Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3065306imm; Mon, 28 May 2018 23:47:22 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrVD5OAV6pZvToHGQ7Ua+s13qi4+BgTEkNoeNmGPCqFlS8LO3D0T8OXwO7hPZM3GtswryAR X-Received: by 2002:a62:a111:: with SMTP id b17-v6mr16189376pff.132.1527576442867; Mon, 28 May 2018 23:47:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527576442; cv=none; d=google.com; s=arc-20160816; b=pX9JlvoqtPB1sy6h1bNrY8wuWmFak+rFsKnp/g8kFpB/uin0ZensVOovj1/VMkusmI W0Kg1dpQPpv4DJl9ddjWLTKMG3BLX5DIO3PhC9m0Dpk8OfIGF45dTP5NkoEYd46N22Pp 5rw9C096RfjLS/rLqUuhxpNm4ovjRgy3wSBLbKvKfqVnWIlk67BSDeN4umCdY2WgpOSI 4B3duu4dxA07gmMyqI2z7daF9KQ0Dw0LMA9ptU07MfCN1ADsI+nwfj6OUHYP8iJDr2XK V9qGbfp2JRf65ZBiE6jWRRAXjhBZeYQ8D3Da+r9CPp8Kz3n4wePUpu67f7I84Riittbe uC8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:mail-followup-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=3mIwYzenHxd5JUn6jGGoGtUNVRV4CV+DTviH/ipAYTU=; b=cFKuSRlOke6J/kJyLefwPA8HZd8I//F3PnacAM5qwkXDQdcWcMUGlaPieKPG6SppT2 c6JbW6ec3uMwPY7vUt9U/mspJaCyyqCbP9xZLITtVJkf6S1SwQi0fX5fXTIozPPRNxUG 6Oy4HLwqYo6BStQndAM2Qcd+AQLlWOHQmEm8r7FYhKZplcGeJgkr5Z8YGsy0aeU4eNQo /qvkQGaJUK5FFFgyv7eE7dMwi0Vt17iNSzRtgjDe9GN0c1Ra6JPgcwB+JpMgSVwVLPBt hrnzWVM9vaL/jpRH/I5gV/kmFqD9u1Chjd93L1I09r6tYqvT8oajbsBI0oX4japrJiIU iOdQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@ffwll.ch header.s=google header.b=VqtxyCC9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l9-v6si3546987pgr.287.2018.05.28.23.47.08; Mon, 28 May 2018 23:47:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@ffwll.ch header.s=google header.b=VqtxyCC9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754679AbeE2GqV (ORCPT + 99 others); Tue, 29 May 2018 02:46:21 -0400 Received: from mail-wm0-f65.google.com ([74.125.82.65]:50360 "EHLO mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754466AbeE2GqU (ORCPT ); Tue, 29 May 2018 02:46:20 -0400 Received: by mail-wm0-f65.google.com with SMTP id t11-v6so37310231wmt.0 for ; Mon, 28 May 2018 23:46:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=sender:date:from:to:cc:subject:message-id:mail-followup-to :references:mime-version:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=3mIwYzenHxd5JUn6jGGoGtUNVRV4CV+DTviH/ipAYTU=; b=VqtxyCC9zkNK3YTPzu3u9AVOfEhTSxSfrcb802gl7k1JPnoaPGMaGA1cOLCukBlguo u12EXtVZu0AvroLiQkQxmf516IVrDAjhl49C3alYalbbrgCHicEwb0o+rkypIPJFeVkU KSLYNUfDzbm+rajAEP8fP7PgmcQfZIMBbyw3Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=3mIwYzenHxd5JUn6jGGoGtUNVRV4CV+DTviH/ipAYTU=; b=OkkspxKtZFEDPz/3oWUS/LQy3m8biIZJwwoWtR9rm6c/jQJbgl9nnWrNBzRuiMHsrZ 7CP5YMKOamG1nkhgVMMGiDMPdS1ZTEemfzS1nZlmcnbJxw/MH4uhV6DgLhfevZXBbdyg jC2l57wZbrBwCZIUoM1T8sLotYq3QkQ4MyhKJ3hISpAw2OzNRobBaCJINSeblLaftRXF vigS53CWg5hJAZcxyySWmrs7AXA/IFyrK/pp0DOp7yX1sBk5mVH0rR6dJ9dTsyflzxEk A624livhT7rnwgA6qBdjo6u8OOLx4SIf7ywOmlr3yPmnz4uVwMlcb3smTBcMtQOpUbU0 sqxg== X-Gm-Message-State: ALKqPweD54LKMy1ZZRSSWEyJHl6XN8uShmcNULLESXLP/JsUCyCd7b5P /y32ECnPf8g+PEZ6suwX3Gotbg== X-Received: by 2002:a50:b8e5:: with SMTP id l92-v6mr17885853ede.5.1527576378910; Mon, 28 May 2018 