On Sat, Aug 15, 2015 at 02:56:57PM +1000, Dave Airlie wrote:
> On 11 August 2015 at 17:54, Maarten Lankhorst
> <maarten.lankhorst@xxxxxxxxxxxxxxx> wrote:
> > The port is removed synchronously, but the connector delayed.
> > This causes a use after free which can cause a kernel BUG with
> > slug_debug=FPZU. This is fixed by freeing the port after the
> > connector.
>
> Where is the use after free btw? I'm not sure I like delaying the port
> destruction, there should be no need to.
>
> The connector->port pointer shouldn't be used without validation
> anywhere, and if it is that is a bug.
>
> I'd like to reproduce this before pulling this in.

The remove function needs to look at the connector->port to shut down the
dp mst link. Before your patch that was done _before_ the final kfree on
the port, but with your patch that's now the other way round: First we
synchronously kfree the port, then we call the driver's connector cleanup
function asynchronously. And that is very unhappy that the port is now
gone.

So perfectly ok regression fix imo to restore the ordering we had before
your patch in the cleanup code.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
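The ordering problem Daniel describes, as an added toy model that is not kernel or DRM code and not part of the thread: a port is "freed" synchronously while the connector that points at it is cleaned up later from a deferred work queue, and that cleanup still has to reach through connector->port to shut down the link. All names here (port_get, port_free_work, connector_cleanup_work, the two teardown functions and the work queue) are assumptions made for the illustration. Instead of real kfree(), a pool with an alive flag is used so the stale dereference shows up as a status code rather than as undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not kernel code: a toy model of the ordering bug
 * discussed in the thread. A "port" is torn down synchronously while
 * the "connector" that points at it is cleaned up later from deferred
 * work, and that cleanup still dereferences connector->port. */

#define MAX_PORTS 4
#define MAX_WORK  8

struct port {
    int  id;
    bool alive;        /* stands in for "not yet kfree()d" */
    bool link_active;  /* the MST link that connector cleanup shuts down */
};

struct connector {
    struct port *port;
    int cleanup_status; /* 0 = cleanup saw a live port, -1 = touched a dead one */
};

/* Deferred work queue, standing in for the kernel's async cleanup. */
typedef void (*work_fn)(void *arg);
struct work { work_fn fn; void *arg; };
static struct work work_queue[MAX_WORK];
static int work_count;

static void queue_work(work_fn fn, void *arg)
{
    if (work_count < MAX_WORK) {
        work_queue[work_count].fn = fn;
        work_queue[work_count].arg = arg;
        work_count++;
    }
}

static void flush_work(void)
{
    for (int i = 0; i < work_count; i++)
        work_queue[i].fn(work_queue[i].arg);
    work_count = 0;
}

/* Port pool: "freeing" only clears alive, so a stale dereference is
 * detectable as a status code instead of being undefined behaviour. */
static struct port ports[MAX_PORTS];

static struct port *port_get(int id)
{
    ports[id].id = id;
    ports[id].alive = true;
    ports[id].link_active = true;
    return &ports[id];
}

static void port_free_work(void *arg)
{
    struct port *p = arg;
    p->alive = false;          /* the moment kfree(port) would happen */
}

/* Driver connector cleanup: must shut down the link through the port. */
static void connector_cleanup_work(void *arg)
{
    struct connector *c = arg;
    if (!c->port->alive) {
        c->cleanup_status = -1;  /* real code: use-after-free right here */
        return;
    }
    c->port->link_active = false;
    c->cleanup_status = 0;
}

/* Buggy ordering: port freed synchronously, connector cleanup deferred. */
int teardown_port_then_connector(int id)
{
    struct port *p = port_get(id);
    struct connector c = { .port = p, .cleanup_status = 0 };
    port_free_work(p);                        /* synchronous kfree(port) */
    queue_work(connector_cleanup_work, &c);   /* runs later, port is gone */
    flush_work();
    return c.cleanup_status;
}

/* Restored ordering: free the port only after connector cleanup ran. */
int teardown_connector_then_port(int id)
{
    struct port *p = port_get(id);
    struct connector c = { .port = p, .cleanup_status = 0 };
    queue_work(connector_cleanup_work, &c);   /* shuts down the link first */
    queue_work(port_free_work, p);            /* then the port goes away */
    flush_work();
    return c.cleanup_status;
}

/* Whether the port's link was actually shut down before it was freed. */
bool port_link_was_shut_down(int id)
{
    return !ports[id].link_active;
}
```

With the buggy sequence the deferred cleanup finds a dead port and the link is never shut down; with the restored sequence the cleanup runs first, the link goes down, and only then is the port released. In a real kernel the first case is exactly the pattern slab debugging (poisoning and redzones) is there to catch.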