Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2403038imm; Mon, 28 May 2018 07:28:22 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJvMrgkG1eX/IiN+zQpSVxgZxGMiVRwAil41viloOgSxMB/GD0oJsTREsxx89UFoJXiAY10 X-Received: by 2002:a17:902:566:: with SMTP id 93-v6mr3550546plf.385.1527517702664; Mon, 28 May 2018 07:28:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527517702; cv=none; d=google.com; s=arc-20160816; b=MYv/nF912IOitmqkijZYTEIjMzoNf68zxByLxpVGM1u/uplKRsExoWr286My7TsA/o fPN9Hhn/U5zVL228I3P5ZMXdCLFnqgsZ/bh1fYLhVNwjRVzP/GzEYN7IuRhJPcFTuy9j 5HTA/kQ9BOu8HN16NJWAkHRPPcdEBGTkctx5UoJNL4A0UckhCYpUff7oYvWkF5YrdUza Yl/+nOOjkhtuo1DmQg4STftl7G5ENeBsdSTXkJns+eyvLcGT9XDN7D6SqgC6vQ/DPjEU vHvaG2ccSXNJQyqKNioK3ASMEVUjVw9XkxM+Suc7C35jkOeKI0BdbU/6S8HwNTXSmuiZ fg3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=HcJKhRStqlklrM9gCKdmcdegpxBhfxJrn2A3mCGImNY=; b=IfzECEZKV7THI2s9XszjvH6fLfxhy/FP5JjeDYYgIn4jPU9OigXCNKyrUQgBN30Z+t gRyZt24cYWeHbTpOJgv+ogNj+yJI6/+DuuAQ3PbnevViKf/bQmOaBScj0HoMl405PM6P /msK+enbAqDlo0VvrWPqIjUz7Vqwg/xouejAnJ8nVybB9X7VBUBVkHy/BXBRSUH316K1 RKeQsGpdkp9lxCUhxh4Xy+28wkLtSwsdd97NV8QxOi6OlA+cQIFK+AwMkTo1EWmB4loN 6sccuXXNufUkFXzvKD9FZb4dhldxcZ8f1QDTojlOkvoNbfnGv58a7LFWDlDtQ+85wSuL DJPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FM5rzFLR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l11-v6si15166836pgs.218.2018.05.28.07.28.07; Mon, 28 May 2018 07:28:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FM5rzFLR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1165709AbeE1O1Z (ORCPT + 99 others); Mon, 28 May 2018 10:27:25 -0400 Received: from mail-wr0-f194.google.com ([209.85.128.194]:36990 "EHLO mail-wr0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1161787AbeE1O1U (ORCPT ); Mon, 28 May 2018 10:27:20 -0400 Received: by mail-wr0-f194.google.com with SMTP id i12-v6so20612664wrc.4 for ; Mon, 28 May 2018 07:27:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=HcJKhRStqlklrM9gCKdmcdegpxBhfxJrn2A3mCGImNY=; b=FM5rzFLRhnMXhUD8eMlw6NVxAxyjiZmrAqPDZxWPOGtMmPRYQ6kKgTR1c7Ph8TqMEP g5284Mweh2umolIwSPAhmzrDTay/EU56N1QxMbKXrZWzO6ckhiQRIyfU1c7EBA7Vlxqy 0QZLK9ZLBN1c9PTG5bpBYykX8QzLZnCMoc4xg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=HcJKhRStqlklrM9gCKdmcdegpxBhfxJrn2A3mCGImNY=; b=JhNzrioxyk6fEOgrNzQ9YY5YCqrpOLLlBjOXjHvnSqdonZNGOZ44DKuXUBiDmCCaov PwP3GU1u6I7aM7k6ozLBJmUfBfXZErEdeq+EAfdjCOqtkRa1NWGUvlxYhC4cMeWxaJM4 4bdhjsMT37CKWdsPl7vFq9rqiKnVUDsfHR2zAaVYBh3+miDRlvNJwDF3QInC/ZMqLaNl hZlVVk8rVg4rxPxPmDZU3K3pIO0L3WcNhO+wM5SvaYjpmbq9J0IvcVGJyi27ictHgJjw 0BEscqenwA8LpQIZOWGHRi9PNkJ4wMbNQIzcJNmrKNbh0RjHIwmBu/DVXm0Qy22kFrmM auEQ== X-Gm-Message-State: ALKqPwcliphF6CGoTs77ey5lX4ojMnvHGx1wMJ+Ybst6mHzJvBAM03pG H9KgJY4vRjL+vMWsEdAPUCNExnZIOEw= X-Received: by 2002:a19:949d:: with SMTP id o29-v6mr7285828lfk.56.1527517638507; Mon, 28 May 2018 07:27:18 -0700 (PDT) Received: from osmium.lul.corp.google.com ([2620:0:1043:1:87e6:358b:26fd:3e7]) by smtp.gmail.com with ESMTPSA id q133-v6sm6885706lfe.27.2018.05.28.07.27.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 May 2018 07:27:17 -0700 (PDT) From: Emil Lundmark To: dri-devel@lists.freedesktop.org Cc: Dave Airlie , Sean Paul , linux-kernel@vger.kernel.org, Emil Lundmark , Daniel Vetter , =?UTF-8?q?St=C3=A9phane=20Marchesin?= Subject: [PATCH v2] drm: udl: Destroy framebuffer only if it was initialized Date: Mon, 28 May 2018 16:27:11 +0200 Message-Id: <20180528142711.142466-1-lndmrk@chromium.org> In-Reply-To: <20180420115001.161745-1-lndmrk@chromium.org> References: <20180420115001.161745-1-lndmrk@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This fixes a NULL pointer dereference that can happen if the UDL driver is unloaded before the framebuffer is initialized. This can happen e.g. if the USB device is unplugged right after it was plugged in. As explained by Stéphane Marchesin: It happens when fbdev is disabled (which is the case for Chrome OS). Even though intialization of the fbdev part is optional (it's done in udlfb_create which is the callback for fb_probe()), the teardown isn't optional (udl_driver_unload -> udl_fbdev_cleanup -> udl_fbdev_destroy). Note that udl_fbdev_cleanup *tries* to be conditional (you can see it does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is always set during udl_fbdev_init. Suggested-by: Sean Paul Signed-off-by: Emil Lundmark --- Changes in v2: - Updated commit message with explanation from Stéphane Marchesin drivers/gpu/drm/udl/udl_fb.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c index 2ebdc6d5a76e..5754e37f741b 100644 --- a/drivers/gpu/drm/udl/udl_fb.c +++ b/drivers/gpu/drm/udl/udl_fb.c @@ -426,9 +426,11 @@ static void udl_fbdev_destroy(struct drm_device *dev, { drm_fb_helper_unregister_fbi(&ufbdev->helper); drm_fb_helper_fini(&ufbdev->helper); - drm_framebuffer_unregister_private(&ufbdev->ufb.base); - drm_framebuffer_cleanup(&ufbdev->ufb.base); - drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); + if (ufbdev->ufb.obj) { + drm_framebuffer_unregister_private(&ufbdev->ufb.base); + drm_framebuffer_cleanup(&ufbdev->ufb.base); + drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); + } } int udl_fbdev_init(struct drm_device *dev) -- 2.17.0.921.gf22659ad46-goog