23:46:18 -0700 (PDT) Received: from phenom.ffwll.local ([2a02:168:5628:0:d0c7:bcda:eea:9e5d]) by smtp.gmail.com with ESMTPSA id o25-v6sm17173711edq.62.2018.05.28.23.46.17 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 28 May 2018 23:46:18 -0700 (PDT) Date: Tue, 29 May 2018 08:46:16 +0200 From: Daniel Vetter To: Emil Lundmark Cc: dri-devel@lists.freedesktop.org, Dave Airlie , Sean Paul , linux-kernel@vger.kernel.org, Daniel Vetter , =?iso-8859-1?Q?St=E9phane?= Marchesin Subject: Re: [PATCH v2] drm: udl: Destroy framebuffer only if it was initialized Message-ID: <20180529064616.GS3438@phenom.ffwll.local> Mail-Followup-To: Emil Lundmark , dri-devel@lists.freedesktop.org, Dave Airlie , Sean Paul , linux-kernel@vger.kernel.org, =?iso-8859-1?Q?St=E9phane?= Marchesin References: <20180420115001.161745-1-lndmrk@chromium.org> <20180528142711.142466-1-lndmrk@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20180528142711.142466-1-lndmrk@chromium.org> X-Operating-System: Linux phenom 4.15.0-3-amd64 User-Agent: Mutt/1.9.5 (2018-04-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 28, 2018 at 04:27:11PM +0200, Emil Lundmark wrote: > This fixes a NULL pointer dereference that can happen if the UDL > driver is unloaded before the framebuffer is initialized. This can > happen e.g. if the USB device is unplugged right after it was plugged > in. > > As explained by St?phane Marchesin: > > It happens when fbdev is disabled (which is the case for Chrome OS). > Even though intialization of the fbdev part is optional (it's done in > udlfb_create which is the callback for fb_probe()), the teardown isn't > optional (udl_driver_unload -> udl_fbdev_cleanup -> > udl_fbdev_destroy). > > Note that udl_fbdev_cleanup *tries* to be conditional (you can see it > does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is > always set during udl_fbdev_init. > > Suggested-by: Sean Paul > Signed-off-by: Emil Lundmark You lost the r-b from Sean when resending, I'll leave that to Sean to readd when he merges. Anyway, lgtm now with the more detailed explanation. Acked-by: Daniel Vetter > --- > Changes in v2: > - Updated commit message with explanation from St?phane Marchesin > > drivers/gpu/drm/udl/udl_fb.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c > index 2ebdc6d5a76e..5754e37f741b 100644 > --- a/drivers/gpu/drm/udl/udl_fb.c > +++ b/drivers/gpu/drm/udl/udl_fb.c > @@ -426,9 +426,11 @@ static void udl_fbdev_destroy(struct drm_device *dev, > { > drm_fb_helper_unregister_fbi(&ufbdev->helper); > drm_fb_helper_fini(&ufbdev->helper); > - drm_framebuffer_unregister_private(&ufbdev->ufb.base); > - drm_framebuffer_cleanup(&ufbdev->ufb.base); > - drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); > + if (ufbdev->ufb.obj) { > + drm_framebuffer_unregister_private(&ufbdev->ufb.base); > + drm_framebuffer_cleanup(&ufbdev->ufb.base); > + drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); > + } > } > > int udl_fbdev_init(struct drm_device *dev) > -- > 2.17.0.921.gf22659ad46-goog > -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch