drm/i915: fix use after free during eDP encoder destroying
authorImre Deak <imre.deak@intel.com>
Fri, 12 Dec 2014 15:57:38 +0000 (17:57 +0200)
committerDaniel Vetter <daniel.vetter@ffwll.ch>
Tue, 16 Dec 2014 09:38:55 +0000 (10:38 +0100)
After

commit a18c0af171bfb875012da26f23df051004726973
uthor: Thierry Reding <treding@nvidia.com>
Date:   Wed Dec 10 11:38:49 2014 +0100

    drm: Zero out DRM object memory upon cleanup

we will use the eDP encoder during destroying it. Fix this by calling
drm_encoder_cleanup() at a point when the encoder is not used any more.
This caused a NULL pointer dereference in pps_lock(), I can't see that
it caused any other problem.

All the other encoders seem to call drm_encoder_cleanup() at a safe
place.

Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
drivers/gpu/drm/i915/intel_dp.c

index 8e276c41d4d2593495a73d394612fb97db10bbd9..8b31e01b054b74e426ca6a4b1338cfa89eabb8f5 100644 (file)
@@ -4310,7 +4310,6 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder)
 
        drm_dp_aux_unregister(&intel_dp->aux);
        intel_dp_mst_encoder_cleanup(intel_dig_port);
-       drm_encoder_cleanup(encoder);
        if (is_edp(intel_dp)) {
                cancel_delayed_work_sync(&intel_dp->panel_vdd_work);
                /*
@@ -4326,6 +4325,7 @@ void intel_dp_encoder_destroy(struct drm_encoder *encoder)
                        intel_dp->edp_notifier.notifier_call = NULL;
                }
        }
+       drm_encoder_cleanup(encoder);
        kfree(intel_dig_port);
 }