Message-ID: <9a740a3b-30b6-05ab-e133-9b37186ba0db@quicinc.com>
Date: Mon, 12 Sep 2022 10:11:32 -0700
Subject: Re: [PATCH 0/7] drm/msm: probe deferral fixes
From: Abhinav Kumar
To: Johan Hovold, Douglas Anderson, Dmitry Baryshkov, Rob Clark
CC: Andrzej Hajda, Neil Armstrong, Robert Foss, Laurent Pinchart, Jonas Karlman, Jernej Skrabec, David Airlie, Daniel Vetter, Sean Paul, Stephen Boyd, Bjorn Andersson, Manivannan Sadhasivam, Kuogee Hsieh
References: <20220912154046.12900-1-johan+linaro@kernel.org>
In-Reply-To: <20220912154046.12900-1-johan+linaro@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Adding kuogee to this series

Hi Johan

Thanks for posting this.

We will take a look at this, re-validate and give our reviews/tested-bys.

Thanks

Abhinav

On 9/12/2022 8:40 AM, Johan Hovold wrote:
> The MSM DRM is currently broken in multiple ways with respect to probe
> deferral. Not only does the driver currently fail to probe again after a
> late deferral, but due to a related use-after-free bug this also
> triggers NULL-pointer dereferences.
>
> These bugs are not new but have become critical with the release of
> 5.19 where probe is deferred in case the aux-bus EP panel driver has not
> yet been loaded.
>
> The underlying problem is lifetime issues due to careless use of
> device-managed resources.
>
> Specifically, device-managed resources allocated post component bind
> must be tied to the lifetime of the aggregate DRM device or they will
> not necessarily be released when binding of the aggregate device is
> deferred.
>
> The following call chain and pseudo code serves as an illustration of
> the problem:
>
>   - platform_probe(pdev1)
>     - dp_display_probe()
>       - component_add()
>
>   - platform_probe(pdev2)                          // last component
>     - dp_display_probe()                           // d0
>       - component_add()
>         - try_to_bring_up_aggregate_device()
>           - devres_open_group(adev->parent)        // d1
>
>           - msm_drm_bind()
>             - msm_drm_init()
>               - component_bind_all()
>                 - for_each_component()
>                   - component_bind()
>                     - devres_open_group(&pdev->dev)    // d2
>                     - dp_display_bind()
>                       - devm_kzalloc(&pdev->dev)       // a1, OK
>                     - devres_close_group(&pdev->dev)   // d3
>
>               - dpu_kms_hw_init()
>                 - for_each_panel()
>                   - msm_dp_modeset_init()
>                     - dp_display_request_irq()
>                       - devm_request_irq(&pdev->dev)   // a2, BUG
>                     - if (pdev == pdev2 && condition)
>                       - return -EPROBE_DEFER;
>
>               - if (error)
>                 - component_unbind_all()
>                   - for_each_component()
>                     - component_unbind()
>                       - dp_display_unbind()
>                       - devres_release_group(&pdev->dev)   // d4, only a1 is freed
>
>           - if (error)
>             - devres_release_group(adev->parent)   // d5
>
> The device-managed allocation a2 is buggy as its lifetime is tied to the
> component platform device and will not be released when the aggregate
> device bind fails (e.g. due to a probe deferral).
>
> When pdev2 is later probed again, the attempt to allocate the IRQ a
> second time will fail for pdev1 (which is still bound to its platform
> driver).
>
> This series fixes the lifetime issues by tying the lifetime of a2 (and
> similar allocations) to the lifetime of the aggregate device so that a2
> is released at d5.
>
> In some cases, such as for the DP IRQ, the above situation can also be
> avoided by moving the allocation in question to the platform driver
> probe (d0) or component bind (between d2 and d3). But as doing so is not
> a general fix, this can be done later as a cleanup/optimisation.
>
> Johan
>
>
> Johan Hovold (7):
>    drm/msm: fix use-after-free on probe deferral
>    drm/msm: fix memory corruption with too many bridges
>    drm/msm/dp: fix IRQ lifetime
>    drm/msm/dp: fix aux-bus EP lifetime
>    drm/msm/dp: fix bridge lifetime
>    drm/msm/hdmi: fix IRQ lifetime
>    drm/msm: drop modeset sanity checks
>
>   drivers/gpu/drm/bridge/parade-ps8640.c   |  2 +-
>   drivers/gpu/drm/display/drm_dp_aux_bus.c |  5 +++--
>   drivers/gpu/drm/msm/dp/dp_display.c      | 16 +++++++++-------
>   drivers/gpu/drm/msm/dp/dp_parser.c       |  6 +++---
>   drivers/gpu/drm/msm/dp/dp_parser.h       |  5 +++--
>   drivers/gpu/drm/msm/dsi/dsi.c            |  9 +++++----
>   drivers/gpu/drm/msm/hdmi/hdmi.c          |  7 ++++++-
>   drivers/gpu/drm/msm/msm_drv.c            |  1 +
>   include/drm/display/drm_dp_aux_bus.h     |  6 +++---
>   9 files changed, 34 insertions(+), 23 deletions(-)
>
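
Added example (not part of the original mail and not code from the msm driver): a userspace C model of the lifetime problem described in the quoted cover letter, showing why the re-probe fails when a2 is owned by the component device and succeeds when it is owned by the aggregate device. The struct dev, the model_* helpers and the IRQ numbers are hypothetical; only the a2/d5 labels and -EPROBE_DEFER are taken from the mail.

```c
/* Userspace model of devres lifetimes; constructed for illustration, not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EPROBE_DEFER 517                 /* kernel-internal errno value */
struct dev { int irqs[4]; int n; };      /* a device and its devres list */
static int irq_busy[4];                  /* 1 while an IRQ line is requested */

/* Like devm_request_irq(): freed only when owner's devres are released. */
static int model_devm_request_irq(struct dev *owner, int irq) {
    if (irq_busy[irq])
        return -EBUSY;
    irq_busy[irq] = 1;
    owner->irqs[owner->n++] = irq;
    return 0;
}

static void model_devres_release(struct dev *d) {
    while (d->n)
        irq_busy[d->irqs[--d->n]] = 0;
}

/* Aggregate bind: a2 is owned by the component (bug) or the aggregate (fix). */
static int model_bind(struct dev *adev, struct dev **pdev, int fix, int defer) {
    int ret = 0;
    for (int i = 0; i < 2 && !ret; i++) {
        ret = model_devm_request_irq(fix ? adev : pdev[i], i + 1);  /* a2 */
        if (!ret && i == 1 && defer)
            ret = -EPROBE_DEFER;         /* pdev == pdev2 && condition */
    }
    if (ret)
        model_devres_release(adev);      /* d5 */
    return ret;
}

/* First bind defers; pdev2's failed probe drops its devres, pdev1 stays bound. */
int rebind_result(int fix) {
    struct dev adev = {0}, p1 = {0}, p2 = {0}, *pdev[2] = {&p1, &p2};
    memset(irq_busy, 0, sizeof(irq_busy));
    if (model_bind(&adev, pdev, fix, 1) == -EPROBE_DEFER)
        model_devres_release(&p2);
    return model_bind(&adev, pdev, fix, 0);  /* the re-probe */
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", rebind_result(0), rebind_result(1));
    return 0;
}
```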