From: Chris Wilson Date: Mon, 20 Jun 2016 08:29:17 +0000 (+0100) Subject: drm/i915: Avoid use-after-free of intel_encoder in intel_dp_connector_destrpy X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=996818869c9cc25581e81ff809d790651129cb4a;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git drm/i915: Avoid use-after-free of intel_encoder in intel_dp_connector_destrpy The drm_dp_aux is associated with the intel_dp encoder and not the connector. Since the encoder is destroyed before the connector, attempting to free the drm_dp_aux from inside the connector cleanup causes a use-after-free. This was applied to the patch that CI was happy with, but in the confusion of so many series trying to make CI happy, the unready patch was plucked. Fixes: c191eca110a3 ("drm/i915: Move intel_connector->unregister to connector->early_unregister") Signed-off-by: Chris Wilson Cc: Daniel Vetter Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/1466411357-730-1-git-send-email-chris@chris-wilson.co.uk --- diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c index 2e4b66c9ee3e..0b84f8e5df50 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c @@ -4463,8 +4463,6 @@ intel_dp_connector_destroy(struct drm_connector *connector) if (!IS_ERR_OR_NULL(intel_connector->edid)) kfree(intel_connector->edid); - intel_dp_aux_fini(intel_attached_dp(connector)); - /* Can't call is_edp() since the encoder may have been destroyed * already. */ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) @@ -4495,6 +4493,9 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder) intel_dp->edp_notifier.notifier_call = NULL; } } + + intel_dp_aux_fini(intel_dp); + drm_encoder_cleanup(encoder); kfree(intel_dig_port); }