Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1775814imm; Thu, 27 Sep 2018 02:15:51 -0700 (PDT) X-Google-Smtp-Source: ACcGV63Jcg0gk5zRYYFX0tZg1O2jqCn2FlJ4RmW4vzCwnKpJ3cVAoYLtRy16jwGrP5yNmCK+b9o4 X-Received: by 2002:a17:902:26c:: with SMTP id 99-v6mr9906015plc.341.1538039751535; Thu, 27 Sep 2018 02:15:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538039751; cv=none; d=google.com; s=arc-20160816; b=ptRpZQCpMzrLQSTwzXNHF11qCq9jiYsOxd9sIMBs+qVZxZ8KsWlQ5b/NvadYMefxNo 8Ry0p8rsS9zYk1G+YHcmzkGG4AA6W7Ie16OYkrp62Lp6n+LOYFoaHKFjZfGKMx3d3VbF kcQEaDIPFw6P9uSegTbFZ1BrwkHUIIaFJ4WezHNxrCkDWshZqQkH+ZJFOQ027J1dax/K CeMifSqpVpHOgYo3Ra0GOvUTNkEtnqdxoM2RBJcq2zbJJ490uxub8iE1fDJqczlnpFjH WrX6/XE0v6QodJ9Ssjw55FAPG2hcqB86ZOjq8iLGQnPGtcSgV71082KYVrLXujlvHXYm 5nJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=A3gqWLXAo+EllppTKWa41K6Gm4tym3bRb4kn2jmRhcs=; b=d7xCGKrASB7ji9q6AvgWpzBzN9hXthVqNLaQSaekZVzAfZO7+gKXsh4CKoZtxAb/kI ugfl+hE6eptPnwqNoXsuZ4KY+aVCSGR5iSjdKXWvEI4QkXkaxBZV5Exx6EEaNaiEivzt MASFB9TwdYYE1EnPuQJo6p/nM003KVinZXPwmgXsG6kYclRx2VXiQaoEgY5GhqEqtsu3 tbnMRX33pLpMKacCEeFHbP6bnkzsYnDan3+T94HUI56Es1Lfnpgue2IgU/MLmmtPhVpp ujyyLIuDRFb5Gx4EBQGH2Bc8ubBe/Zebci9Dc0kTUKxlyOnbA0zH7800pCoNVMQAM4MN jz+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r17-v6si1490192pgo.278.2018.09.27.02.15.36; Thu, 27 Sep 2018 02:15:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728653AbeI0Pan (ORCPT + 99 others); Thu, 27 Sep 2018 11:30:43 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:55454 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727580AbeI0Pan (ORCPT ); Thu, 27 Sep 2018 11:30:43 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 84FD61117; Thu, 27 Sep 2018 09:13:26 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sean Paul , Daniel Vetter , Emil Lundmark Subject: [PATCH 4.18 72/88] drm: udl: Destroy framebuffer only if it was initialized Date: Thu, 27 Sep 2018 11:03:53 +0200 Message-Id: <20180927090309.373317978@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180927090300.631426620@linuxfoundation.org> References: <20180927090300.631426620@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Emil Lundmark commit fcb74da1eb8edd3a4ef9b9724f88ed709d684227 upstream. This fixes a NULL pointer dereference that can happen if the UDL driver is unloaded before the framebuffer is initialized. This can happen e.g. if the USB device is unplugged right after it was plugged in. As explained by Stéphane Marchesin: It happens when fbdev is disabled (which is the case for Chrome OS). Even though intialization of the fbdev part is optional (it's done in udlfb_create which is the callback for fb_probe()), the teardown isn't optional (udl_driver_unload -> udl_fbdev_cleanup -> udl_fbdev_destroy). Note that udl_fbdev_cleanup *tries* to be conditional (you can see it does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is always set during udl_fbdev_init. Cc: stable@vger.kernel.org Suggested-by: Sean Paul Reviewed-by: Sean Paul Acked-by: Daniel Vetter Signed-off-by: Emil Lundmark Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20180528142711.142466-1-lndmrk@chromium.org Signed-off-by: Sean Paul Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/udl/udl_fb.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/udl/udl_fb.c +++ b/drivers/gpu/drm/udl/udl_fb.c @@ -432,9 +432,11 @@ static void udl_fbdev_destroy(struct drm { drm_fb_helper_unregister_fbi(&ufbdev->helper); drm_fb_helper_fini(&ufbdev->helper); - drm_framebuffer_unregister_private(&ufbdev->ufb.base); - drm_framebuffer_cleanup(&ufbdev->ufb.base); - drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); + if (ufbdev->ufb.obj) { + drm_framebuffer_unregister_private(&ufbdev->ufb.base); + drm_framebuffer_cleanup(&ufbdev->ufb.base); + drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); + } } int udl_fbdev_init(struct drm_device *dev)