From: Jeffy Chen <jeffy.chen@rock-chips.com>
To: linux-kernel@vger.kernel.org
Cc: briannorris@chromium.org, dianders@chromium.org, tfiga@chromium.org,
        seanpaul@chromium.org, zyw@rock-chips.com, marcheu@chromium.org,
        mark.yao@rock-chips.com, hshi@chromium.org,
        Jeffy Chen <jeffy.chen@rock-chips.com>,
        Daniel Vetter <daniel.vetter@intel.com>,
        Jani Nikula <jani.nikula@linux.intel.com>,
        dri-devel@lists.freedesktop.org, David Airlie <airlied@linux.ie>
Subject: [PATCH v8 2/2] drm: Prevent release fb after cleanup drm_mode_config
Date: Wed, 12 Apr 2017 10:55:30 +0800
Message-Id: <1491965730-31393-3-git-send-email-jeffy.chen@rock-chips.com>
In-Reply-To: <1491965730-31393-1-git-send-email-jeffy.chen@rock-chips.com>
References: <1491965730-31393-1-git-send-email-jeffy.chen@rock-chips.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1093
Lines: 43

We are freeing all framebuffers in drm_mode_config_cleanup without
sync the drm_file's fbs list.

So if someone try to unbind drm before release drm dev fd, the fbs
list would remain some invalid fb references. And that would cause
crash later in drm_fb_release.

Add a sanity check to prevent that.

Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>

---

Changes in v8: None
Changes in v7:
Update commit message.

Changes in v6: None
Changes in v5: None
Changes in v2: None

 drivers/gpu/drm/drm_framebuffer.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
index e8f9c13..03c1632 100644
--- a/drivers/gpu/drm/drm_framebuffer.c
+++ b/drivers/gpu/drm/drm_framebuffer.c
@@ -583,6 +583,11 @@ void drm_fb_release(struct drm_file *priv)
 {
 	struct drm_framebuffer *fb, *tfb;
 	struct drm_mode_rmfb_work arg;
+	struct drm_minor *minor = priv->minor;
+	struct drm_device *dev = minor->dev;
+
+	if (WARN_ON(!dev->mode_config.num_fb && !list_empty(&priv->fbs)))
+		return;
 
 	INIT_LIST_HEAD(&arg.fbs);
 
-- 
2.1.4