On Sat, Aug 15, 2015 at 02:56:57PM +1000, Dave Airlie wrote:
On 11 August 2015 at 17:54, Maarten Lankhorst <maarten.lankhorst@linux.intel.com> wrote:
The port is removed synchronously, but the connector removal is delayed. This causes a use after free which can cause a kernel BUG with slub_debug=FPZU. This is fixed by freeing the port after the connector.
Where is the use after free btw? I'm not sure I like delaying the port destruction, there should be no need to.
The connector->port pointer shouldn't be used without validation anywhere, and if it is that is a bug.
I'd like to reproduce this before pulling this in.
The remove function needs to look at the connector->port to shut down the DP MST link. Before your patch that was done _before_ the final kfree on the port, but with your patch that's now the other way round: first we synchronously kfree the port, then we call the driver's connector cleanup function asynchronously. And that is very unhappy that the port is now gone.
So perfectly ok regression fix imo to restore the ordering we had before your patch in the cleanup code.
-Daniel
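The ordering problem Daniel describes, as an added example that is not part of this thread and not the DRM DP MST code itself: a small C model in which the port is "freed" by poisoning it the way slub_debug=P would, while the driver's connector cleanup runs later from a deferred-work slot and has to dereference connector->port to shut down the link. The struct names, `kfree_port`, `driver_destroy_connector`, `destroy_work` and the two `teardown_*` functions are hypothetical stand-ins chosen for illustration; the only point modelled is which object outlives which.

```c
/*
 * Added example, not the kernel's drm_dp_mst code. Models the teardown
 * ordering discussed above: port freed synchronously vs. port freed only
 * after the deferred connector cleanup has run. All names are hypothetical.
 */
#include <stdbool.h>
#include <string.h>

#define POISON_FREE 0x6b   /* SLUB's poison byte for freed objects */

struct mst_port {
    unsigned char magic[8];   /* live marker, overwritten on "free" */
    int link_up;
};

struct mst_connector {
    struct mst_port *port;    /* the pointer the driver cleanup must use */
    bool cleanup_ok;          /* did cleanup see a live port? */
};

static void port_init(struct mst_port *p)
{
    memcpy(p->magic, "MSTPORT", 8);
    p->link_up = 1;
}

/* stand-in for kfree() under slub_debug=P: poison instead of release,
 * so a later dereference is detectable here rather than undefined */
static void kfree_port(struct mst_port *p)
{
    memset(p, POISON_FREE, sizeof(*p));
}

static bool port_is_live(const struct mst_port *p)
{
    return memcmp(p->magic, "MSTPORT", 8) == 0;
}

/* driver connector cleanup: needs connector->port to shut down the link */
static void driver_destroy_connector(struct mst_connector *c)
{
    if (!port_is_live(c->port)) {   /* use after free: memory is poisoned */
        c->cleanup_ok = false;
        return;
    }
    c->port->link_up = 0;           /* tear down the DP MST link */
    c->cleanup_ok = true;
}

/* one-slot deferred work, standing in for the connector destroy worker */
struct destroy_work {
    struct mst_connector *conn;
    bool free_port_after;           /* the fix: port freed after cleanup */
};

static void flush_destroy_work(struct destroy_work *w)
{
    if (!w->conn)
        return;
    driver_destroy_connector(w->conn);
    if (w->free_port_after)
        kfree_port(w->conn->port);
    w->conn = NULL;
}

/* before the fix: port freed synchronously, connector cleanup deferred */
bool teardown_port_first(void)
{
    struct mst_port port;
    struct mst_connector conn = { .port = &port, .cleanup_ok = false };
    struct destroy_work w = { .conn = &conn, .free_port_after = false };

    port_init(&port);
    kfree_port(&port);          /* synchronous free of the port */
    flush_destroy_work(&w);     /* later: cleanup finds poisoned memory */
    return conn.cleanup_ok;
}

/* after the fix: port is freed only once the connector cleanup has run */
bool teardown_connector_first(void)
{
    struct mst_port port;
    struct mst_connector conn = { .port = &port, .cleanup_ok = false };
    struct destroy_work w = { .conn = &conn, .free_port_after = true };

    port_init(&port);
    flush_destroy_work(&w);     /* cleanup sees a live port, then it is freed */
    return conn.cleanup_ok && !port_is_live(&port);
}
```

The poison-then-check trick is what slub_debug=FPZU does for real: it is why the original report surfaced as a kernel BUG rather than as silent corruption, and why the same reproducer is a useful regression test for any deferred-destroy path that holds a raw pointer to a synchronously freed object.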