drm/i915/fbdev: suspend HPD before fbdev unregistration
authorAndrzej Hajda <andrzej.hajda@intel.com>
Fri, 26 Aug 2022 14:19:28 +0000 (16:19 +0200)
committerImre Deak <imre.deak@intel.com>
Mon, 5 Sep 2022 13:21:43 +0000 (16:21 +0300)
HPD event after fbdev unregistration can cause registration of deferred
fbdev which will not be unregistered later, causing use-after-free.
To avoid it HPD handling should be suspended before fbdev unregistration.

It should fix following GPF:
[272.634530] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI
[272.634536] CPU: 0 PID: 6030 Comm: i915_selftest Tainted: G     U            5.18.0-rc5-CI_DRM_11603-g12dccf4f5eef+ #1
[272.634541] Hardware name: Intel Corporation Raptor Lake Client Platform/RPL-S ADP-S DDR5 UDIMM CRB, BIOS RPLSFWI1.R00.2397.A01.2109300731 09/30/2021
[272.634545] RIP: 0010:fb_do_apertures_overlap.part.14+0x26/0x60
...
[272.634582] Call Trace:
[272.634583]  <TASK>
[272.634585]  do_remove_conflicting_framebuffers+0x59/0xa0
[272.634589]  remove_conflicting_framebuffers+0x2d/0xc0
[272.634592]  remove_conflicting_pci_framebuffers+0xc8/0x110
[272.634595]  drm_aperture_remove_conflicting_pci_framebuffers+0x52/0x70
[272.634604]  i915_driver_probe+0x63a/0xdd0 [i915]

Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5329
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5510
Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Arun R Murthy <arun.r.murthy@intel.com>
Reviewed-by: Imre Deak <imre.deak@intel.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220826141929.189681-3-andrzej.hajda@intel.com
drivers/gpu/drm/i915/display/intel_fbdev.c

index c08ff6a5c2e9cc94ea08ad79ca75b9d2c69b554f..8642196155666729f203398d10d935dacb01a393 100644 (file)
@@ -573,7 +573,8 @@ void intel_fbdev_unregister(struct drm_i915_private *dev_priv)
        if (!ifbdev)
                return;
 
-       cancel_work_sync(&dev_priv->display.fbdev.suspend_work);
+       intel_fbdev_set_suspend(&dev_priv->drm, FBINFO_STATE_SUSPENDED, true);
+
        if (!current_is_async())
                intel_fbdev_sync(ifbdev);
 
@@ -618,7 +619,7 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous
        struct fb_info *info;
 
        if (!ifbdev || !ifbdev->vma)
-               return;
+               goto set_suspend;
 
        info = ifbdev->helper.fbdev;
 
@@ -661,6 +662,7 @@ void intel_fbdev_set_suspend(struct drm_device *dev, int state, bool synchronous
        drm_fb_helper_set_suspend(&ifbdev->helper, state);
        console_unlock();
 
+set_suspend:
        intel_fbdev_hpd_set_suspend(dev_priv, state);
 }