
drm: safely free connectors from connector_iter

In

commit 613051dac40da1751ab269572766d3348d45a197
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Wed Dec 14 00:08:06 2016 +0100

drm: locking&new iterators for connector_list

we've went to extreme lengths to make sure connector iterations works
in any context, without introducing any additional locking context.
This worked, except for a small fumble in the implementation:

When we actually race with a concurrent connector unplug event, and
our temporary connector reference turns out to be the final one, then
everything breaks: We call the connector release function from
whatever context we happen to be in, which can be an irq/atomic
context. And connector freeing grabs all kinds of locks and stuff.

Fix this by creating a specially safe put function for connector_iter,
which (in this rare case) punts the cleanup to a worker.

Reported-by: Ben Widawsky <ben@bwidawsk.net>
Cc: Ben Widawsky <ben@bwidawsk.net>
Fixes: 613051dac40d ("drm: locking&new iterators for connector_list")
Cc: Dave Airlie <airlied@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: <stable@vger.kernel.org> # v4.11+
Reviewed-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171204204818.24745-1-daniel.vetter@ffwll.ch

+36 -2
+26 -2
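--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -152,6 +152,16 @@
 	connector->funcs->destroy(connector);
 }
 
+static void drm_connector_free_work_fn(struct work_struct *work)
+{
+	struct drm_connector *connector =
+		container_of(work, struct drm_connector, free_work);
+	struct drm_device *dev = connector->dev;
+
+	drm_mode_object_unregister(dev, &connector->base);
+	connector->funcs->destroy(connector);
+}
+
 /**
  * drm_connector_init - Init a preallocated connector
  * @dev: DRM device
@@ -180,6 +190,8 @@
 				    false, drm_connector_free);
 	if (ret)
 		return ret;
+
+	INIT_WORK(&connector->free_work, drm_connector_free_work_fn);
 
 	connector->base.properties = &connector->properties;
 	connector->dev = dev;
@@ -529,6 +541,18 @@
 }
 EXPORT_SYMBOL(drm_connector_list_iter_begin);
 
+/*
+ * Extra-safe connector put function that works in any context. Should only be
+ * used from the connector_iter functions, where we never really expect to
+ * actually release the connector when dropping our final reference.
+ */
+static void
+drm_connector_put_safe(struct drm_connector *conn)
+{
+	if (refcount_dec_and_test(&conn->base.refcount.refcount))
+		schedule_work(&conn->free_work);
+}
+
 /**
  * drm_connector_list_iter_next - return next connector
  * @iter: connectr_list iterator
@@ -561,7 +585,7 @@
 	spin_unlock_irqrestore(&config->connector_list_lock, flags);
 
 	if (old_conn)
-		drm_connector_put(old_conn);
+		drm_connector_put_safe(old_conn);
 
 	return iter->conn;
 }
@@ -580,7 +604,7 @@
 {
 	iter->dev = NULL;
 	if (iter->conn)
-		drm_connector_put(iter->conn);
+		drm_connector_put_safe(iter->conn);
 	lock_release(&connector_list_iter_dep_map, 0, _RET_IP_);
 }
 EXPORT_SYMBOL(drm_connector_list_iter_end);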
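Review bot: `drm_connector_put_safe()` decrements `conn->base.refcount.refcount` by hand, so it bypasses `drm_connector_put()` and the release callback registered for the mode object (the `drm_connector_free` argument visible in the `drm_connector_init` hunk), and `drm_connector_free_work_fn()` repeats the unregister-and-destroy sequence as a second copy. If the normal release path later changes, the two copies can drift and the deferred path would tear a connector down incompletely; I would route both through one shared static helper and extend the comment with `/* Open-codes the final put: the release callback takes locks and must not run in atomic context. */`. The work function also reads `connector->dev` and `connector->funcs` whenever it eventually runs, so the comment should state that the device and the driver's code must outlive any pending `free_work`. `drm_connector_free` starts above the first hunk, and the two iterator functions start outside theirs.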
+2
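--- a/drivers/gpu/drm/drm_mode_config.c
+++ b/drivers/gpu/drm/drm_mode_config.c
@@ -431,6 +431,8 @@
 		drm_connector_put(connector);
 	}
 	drm_connector_list_iter_end(&conn_iter);
+	/* connector_iter drops references in a work item. */
+	flush_scheduled_work();
 	if (WARN_ON(!list_empty(&dev->mode_config.connector_list))) {
 		drm_connector_list_iter_begin(dev, &conn_iter);
 		drm_for_each_connector_iter(connector, &conn_iter)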
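Review bot: `flush_scheduled_work()` waits for every item on the system workqueue, not only the connectors' `free_work`, so this cleanup path now blocks on unrelated work and can deadlock if it is reached from a work item on that same queue or while holding a lock that a queued item needs. The caller's context is not visible here, so this needs checking against the driver unload and hotplug paths. A narrower wait would remove the dependency, for example a dedicated workqueue for connector frees or flushing only the specific work items. At minimum the comment should carry the constraint, e.g. `/* connector_iter drops references in a work item; may sleep, must not run from the system workqueue. */`. The enclosing function starts and ends outside the hunk.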
+8
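--- a/include/drm/drm_connector.h
+++ b/include/drm/drm_connector.h
@@ -916,6 +916,14 @@
 	uint8_t num_h_tile, num_v_tile;
 	uint8_t tile_h_loc, tile_v_loc;
 	uint16_t tile_h_size, tile_v_size;
+
+	/**
+	 * @free_work:
+	 *
+	 * Work used only by &drm_connector_iter to be able to clean up a
+	 * connector from any context.
+	 */
+	struct work_struct free_work;
 };
 
 #define obj_to_connector(x) container_of(x, struct drm_connector, base)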
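Review bot: The kerneldoc reference `&drm_connector_iter` probably does not resolve, because the iterator functions in drm_connector.c are named `drm_connector_list_iter_*`, which suggests the type is `struct drm_connector_list_iter`. I would write `Work used only by &drm_connector_list_iter to be able to clean up a` for that line. The comment could also say that the field is initialised in `drm_connector_init()` and must not be queued by drivers, since queueing it frees the connector. The struct definition starts outside the hunk.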