| Message ID | 20220615054254.16352-1-samuel@sholland.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | drm/sun4i: Fix crash during suspend after component bind failure | expand |
Dne sreda, 15. junij 2022 ob 07:42:53 CEST je Samuel Holland napisal(a): > If the component driver fails to bind, or is unbound, the driver data > for the top-level platform device points to a freed drm_device. If the > system is then suspended, the driver passes this dangling pointer to > drm_mode_config_helper_suspend(), which crashes. > > Fix this by only setting the driver data while the platform driver holds > a reference to the drm_device. > > Fixes: 624b4b48d9d8 ("drm: sun4i: Add support for suspending the display driver") > Signed-off-by: Samuel Holland <samuel@sholland.org> Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com> Best regards, Jernej
Hi, On Wed, Jun 15, 2022 at 12:42:53AM -0500, Samuel Holland wrote: > If the component driver fails to bind, or is unbound, the driver data > for the top-level platform device points to a freed drm_device. If the > system is then suspended, the driver passes this dangling pointer to > drm_mode_config_helper_suspend(), which crashes. > > Fix this by only setting the driver data while the platform driver holds > a reference to the drm_device. > > Fixes: 624b4b48d9d8 ("drm: sun4i: Add support for suspending the display driver") > Signed-off-by: Samuel Holland <samuel@sholland.org> Yeah, it's far from the only issue regarding structure lifetimes in the driver. We should convert as much as possible to the DRM-managed functions to fix those. Maxime
On Wed, 15 Jun 2022 00:42:53 -0500, Samuel Holland wrote: > If the component driver fails to bind, or is unbound, the driver data > for the top-level platform device points to a freed drm_device. If the > system is then suspended, the driver passes this dangling pointer to > drm_mode_config_helper_suspend(), which crashes. > > Fix this by only setting the driver data while the platform driver holds > a reference to the drm_device. > > [...] Applied to drm/drm-misc (drm-misc-fixes). Thanks! Maxime
diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c index 275f7e4a03ae..8841dba989ee 100644 --- a/drivers/gpu/drm/sun4i/sun4i_drv.c +++ b/drivers/gpu/drm/sun4i/sun4i_drv.c @@ -73,7 +73,6 @@ static int sun4i_drv_bind(struct device *dev) goto free_drm; } - dev_set_drvdata(dev, drm); drm->dev_private = drv; INIT_LIST_HEAD(&drv->frontend_list); INIT_LIST_HEAD(&drv->engine_list); @@ -114,6 +113,8 @@ static int sun4i_drv_bind(struct device *dev) drm_fbdev_generic_setup(drm, 32); + dev_set_drvdata(dev, drm); + return 0; finish_poll: @@ -130,6 +131,7 @@ static void sun4i_drv_unbind(struct device *dev) { struct drm_device *drm = dev_get_drvdata(dev); + dev_set_drvdata(dev, NULL); drm_dev_unregister(drm); drm_kms_helper_poll_fini(drm); drm_atomic_helper_shutdown(drm);
If the component driver fails to bind, or is unbound, the driver data for the top-level platform device points to a freed drm_device. If the system is then suspended, the driver passes this dangling pointer to drm_mode_config_helper_suspend(), which crashes. Fix this by only setting the driver data while the platform driver holds a reference to the drm_device. Fixes: 624b4b48d9d8 ("drm: sun4i: Add support for suspending the display driver") Signed-off-by: Samuel Holland <samuel@sholland.org> --- drivers/gpu/drm/sun4i/sun4i_drv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)