Hi,
On 4/29/21 1:40 PM, Daniel Vetter wrote:
On Wed, Apr 28, 2021 at 11:52:49PM +0200, Hans de Goede wrote:
Userspace could hold open a reference to the connector->kdev device, through e.g. holding a sysfs-attribute open after drm_sysfs_connector_remove() has been called. In this case the connector could be free-ed while the connector->kdev device's drvdata is still pointing to it.
Give drm_connector devices their own device type, which allows us to specify our own release function and make drm_sysfs_connector_add() take a reference on the connector object, and have the new release function put the reference when the device is released.
Giving drm_connector devices their own device type will also allow checking if a device is a drm_connector device with a "if (device->type == &drm_sysfs_device_connector)" check.
Note that the setting of the name member of the device_type struct will cause udev events for drm_connector-s to now contain DEVTYPE=drm_connector as extra info. So this extends the uevent part of the userspace API.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Are you sure? I thought sysfs is supposed to flush out any pending operations (they complete fast) and handle open fd internally?
So I did some digging in fs/kernfs and it looks like you are right, once the file has been removed from sysfs any accesses through an open fd will fail with -ENODEV, interesting, I did not know this.
We still need this change though to make sure that the "drm/connector: Add drm_connector_find_by_fwnode() function" does not end up following a dangling drvdata pointer from one of the drm_connector kdev-s.
The class_dev_iter_init() in drm_connector_find_by_fwnode() gets a reference on all devices and between getting that reference and it calling drm_connector_get() - drm_connector_unregister() may run and drop the possibly last reference to the drm_connector object, freeing it and leaving the kdev's drvdata as a dangling pointer.
But I obviously need to rewrite the commit message of this commit as it currently is completely wrong.
Maybe I should even squash this into the commit adding drm_connector_find_by_fwnode()?
Not sure about that though, I personally think this is best kept as a new preparation patch but with a new commit msg.
Also I'd assume this creates a loop since the connector holds a reference on the kdev?
So I was wondering the same thing when working on this code and I checked. The reference on the kdev is dropped from: drm_connector_unregister() -> drm_sysfs_connector_remove() and then happens independent of the reference count on the connector-drm-obj dropping to 0.
So what this change does is it keeps a reference to the drm_connector obj as long as someone is keeping a reference to the connector->kdev device around after drm_connector_unregister() but as soon as that kdev device ref is dropped, so will the drm_connector's obj reference.
I also tested this using a dock with DP MST, which dynamically adds/removes connectors on plug-in / plug-out of the dock-cable and I added a printk to the new drm_sysfs_connector_release() this adds and that printk triggered pretty much immediately on unplug as expected, releasing the extra drm_connector obj as soon as drm_connector_unregister() got called.
Regards,
Hans
-Daniel
 drivers/gpu/drm/drm_sysfs.c | 54 +++++++++++++++++++++++++++++++------
 1 file changed, 46 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/drm_sysfs.c b/drivers/gpu/drm/drm_sysfs.c index f0336c804639..c344c6d5e738 100644 --- a/drivers/gpu/drm/drm_sysfs.c +++ b/drivers/gpu/drm/drm_sysfs.c @@ -50,6 +50,10 @@ static struct device_type drm_sysfs_device_minor = { .name = "drm_minor" };
+static struct device_type drm_sysfs_device_connector = {
- .name = "drm_connector",
+};
struct class *drm_class;
static char *drm_devnode(struct device *dev, umode_t *mode) @@ -271,30 +275,64 @@ static const struct attribute_group *connector_dev_groups[] = { NULL };
+static void drm_sysfs_connector_release(struct device *dev) +{
- struct drm_connector *connector = to_drm_connector(dev);
- drm_connector_put(connector);
- kfree(dev);
+}
int drm_sysfs_connector_add(struct drm_connector *connector) { struct drm_device *dev = connector->dev;
struct device *kdev;
int r;
if (connector->kdev) return 0;
- connector->kdev =
device_create_with_groups(drm_class, dev->primary->kdev, 0,
connector, connector_dev_groups,
"card%d-%s", dev->primary->index,
connector->name);
- kdev = kzalloc(sizeof(*kdev), GFP_KERNEL);
- if (!kdev)
return -ENOMEM;
- device_initialize(kdev);
- kdev->class = drm_class;
- kdev->type = &drm_sysfs_device_connector;
- kdev->parent = dev->primary->kdev;
- kdev->groups = connector_dev_groups;
- kdev->release = drm_sysfs_connector_release;
- dev_set_drvdata(kdev, connector);
- r = dev_set_name(kdev, "card%d-%s", dev->primary->index, connector->name);
- if (r)
goto err_free;
- DRM_DEBUG("adding "%s" to sysfs\n", connector->name);
- if (IS_ERR(connector->kdev)) {
DRM_ERROR("failed to register connector device: %ld\n", PTR_ERR(connector->kdev));
return PTR_ERR(connector->kdev);
r = device_add(kdev);
if (r) {
DRM_ERROR("failed to register connector device: %d\n", r);
goto err_free;
}
/*
* Ensure the connector object does not get free-ed if userspace still has
* references open to the device through e.g. the connector sysfs-attributes.
*/
drm_connector_get(connector);
connector->kdev = kdev;
if (connector->ddc) return sysfs_create_link(&connector->kdev->kobj, &connector->ddc->dev.kobj, "ddc"); return 0;
+err_free:
- put_device(kdev);
- return r;
}
void drm_sysfs_connector_remove(struct drm_connector *connector)
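Review bot: The err_free path in drm_sysfs_connector_add() drops a connector reference that was never taken. kdev->release is set to drm_sysfs_connector_release before dev_set_name() and device_add(), so when either fails, put_device(kdev) runs the release callback and with it drm_connector_put(connector), while drm_connector_get(connector) is only called after device_add() has succeeded. Suggest moving drm_connector_get(connector) up next to dev_set_drvdata(kdev, connector), ahead of the first "goto err_free", so that every run of the release callback is paired with a get. The comment above drm_connector_get() also still gives the open sysfs-attribute rationale that the reply above found does not hold, so it should be reworded together with the commit message.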
2.31.1
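The ordering discussed in the reply above (the iterator holds a kdev reference while drm_connector_unregister() drops the last connector reference), replayed as a small userspace model. This is an added example, not code from the patch or the kernel; the model_* structs, the pin flag and lookup_race() are hypothetical names, and "freed" is a flag rather than a real free.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model; these structs only mimic the kernel objects. */
struct model_connector { int refs; bool freed; };
struct model_kdev { int refs; bool pin; struct model_connector *drvdata; };

static void connector_put(struct model_connector *c)
{
	if (--c->refs == 0)
		c->freed = true;	/* stands in for the real free */
}

static void kdev_put(struct model_kdev *d)
{
	if (--d->refs == 0 && d->pin)
		connector_put(d->drvdata);	/* the patch's release callback */
}

/*
 * Replays the ordering from the thread. Returns true when drvdata points at
 * a freed connector while the iterator still holds its kdev reference.
 */
static bool lookup_race(bool pin, bool *freed_at_end)
{
	struct model_connector c = { .refs = 1, .freed = false };
	struct model_kdev d = { .refs = 1, .pin = pin, .drvdata = &c };
	bool dangling;

	if (pin)
		c.refs++;	/* drm_connector_get() in drm_sysfs_connector_add() */
	d.refs++;		/* class_dev_iter takes a kdev reference */
	kdev_put(&d);		/* drm_connector_unregister() drops the kdev */
	connector_put(&c);	/* ...and the last connector reference goes */
	dangling = c.freed;	/* what the lookup would dereference */
	kdev_put(&d);		/* iterator lets go of the kdev */
	*freed_at_end = c.freed;	/* true means no reference loop */
	return dangling;
}

int main(void)
{
	bool end, dangling;

	dangling = lookup_race(false, &end);
	printf("without pin: dangling=%d freed_at_end=%d\n", dangling, end);
	dangling = lookup_race(true, &end);
	printf("with pin:    dangling=%d freed_at_end=%d\n", dangling, end);
	return 0;
}
```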