Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1317952yba; Tue, 2 Apr 2019 06:46:57 -0700 (PDT) X-Google-Smtp-Source: APXvYqxNbgyriavti2FZ/A9QiuTKS1BGgaJyw8XinU6kETrIZdoP6ymlRcquWgGUYUrSrOf96MFr X-Received: by 2002:a65:484a:: with SMTP id i10mr19407653pgs.408.1554212817133; Tue, 02 Apr 2019 06:46:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554212817; cv=none; d=google.com; s=arc-20160816; b=VGJhf51ApJiRBBEWDixEZU1h4qSX1jGw7TdzDfubPiPP5s2bXMPgUH6pJ7kL3XJOjA JBSdqcogV9ztbKobmfe3ms2atfCCiNd3ZRUsuFeGMZ0yVLmJBuLTMyx4mZM3QWigpDTN ka44llWh7KhxzvYR0bvNNupVXybI0r7EepIpmsgkayQQH6IkmhXpKk8y/FAbTi0c+Vsx seLNIc2z5a4RbnhNAbbw5R+x24kD9A9Pz4I8/WXkbLy8puszYO85Nk5gF6RPA89lG+Cw Mz1pN1DWJqe2R/9r6uQJF3QfKGi3aBleQ8vmKeBYZQw7JwK9oIfE0QLChsk7a7Y1fpoU 9j1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=RsxUDgAbG+UTfZLOsedNCD6ZG7137lOZJOwnVfEYOLQ=; b=zgaZNg+klSBFDYPJxN54yGphL1Yj6GDlhp5V4WF5ehIdNIVGm98yTx3E19dS5GYaAU IpUwHM/Z3PPhiG0EF/2T3EobFACd7rEIPE8MMxpdG9jZwK9zSVKLgRVixqI45vPm7Kxz mtINKOEFre64biIeHhw26kvh8WNXl2NdY6CTUhPp9tR1uzE37mQpVe0Zwz+uIAoXhemK ZCkwVw6Vx5rMIko+eHsPM32mbcItB9WfWcVWNW8sLPhEEX/0/fl6MbPoFSnBthQmmf2H 93K+vBtDQUZ33Ppah1fYUBrQC9fTS18bqHzTilk+aadreELLqGEBtDAVSq3Yp9lsyb8f D6Cg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i6si11161570pgj.329.2019.04.02.06.46.41; Tue, 02 Apr 2019 06:46:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732000AbfDBNoQ (ORCPT + 99 others); Tue, 2 Apr 2019 09:44:16 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:43488 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731484AbfDBNkJ (ORCPT ); Tue, 2 Apr 2019 09:40:09 -0400 Received: from [167.98.27.226] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hBJe0-0002oR-Jc; Tue, 02 Apr 2019 14:40:04 +0100 Received: from ben by deadeye with local (Exim 4.92) (envelope-from ) id 1hBJdx-0004w6-A3; Tue, 02 Apr 2019 14:40:01 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "=?UTF-8?q?Noralf=20Tr=C3=B8nnes?=" , "Bartlomiej Zolnierkiewicz" , "Daniel Vetter" , "Mikulas Patocka" Date: Tue, 02 Apr 2019 14:38:28 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 70/99] fbdev: fbcon: Fix unregister crash when more than one framebuffer In-Reply-To: X-SA-Exim-Connect-IP: 167.98.27.226 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.65-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Noralf Trønnes commit 2122b40580dd9d0620398739c773d07a7b7939d0 upstream. When unregistering fbdev using unregister_framebuffer(), any bound console will unbind automatically. This is working fine if this is the only framebuffer, resulting in a switch to the dummy console. However if there is a fb0 and I unregister fb1 having a bound console, I eventually get a crash. The fastest way for me to trigger the crash is to do a reboot, resulting in this splat: [ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c [ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm] [ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4 [ 76.478933] Hardware name: BCM2835 [ 76.478949] Backtrace: [ 76.478995] [] (dump_backtrace) from [] (show_stack+0x20/0x24) [ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81 [ 76.479060] [] (show_stack) from [] (dump_stack+0x20/0x28) [ 76.479102] [] (dump_stack) from [] (__warn+0xec/0x12c) [ 76.479134] [] (__warn) from [] (warn_slowpath_null+0x4c/0x58) [ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84 [ 76.479197] [] (warn_slowpath_null) from [] (__queue_work+0x2d4/0x41c) [ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700 [ 76.479251] [] (__queue_work) from [] (queue_work_on+0x60/0x88) [ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00 [ 76.479298] r4:20000113 [ 76.479348] [] (queue_work_on) from [] (cursor_timer_handler+0x30/0x54) [ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc [ 76.479413] [] (cursor_timer_handler) from [] (call_timer_fn+0x100/0x230) [ 76.479435] r4:c0e9192f r3:d758a340 [ 76.479465] [] (call_timer_fn) from [] (expire_timers+0x10c/0x12c) [ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8 [ 76.479513] r4:d8a8fabc [ 76.479541] [] (expire_timers) from [] (run_timer_softirq+0xa8/0x184) [ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280 [ 76.479603] [] (run_timer_softirq) from [] (__do_softirq+0x1ac/0x3fc) [ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002 [ 76.479650] r4:c0eb65ec [ 76.479686] [] (__do_softirq) from [] (irq_exit+0xe8/0x168) [ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0 [ 76.479734] r4:00000000 [ 76.479764] [] (irq_exit) from [] (__handle_domain_irq+0x94/0xb0) [ 76.479793] [] (__handle_domain_irq) from [] (bcm2835_handle_irq+0x3c/0x48) [ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8 [ 76.479851] [] (bcm2835_handle_irq) from [] (__irq_svc+0x70/0x98) The problem is in the console rebinding in fbcon_fb_unbind(). It uses the virtual console index as the new framebuffer index to bind the console(s) to. The correct way is to use the con2fb_map lookup table to find the framebuffer index. Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer") Signed-off-by: Noralf Trønnes Reviewed-by: Mikulas Patocka Acked-by: Daniel Vetter Signed-off-by: Bartlomiej Zolnierkiewicz [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/video/console/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -3019,7 +3019,7 @@ static int fbcon_fb_unbind(int idx) for (i = first_fb_vc; i <= last_fb_vc; i++) { if (con2fb_map[i] != idx && con2fb_map[i] != -1) { - new_idx = i; + new_idx = con2fb_map[i]; break; } }