registration checks for codepaths which release payloads, allowing us to release payloads on active topologies properly. These registration checks were only required before in order to avoid situations where mstc->port could technically be pointing at freed memory. Signed-off-by: Lyude Paul --- drivers/gpu/drm/nouveau/dispnv50/disp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c index 0f7d72518604..982054bbcc8b 100644 --- a/drivers/gpu/drm/nouveau/dispnv50/disp.c +++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c @@ -964,7 +964,11 @@ static void nv50_mstc_destroy(struct drm_connector *connector) { struct nv50_mstc *mstc = nv50_mstc(connector); + drm_connector_cleanup(&mstc->connector); + if (mstc->port) + drm_dp_mst_put_port_malloc(mstc->port); + kfree(mstc); } @@ -1012,6 +1016,7 @@ nv50_mstc_new(struct nv50_mstm *mstm, struct drm_dp_mst_port *port, drm_object_attach_property(&mstc->connector.base, dev->mode_config.path_property, 0); drm_object_attach_property(&mstc->connector.base, dev->mode_config.tile_property, 0); drm_connector_set_path_property(&mstc->connector, path); + drm_dp_mst_get_port_malloc(port); return 0; } @@ -1077,6 +1082,7 @@ nv50_mstm_destroy_connector(struct drm_dp_mst_topology_mgr *mgr, drm_fb_helper_remove_one_connector(&drm->fbcon->helper, &mstc->connector); drm_modeset_lock(&drm->dev->mode_config.connection_mutex, NULL); + drm_dp_mst_put_port_malloc(mstc->port); mstc->port = NULL; drm_modeset_unlock(&drm->dev->mode_config.connection_mutex); -- 2.19.2