From a703c55004e1c5076d57e43771b3e11117796ea0 Mon Sep 17 00:00:00 2001 From: Daniel Vetter Date: Mon, 4 Dec 2017 21:48:18 +0100 Subject: drm: safely free connectors from connector_iter In commit 613051dac40da1751ab269572766d3348d45a197 Author: Daniel Vetter Date: Wed Dec 14 00:08:06 2016 +0100 drm: locking&new iterators for connector_list we've went to extreme lengths to make sure connector iterations works in any context, without introducing any additional locking context. This worked, except for a small fumble in the implementation: When we actually race with a concurrent connector unplug event, and our temporary connector reference turns out to be the final one, then everything breaks: We call the connector release function from whatever context we happen to be in, which can be an irq/atomic context. And connector freeing grabs all kinds of locks and stuff. Fix this by creating a specially safe put function for connetor_iter, which (in this rare case) punts the cleanup to a worker. Reported-by: Ben Widawsky Cc: Ben Widawsky Fixes: 613051dac40d ("drm: locking&new iterators for connector_list") Cc: Dave Airlie Cc: Chris Wilson Cc: Sean Paul Cc: # v4.11+ Reviewed-by: Dave Airlie Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20171204204818.24745-1-daniel.vetter@ffwll.ch --- include/drm/drm_connector.h | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'include') diff --git a/include/drm/drm_connector.h b/include/drm/drm_connector.h index df9807a3caae..a4649c56ca2f 100644 --- a/include/drm/drm_connector.h +++ b/include/drm/drm_connector.h @@ -916,6 +916,14 @@ struct drm_connector { uint8_t num_h_tile, num_v_tile; uint8_t tile_h_loc, tile_v_loc; uint16_t tile_h_size, tile_v_size; + + /** + * @free_work: + * + * Work used only by &drm_connector_iter to be able to clean up a + * connector from any context. + */ + struct work_struct free_work; }; #define obj_to_connector(x) container_of(x, struct drm_connector, base) -- cgit v1.2.3