diff options
| author | Emil Lundmark <lndmrk@chromium.org> | 2018-05-28 10:27:11 -0400 |
|---|---|---|
| committer | Sean Paul <seanpaul@chromium.org> | 2018-09-10 16:02:51 -0400 |
| commit | fcb74da1eb8edd3a4ef9b9724f88ed709d684227 (patch) | |
| tree | 52716b37501469dd909df77ad9587f03109b6f70 | |
| parent | 3510e7a7f91088159bfc67e8abdc9f9e77d28870 (diff) | |
drm: udl: Destroy framebuffer only if it was initialized
This fixes a NULL pointer dereference that can happen if the UDL
driver is unloaded before the framebuffer is initialized. This can
happen e.g. if the USB device is unplugged right after it was plugged
in.
As explained by Stéphane Marchesin:
It happens when fbdev is disabled (which is the case for Chrome OS).
Even though intialization of the fbdev part is optional (it's done in
udlfb_create which is the callback for fb_probe()), the teardown isn't
optional (udl_driver_unload -> udl_fbdev_cleanup ->
udl_fbdev_destroy).
Note that udl_fbdev_cleanup *tries* to be conditional (you can see it
does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is
always set during udl_fbdev_init.
Cc: stable@vger.kernel.org
Suggested-by: Sean Paul <seanpaul@chromium.org>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Emil Lundmark <lndmrk@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20180528142711.142466-1-lndmrk@chromium.org
Signed-off-by: Sean Paul <seanpaul@chromium.org>
| -rw-r--r-- | drivers/gpu/drm/udl/udl_fb.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c index dbb62f6eb48a..dd9ffded223b 100644 --- a/drivers/gpu/drm/udl/udl_fb.c +++ b/drivers/gpu/drm/udl/udl_fb.c | |||
| @@ -432,9 +432,11 @@ static void udl_fbdev_destroy(struct drm_device *dev, | |||
| 432 | { | 432 | { |
| 433 | drm_fb_helper_unregister_fbi(&ufbdev->helper); | 433 | drm_fb_helper_unregister_fbi(&ufbdev->helper); |
| 434 | drm_fb_helper_fini(&ufbdev->helper); | 434 | drm_fb_helper_fini(&ufbdev->helper); |
| 435 | drm_framebuffer_unregister_private(&ufbdev->ufb.base); | 435 | if (ufbdev->ufb.obj) { |
| 436 | drm_framebuffer_cleanup(&ufbdev->ufb.base); | 436 | drm_framebuffer_unregister_private(&ufbdev->ufb.base); |
| 437 | drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); | 437 | drm_framebuffer_cleanup(&ufbdev->ufb.base); |
| 438 | drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base); | ||
| 439 | } | ||
| 438 | } | 440 | } |
| 439 | 441 | ||
| 440 | int udl_fbdev_init(struct drm_device *dev) | 442 | int udl_fbdev_init(struct drm_device *dev) |