| Message ID | 20210617111925.162120-1-net147@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback | expand |
On 6/17/21 1:19 PM, Jonathan Liu wrote: > If attach has not been called, unloading the driver can result in a null > pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned > yet. > > Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") > Signed-off-by: Jonathan Liu <net147@gmail.com> > --- > drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > index 750f2172ef08..8e9f45c5c7c1 100644 > --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client) > { > struct sn65dsi83 *ctx = i2c_get_clientdata(client); > > - mipi_dsi_detach(ctx->dsi); > - mipi_dsi_device_unregister(ctx->dsi); > + if (ctx->dsi) { > + mipi_dsi_detach(ctx->dsi); > + mipi_dsi_device_unregister(ctx->dsi); > + } > + > drm_bridge_remove(&ctx->bridge); > of_node_put(ctx->host_node); Looks OK to me. Reviewed-by: Marek Vasut <marex@denx.de> Thanks !
Hi Jonathan, Thank you for the patch. On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote: > If attach has not been called, unloading the driver can result in a null > pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned > yet. Shouldn't this be done in a brige .detach() operation instead ? > Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") > Signed-off-by: Jonathan Liu <net147@gmail.com> > --- > drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > index 750f2172ef08..8e9f45c5c7c1 100644 > --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client) > { > struct sn65dsi83 *ctx = i2c_get_clientdata(client); > > - mipi_dsi_detach(ctx->dsi); > - mipi_dsi_device_unregister(ctx->dsi); > + if (ctx->dsi) { > + mipi_dsi_detach(ctx->dsi); > + mipi_dsi_device_unregister(ctx->dsi); > + } > + > drm_bridge_remove(&ctx->bridge); > of_node_put(ctx->host_node); >
Hi Marek, On Fri, 18 Jun 2021 at 00:14, Laurent Pinchart <laurent.pinchart@ideasonboard.com> wrote: > > Hi Jonathan, > > Thank you for the patch. > > On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote: > > If attach has not been called, unloading the driver can result in a null > > pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned > > yet. > > Shouldn't this be done in a brige .detach() operation instead ? > Could you please take a look? I don't have a working setup to test moving the code to detach. > > Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") > > Signed-off-by: Jonathan Liu <net147@gmail.com> > > --- > > drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++-- > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > > index 750f2172ef08..8e9f45c5c7c1 100644 > > --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c > > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c > > @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client) > > { > > struct sn65dsi83 *ctx = i2c_get_clientdata(client); > > > > - mipi_dsi_detach(ctx->dsi); > > - mipi_dsi_device_unregister(ctx->dsi); > > + if (ctx->dsi) { > > + mipi_dsi_detach(ctx->dsi); > > + mipi_dsi_device_unregister(ctx->dsi); > > + } > > + > > drm_bridge_remove(&ctx->bridge); > > of_node_put(ctx->host_node); > > Thanks. Regards, Jonathan
On 6/18/21 5:06 AM, Jonathan Liu wrote: > Hi Marek, Hi, >> Hi Jonathan, >> >> Thank you for the patch. >> >> On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote: >>> If attach has not been called, unloading the driver can result in a null >>> pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned >>> yet. >> >> Shouldn't this be done in a brige .detach() operation instead ? >> > > Could you please take a look? > I don't have a working setup to test moving the code to detach. I just replied to your other email regarding bringing the chip up, so please bring your setup up first, then test this patch again, and then let's revisit this topic.
diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c index 750f2172ef08..8e9f45c5c7c1 100644 --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client) { struct sn65dsi83 *ctx = i2c_get_clientdata(client); - mipi_dsi_detach(ctx->dsi); - mipi_dsi_device_unregister(ctx->dsi); + if (ctx->dsi) { + mipi_dsi_detach(ctx->dsi); + mipi_dsi_device_unregister(ctx->dsi); + } + drm_bridge_remove(&ctx->bridge); of_node_put(ctx->host_node);
If attach has not been called, unloading the driver can result in a null pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned yet. Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") Signed-off-by: Jonathan Liu <net147@gmail.com> --- drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)