From patchwork Mon May 28 14:27:11 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Emil Lundmark <lndmrk@chromium.org>
X-Patchwork-Id: 10434487
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	69583602CC for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 29 May 2018 07:14:18 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 560172811E
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 29 May 2018 07:14:18 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 48CF22818E; Tue, 29 May 2018 07:14:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,HK_RANDOM_FROM,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id CCD672818A
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Tue, 29 May 2018 07:14:17 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 717A86E373;
	Tue, 29 May 2018 07:13:48 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mail-wr0-x242.google.com (mail-wr0-x242.google.com
	[IPv6:2a00:1450:400c:c0c::242])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 327B36E123
	for <dri-devel@lists.freedesktop.org>;
	Mon, 28 May 2018 14:27:20 +0000 (UTC)
Received: by mail-wr0-x242.google.com with SMTP id d2-v6so5129847wrm.10
	for <dri-devel@lists.freedesktop.org>;
	Mon, 28 May 2018 07:27:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=HcJKhRStqlklrM9gCKdmcdegpxBhfxJrn2A3mCGImNY=;
	b=d6NYXFjtYcQs/4kliW8Z/apphXHKsFlVEiAaVqrKpVTTjkgQHu6bPnFATW1+iDs/mD
	kfEM/STWRvLc7Ezi5DOvw7cYaVESdr5FF6hNOhIh1wONmrdigXvdK4K65C5QBoGtsPAI
	Fqe66cpneHJ1f4klVOa0+THkpfbgW9/SvEOQhrp7GI7jgyfDPFh7chHVW0IhkXHhXOtu
	mkymx3YRky98iuLGZFI2LF66lkeWeaVSbKYpdI8IERfmWPEk4iKul9FG9K1nciK+K5tG
	Vl8jjuDu8asfwPy/Sn5czNb+zOZ1PCli2UEUFJ4wErGqJewxr1rszCdsy/x3k7xceuxx
	WOQQ==
X-Gm-Message-State: ALKqPwf/rvzLuljFKgjDmpfDV+9qhjYwwNPN0o9jjpe1Q1MseGMvIpUV
	3i4dHK0TDMAbAX6G93uBNF9ZJ2l9Ri4=
X-Google-Smtp-Source: 
 ADUXVKIxEG8xkTZug7dhFffp+qHpdPU+sgR5aQOdSxHm/dELNUWCxbIJcr4A177XlGgdrp7WM45ItA==
X-Received: by 2002:a19:949d:: with SMTP id
	o29-v6mr7285828lfk.56.1527517638507;
	Mon, 28 May 2018 07:27:18 -0700 (PDT)
Received: from osmium.lul.corp.google.com
	([2620:0:1043:1:87e6:358b:26fd:3e7])
	by smtp.gmail.com with ESMTPSA id
	q133-v6sm6885706lfe.27.2018.05.28.07.27.17
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 28 May 2018 07:27:17 -0700 (PDT)
From: Emil Lundmark <lndmrk@chromium.org>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH v2] drm: udl: Destroy framebuffer only if it was initialized
Date: Mon, 28 May 2018 16:27:11 +0200
Message-Id: <20180528142711.142466-1-lndmrk@chromium.org>
In-Reply-To: <20180420115001.161745-1-lndmrk@chromium.org>
References: <20180420115001.161745-1-lndmrk@chromium.org>
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 29 May 2018 07:13:42 +0000
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Cc: Emil Lundmark <lndmrk@chromium.org>, linux-kernel@vger.kernel.org,
	Dave Airlie <airlied@redhat.com>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

This fixes a NULL pointer dereference that can happen if the UDL
driver is unloaded before the framebuffer is initialized. This can
happen e.g. if the USB device is unplugged right after it was plugged
in.

As explained by Stéphane Marchesin:

It happens when fbdev is disabled (which is the case for Chrome OS).
Even though intialization of the fbdev part is optional (it's done in
udlfb_create which is the callback for fb_probe()), the teardown isn't
optional (udl_driver_unload -> udl_fbdev_cleanup ->
udl_fbdev_destroy).

Note that udl_fbdev_cleanup *tries* to be conditional (you can see it
does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is
always set during udl_fbdev_init.

Suggested-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Emil Lundmark <lndmrk@chromium.org>
---
Changes in v2:
- Updated commit message with explanation from Stéphane Marchesin

 drivers/gpu/drm/udl/udl_fb.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
index 2ebdc6d5a76e..5754e37f741b 100644
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -426,9 +426,11 @@ static void udl_fbdev_destroy(struct drm_device *dev,
 {
 	drm_fb_helper_unregister_fbi(&ufbdev->helper);
 	drm_fb_helper_fini(&ufbdev->helper);
-	drm_framebuffer_unregister_private(&ufbdev->ufb.base);
-	drm_framebuffer_cleanup(&ufbdev->ufb.base);
-	drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base);
+	if (ufbdev->ufb.obj) {
+		drm_framebuffer_unregister_private(&ufbdev->ufb.base);
+		drm_framebuffer_cleanup(&ufbdev->ufb.base);
+		drm_gem_object_put_unlocked(&ufbdev->ufb.obj->base);
+	}
 }
 
 int udl_fbdev_init(struct drm_device *dev)