The drm_dp_aux object is stored on the encoder, and freeing it from the connector causes a use-after-free error since the encoder is destroyed first:

[ 112.356952] ==================================================================
[ 112.357065] BUG: KASAN: use-after-free in intel_dp_connector_destroy+0x68/0xb0 [i915] at addr ffff880386960168
[ 112.357130] Read of size 8 by task rmmod/6293
[ 112.357159] =============================================================================
[ 112.357221] BUG kmalloc-8192 (Tainted: G W E ): kasan: bad access detected
[ 112.357268] -----------------------------------------------------------------------------
[ 112.357268]
[ 112.357333] Disabling lock debugging due to kernel taint
[ 112.357362] INFO: Allocated in 0xffff8803869642a8 age=18446744052234668220 cpu=0 pid=0
[ 112.357472] intel_ddi_init+0xea/0x540 [i915]
[ 112.357502] ___slab_alloc+0x4a3/0x530
[ 112.357529] __slab_alloc+0x4c/0x90
[ 112.357571] kmem_cache_alloc+0x180/0x1c0
[ 112.357657] intel_ddi_init+0xea/0x540 [i915]
[ 112.357739] intel_modeset_init+0x1e51/0x2150 [i915]
[ 112.357806] __kms_init_async+0x33/0x50 [i915]
[ 112.357880] do_initcall_async+0x6e/0xa0 [i915]
[ 112.357918] async_run_entry_fn+0x60/0x230
[ 112.357947] process_one_work+0x315/0x6d0
[ 112.357989] worker_thread+0x86/0x780
[ 112.358017] kthread+0x141/0x160
[ 112.358065] ret_from_fork+0x1f/0x40
[ 112.358111] INFO: Freed in 0xfffef6db age=18446717049775278270 cpu=2173493056 pid=-1
[ 112.358212] intel_dp_encoder_destroy+0x2e/0xa0 [i915]
[ 112.358242] __slab_free+0x17a/0x310
[ 112.358268] kfree+0x164/0x170
[ 112.358361] intel_dp_encoder_destroy+0x2e/0xa0 [i915]
[ 112.358395] drm_mode_config_cleanup+0x63/0x370
[ 112.358481] intel_modeset_cleanup+0x65/0x90 [i915]
[ 112.358550] i915_driver_unload+0xbf/0x380 [i915]
[ 112.358624] i915_pci_remove+0x23/0x30 [i915]
[ 112.358663] pci_device_remove+0x5c/0x110
[ 112.358691] __device_release_driver+0xd6/0x1e0
[ 112.358734] driver_detach+0x112/0x120
[ 112.358761] bus_remove_driver+0x93/0x160
[ 112.358803] driver_unregister+0x3e/0x70
[ 112.358832] pci_unregister_driver+0x24/0xd0
[ 112.358932] i915_exit+0x1a/0x88c [i915]
[ 112.358961] SyS_delete_module+0x20a/0x250

Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
---
drivers/gpu/drm/i915/intel_dp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c index 86b0f7870adf..1f9d2bdc7d59 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c @@ -4460,8 +4460,6 @@ intel_dp_connector_destroy(struct drm_connector *connector) if (!IS_ERR_OR_NULL(intel_connector->edid)) kfree(intel_connector->edid); - intel_dp_aux_fini(intel_attached_dp(connector)); - /* Can't call is_edp() since the encoder may have been destroyed * already. */ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) @@ -4492,6 +4490,9 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder) intel_dp->edp_notifier.notifier_call = NULL; } } + + intel_dp_aux_fini(intel_dp); + drm_encoder_cleanup(encoder); kfree(intel_dig_port); } -- 2.8.1
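Review bot: In the first hunk (intel_dp_connector_destroy), the comment kept just below the removed call says the encoder "may have been destroyed already", while the commit message says the encoder is destroyed first. If any path destroys the connector without also reaching intel_dp_encoder_destroy(), the aux object is no longer finalized on that path after this removal. Please state in the commit message that every path which runs the connector destroy also runs the encoder destroy, or say which ones do not.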
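Review bot: In the second hunk (intel_dp_encoder_destroy), the new intel_dp_aux_fini(intel_dp) call is unconditional and sits outside the preceding conditional block, so it runs for every encoder that reaches this function. Please confirm intel_dp_aux_fini() is safe when the aux object was never initialized (for example if encoder setup failed part-way), or guard the call. A short comment above it noting that the aux object lives on the encoder, and so must be finalized here before kfree(intel_dig_port), would keep the ordering from being moved back later.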