[PATCH 1/6] drm/fb-helper: Avoid NULL ptr dereference in fb_set_suspend()

Noralf Trønnes noralf at tronnes.org
Sat Sep 2 12:46:50 UTC 2017


On 31.08.2017 11.30, Laurent Pinchart wrote:
> Hello,
>
> On Tuesday, 29 August 2017 00:34:57 EEST Daniel Vetter wrote:
>> On Mon, Aug 28, 2017 at 07:17:43PM +0200, Noralf Trønnes wrote:
>>> drm_fb_helper_resume_worker() uses fb_helper->fbdev to call
>>> fb_set_suspend() which dereferences the pointer.
>>> Move sync-canceling of the resume worker in drm_fb_helper_fini() before
>>> setting fb_helper->fbdev to NULL.
>>>
>>> Signed-off-by: Noralf Trønnes <noralf at tronnes.org>
>>> ---
>>>
>>>   drivers/gpu/drm/drm_fb_helper.c | 3 ++-
>>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c
>>> b/drivers/gpu/drm/drm_fb_helper.c index 1b8f013..2e33467 100644
>>> --- a/drivers/gpu/drm/drm_fb_helper.c
>>> +++ b/drivers/gpu/drm/drm_fb_helper.c
>>> @@ -910,6 +910,8 @@ void drm_fb_helper_fini(struct drm_fb_helper
>>> *fb_helper)>
>>>   	if (!drm_fbdev_emulation || !fb_helper)
>>>   	
>>>   		return;
>>>
>>> +	cancel_work_sync(&fb_helper->resume_work);
>>> +
>>>
>>>   	info = fb_helper->fbdev;
>>>   	if (info) {
>>>   	
>>>   		if (info->cmap.len)
>>>
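Review bot: the added `cancel_work_sync(&fb_helper->resume_work);` ahead of `info = fb_helper->fbdev;` has no comment saying that its position matters. The commit message states that the resume worker dereferences fb_helper->fbdev, so a later cleanup that moves this call back below `fb_helper->fbdev = NULL;` would bring the NULL dereference back. A one-line comment above the call, saying the worker must be stopped before fbdev is cleared, would protect the ordering. The commit message should also say why resume_work cannot be queued again between this cancel and the NULL assignment, because cancel_work_sync() only covers work that is pending or running at the time it is called.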
>>> @@ -918,7 +920,6 @@ void drm_fb_helper_fini(struct drm_fb_helper
>>> *fb_helper)>
>>>   	}
>>>   	fb_helper->fbdev = NULL;
>>>
>>> -	cancel_work_sync(&fb_helper->resume_work);
>>>
>>>   	cancel_work_sync(&fb_helper->dirty_work);
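Review bot: with the resume_work cancel removed here, `cancel_work_sync(&fb_helper->dirty_work);` is still left below `fb_helper->fbdev = NULL;`, so the dirty worker can still be running while fbdev is being torn down and cleared. Suggest moving it up next to the resume_work cancel at the top of drm_fb_helper_fini(), so that both workers are stopped before any state is released and the function does not depend on the dirty worker never touching fbdev.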
>> Hm, I would have moved both up, just for safety. Either way:
>>
>> Reviewed-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> I was going to mention the same, let's move both. With this changed,
>
> Reviewed-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>

Thanks, applied to drm-misc with change.

Noralf.

>>>   	mutex_lock(&kernel_fb_helper_lock);
>


