2023-03-08 17:35:43

by Zheng Wang

Subject: [PATCH] drm/bridge: adv7511: fix race condition bug in adv7511_remove due to unfinished work

In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
If we call adv7511_remove with an unfinished work, there may be a
race condition where bridge->hpd_mutex was destroyed by
drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.

Fix it by canceling the work before cleanup in adv7511_remove.

Signed-off-by: Zheng Wang <[email protected]>
---
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index ddceafa7b637..9bf72dd6c1d3 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1349,6 +1349,7 @@ static void adv7511_remove(struct i2c_client *i2c)
{
struct adv7511 *adv7511 = i2c_get_clientdata(i2c);

+ cancel_work_sync(&adv7511->hpd_work);
adv7511_uninit_regulators(adv7511);

drm_bridge_remove(&adv7511->bridge);
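
Review bot: the cancel_work_sync(&adv7511->hpd_work) added at the top of adv7511_remove only cancels pending work and waits for a running instance; nothing in the visible lines stops hpd_work from being queued again between this call and drm_bridge_remove(&adv7511->bridge), so the window described in the commit message can reopen. Consider quiescing whatever schedules hpd_work before the cancel, or state in the commit message why it cannot be rescheduled at this point.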
--
2.25.1



2023-03-15 09:09:23

by Neil Armstrong

Subject: Re: [PATCH] drm/bridge: adv7511: fix race condition bug in adv7511_remove due to unfinished work

Hi,

On 08/03/2023 18:34, Zheng Wang wrote:
> In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
> If we call adv7511_remove with an unfinished work, there may be a
> race condition where bridge->hpd_mutex was destroyed by
> drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.
>
> Fix it by canceling the work before cleanup in adv7511_remove.
>

Can you add the relevant Fixes tag ?

Thanks,
Neil

> Signed-off-by: Zheng Wang <[email protected]>
> ---
> drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> index ddceafa7b637..9bf72dd6c1d3 100644
> --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> @@ -1349,6 +1349,7 @@ static void adv7511_remove(struct i2c_client *i2c)
> {
> struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
>
> + cancel_work_sync(&adv7511->hpd_work);
> adv7511_uninit_regulators(adv7511);
>
> drm_bridge_remove(&adv7511->bridge);
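
Review bot: the new cancel_work_sync() line in adv7511_remove carries no comment, and the reason it must stay ahead of drm_bridge_remove(&adv7511->bridge) is not visible from the code alone. A one-line comment saying the work has to be cancelled before the bridge and its hpd_mutex are torn down would keep a later reordering of this function from reintroducing the race.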


2023-03-15 09:20:45

by Zheng Hacker

Subject: Re: [PATCH] drm/bridge: adv7511: fix race condition bug in adv7511_remove due to unfinished work

<[email protected]> wrote on Wed, Mar 15, 2023 at 17:08:
>
> Hi,
>
> On 08/03/2023 18:34, Zheng Wang wrote:
> > In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
> > If we call adv7511_remove with an unfinished work, there may be a
> > race condition where bridge->hpd_mutex was destroyed by
> > drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.
> >
> > Fix it by canceling the work before cleanup in adv7511_remove.
> >
>
> Can you add the relevant Fixes tag ?
>

Hi Neil,

Thanks for your reply and kind reminder. Sorry for my mistake. I'll
append more messages in the next version of the patch.

Best regards,
Zheng

> Thanks,
> Neil
>
> > Signed-off-by: Zheng Wang <[email protected]>
> > ---
> > drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > index ddceafa7b637..9bf72dd6c1d3 100644
> > --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > @@ -1349,6 +1349,7 @@ static void adv7511_remove(struct i2c_client *i2c)
> > {
> > struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
> >
> > + cancel_work_sync(&adv7511->hpd_work);
> > adv7511_uninit_regulators(adv7511);
> >
> > drm_bridge_remove(&adv7511->bridge);
>