On Wed, Apr 28, 2021 at 11:52:49PM +0200, Hans de Goede wrote: > Userspace could hold open a reference to the connector->kdev device, > through e.g. holding a sysfs-atrtribute open after > drm_sysfs_connector_remove() has been called. In this case the connector > could be free-ed while the connector->kdev device's drvdata is still > pointing to it. > > Give drm_connector devices there own device type, which allows > us to specify our own release function and make drm_sysfs_connector_add() > take a reference on the connector object, and have the new release > function put the reference when the device is released. > > Giving drm_connector devices there own device type, will also allow > checking if a device is a drm_connector device with a > "if (device->type == &drm_sysfs_device_connector)" check. > > Note that the setting of the name member of the device_type struct will > cause udev events for drm_connector-s to now contain DEVTYPE=drm_connector > as extra info. So this extends the uevent part of the userspace API. > > Signed-off-by: Hans de Goede <hdegoede@xxxxxxxxxx> Are you sure? I thought sysfs is supposed to flush out any pending operations (they complete fast) and handle open fd internally? Also I'd assume this creates a loop since the connector holds a reference on the kdev? -Daniel > --- > drivers/gpu/drm/drm_sysfs.c | 54 +++++++++++++++++++++++++++++++------ > 1 file changed, 46 insertions(+), 8 deletions(-) > > diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c > index f0336c804639..c344c6d5e738 100644 > --- a/drivers/gpu/drm/drm_sysfs.c > +++ b/drivers/gpu/drm/drm_sysfs.c > @@ -50,6 +50,10 @@ static struct device_type drm_sysfs_device_minor = { > .name = "drm_minor" > }; > > +static struct device_type drm_sysfs_device_connector = { > + .name = "drm_connector", > +}; > + > struct class *drm_class; > > static char *drm_devnode(struct device *dev, umode_t *mode) > @@ -271,30 +275,64 @@ static const struct attribute_group *connector_dev_groups[] = { > NULL > }; > > +static void drm_sysfs_connector_release(struct device *dev) > +{ > + struct drm_connector *connector = to_drm_connector(dev); > + > + drm_connector_put(connector); > + kfree(dev); > +} > + > int drm_sysfs_connector_add(struct drm_connector *connector) > { > struct drm_device *dev = connector->dev; > + struct device *kdev; > + int r; > > if (connector->kdev) > return 0; > > - connector->kdev = > - device_create_with_groups(drm_class, dev->primary->kdev, 0, > - connector, connector_dev_groups, > - "card%d-%s", dev->primary->index, > - connector->name); > + kdev = kzalloc(sizeof(*kdev), GFP_KERNEL); > + if (!kdev) > + return -ENOMEM; > + > + device_initialize(kdev); > + kdev->class = drm_class; > + kdev->type = &drm_sysfs_device_connector; > + kdev->parent = dev->primary->kdev; > + kdev->groups = connector_dev_groups; > + kdev->release = drm_sysfs_connector_release; > + dev_set_drvdata(kdev, connector); > + > + r = dev_set_name(kdev, "card%d-%s", dev->primary->index, connector->name); > + if (r) > + goto err_free; > + > DRM_DEBUG("adding \"%s\" to sysfs\n", > connector->name); > > - if (IS_ERR(connector->kdev)) { > - DRM_ERROR("failed to register connector device: %ld\n", PTR_ERR(connector->kdev)); > - return PTR_ERR(connector->kdev); > + r = device_add(kdev); > + if (r) { > + DRM_ERROR("failed to register connector device: %d\n", r); > + goto err_free; > } > > + /* > + * Ensure the connector object does not get free-ed if userspace still has > + * references open to the device through e.g. the connector sysfs-attributes. > + */ > + drm_connector_get(connector); > + > + connector->kdev = kdev; > + > if (connector->ddc) > return sysfs_create_link(&connector->kdev->kobj, > &connector->ddc->dev.kobj, "ddc"); > return 0; > + > +err_free: > + put_device(kdev); > + return r; > } > > void drm_sysfs_connector_remove(struct drm_connector *connector) > -- > 2.31.1 > -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch