On Fri, 5 Apr 2024 at 22:17, Ville Syrjälä ville.syrjala@linux.intel.com wrote:
On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
From: Ville Syrjälä ville.syrjala@linux.intel.com
The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory.
Cc: stable@vger.kernel.org
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
Signed-off-by: Ville Syrjälä ville.syrjala@linux.intel.com
Reviewed-by: Dmitry Baryshkov dmitry.baryshkov@linaro.org
I tried looking for the proper Fixes tag, but it looks like it might be something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.")
The history is rather messy. I think it was originally completely lockless and broken, and got fixed piecemeal later in these:
commit 7394371d8569 ("drm: Take lock around probes for drm_fb_helper_hotplug_event")
commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst setting up crtcs")
commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for internals") looks to me like where the race might have been re-introduced. But didn't do a thorough analysis so not 100% sure. It's all rather ancient history by now so a Fixes tag doesn't seem all that useful anyway.
Well, you have added stable to cc list, so you expect to have this patch backported. Then it should either have a kernel version as a 'starting' point or a Fixes tag to assist the stable team.