From: "Dixit, Ashutosh" <ashutosh.dixit@intel.com>
To: Armin Wolf <W_Armin@gmx.de>
Cc: intel-gfx@lists.freedesktop.org,
"Badal Nilawar" <badal.nilawar@intel.com>,
"Andi Shyti" <andi.shyti@intel.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
linux-hwmon@vger.kernel.org
Subject: Re: [PATCH] drm/i915/hwmon: Get rid of devm
Date: Mon, 15 Apr 2024 16:21:12 -0700 [thread overview]
Message-ID: <85bk6atdp3.wl-ashutosh.dixit@intel.com> (raw)
In-Reply-To: <55e00433-71a6-4b41-a65b-0a8871398cdc@gmx.de>
On Sat, 13 Apr 2024 07:43:50 -0700, Armin Wolf wrote:
>
Hi Armin,
> Am 13.04.24 um 02:10 schrieb Ashutosh Dixit:
>
> > When both hwmon and hwmon drvdata (on which hwmon depends) are device
> > managed resources, the expectation, on device unbind, is that hwmon will be
> > released before the drvdata. However, it appears devres does not do this
> > consistently, so that we occasionally see drvdata being released before
> > hwmon itself. This results in a uaf if hwmon sysfs is accessed during
> > device unbind.
> >
> > The only way out of this seems to be do get rid of devm_ and release/free
> > everything explicitly during device unbind.
>
> could it be that the underlying cause for this is the fact that you are using
> devres on a DRM device?
>
> The documentation states that:
>
> devres managed resources like devm_kmalloc() can only be used for resources
> directly related to the underlying hardware device, and only used in code
> paths fully protected by drm_dev_enter() and drm_dev_exit().
I just posted v2 of the patch and updated
https://gitlab.freedesktop.org/drm/intel/-/issues/10366. The updates do
include stack traces for two separate code paths in i915 which release
devres.
Actually I am not sure if this is due to using devres on a DRM device. I
was thinking the PCI device would be more appropriate, but looks like DRM
drivers don't have the parent PCI device available in their data structs.
> That said, since the i915 driver is already removing the hwmon device manually
> with i915_hwmon_unregister(),
Well previously i915_hwmon_unregister() was almost empty (and could
actually be eliminated).
> i agree that not using devres in this case seems to be the solution.
Yeah that seems to me too to be the easiest way out of this situation.
Thanks.
--
Ashutosh
next prev parent reply other threads:[~2024-04-15 23:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-13 0:10 [PATCH] drm/i915/hwmon: Get rid of devm Ashutosh Dixit
2024-04-13 14:43 ` Armin Wolf
2024-04-15 23:21 ` Dixit, Ashutosh [this message]
2024-04-14 23:23 ` Dixit, Ashutosh
-- strict thread matches above, loose matches on Subject: below --
2024-04-16 3:55 Ashutosh Dixit
2024-04-17 14:56 Ashutosh Dixit
2024-04-18 21:56 ` Andi Shyti
2024-04-19 1:05 ` Dixit, Ashutosh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=85bk6atdp3.wl-ashutosh.dixit@intel.com \
--to=ashutosh.dixit@intel.com \
--cc=W_Armin@gmx.de \
--cc=andi.shyti@intel.com \
--cc=badal.nilawar@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=ville.syrjala@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).