drm/mediatek: Clean dangling pointer on bind error path

Message ID	20221121223717.3429913-1-nfraprado@collabora.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> sender: nfraprado) by madras.collabora.co.uk (Postfix) with ESMTPSA id 58A616602A54; Mon, 21 Nov 2022 22:37:20 +0000 (GMT) From: =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= <nfraprado@collabora.com> To: Chun-Kuang Hu <chunkuang.hu@kernel.org> Cc: kernel@collabora.com, AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>, "Nancy . Lin" <nancy.lin@mediatek.com>, =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4g?= =?utf-8?b?UHJhZG8=?= <nfraprado@collabora.com>, Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@gmail.com>, Matthias Brugger <matthias.bgg@gmail.com>, Philipp Zabel <p.zabel@pengutronix.de>, dri-devel@lists.freedesktop.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org Subject: [PATCH] drm/mediatek: Clean dangling pointer on bind error path Date: Mon, 21 Nov 2022 17:37:17 -0500 Message-Id: <20221121223717.3429913-1-nfraprado@collabora.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	drm/mediatek: Clean dangling pointer on bind error path \| expand drm/mediatek: Clean dangling pointer on bind error path

Message ID

20221121223717.3429913-1-nfraprado@collabora.com (mailing list archive)

State

New, archived

Headers

From: =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4gUHJhZG8=?= <nfraprado@collabora.com>
To: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Cc: kernel@collabora.com,
 AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>,
 "Nancy . Lin" <nancy.lin@mediatek.com>, =?utf-8?b?TsOtY29sYXMgRi4gUi4gQS4g?=
	=?utf-8?b?UHJhZG8=?= <nfraprado@collabora.com>,
 Daniel Vetter <daniel@ffwll.ch>, David Airlie <airlied@gmail.com>,
 Matthias Brugger <matthias.bgg@gmail.com>,
 Philipp Zabel <p.zabel@pengutronix.de>, dri-devel@lists.freedesktop.org,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org
Subject: [PATCH] drm/mediatek: Clean dangling pointer on bind error path
Date: Mon, 21 Nov 2022 17:37:17 -0500
Message-Id: <20221121223717.3429913-1-nfraprado@collabora.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Series

drm/mediatek: Clean dangling pointer on bind error path | expand

Commit Message

Nícolas F. R. A. Prado Nov. 21, 2022, 10:37 p.m. UTC

mtk_drm_bind() can fail, in which case drm_dev_put() is called,
destroying the drm_device object. However a pointer to it was still
being held in the private object, and that pointer would be passed along
to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that
point, resulting in a panic. Clean the pointer when destroying the
object in the error path to prevent this from happening.

Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>

---

 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
 1 file changed, 1 insertion(+)

Comments

AngeloGioacchino Del Regno Nov. 22, 2022, 9:12 a.m. UTC | #1

Il 21/11/22 23:37, Nícolas F. R. A. Prado ha scritto:
> mtk_drm_bind() can fail, in which case drm_dev_put() is called,
> destroying the drm_device object. However a pointer to it was still
> being held in the private object, and that pointer would be passed along
> to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that
> point, resulting in a panic. Clean the pointer when destroying the
> object in the error path to prevent this from happening.
> 
> Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
> 

Fixes tag please! :-)

Cheers,
Angelo

> ---
> 
>   drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> index 39a42dc8fb85..a21ff1b3258c 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
> @@ -514,6 +514,7 @@ static int mtk_drm_bind(struct device *dev)
>   err_deinit:
>   	mtk_drm_kms_deinit(drm);
>   err_free:
> +	private->drm = NULL;
>   	drm_dev_put(drm);
>   	return ret;
>   }

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 39a42dc8fb85..a21ff1b3258c 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -514,6 +514,7 @@  static int mtk_drm_bind(struct device *dev)
 err_deinit:
 	mtk_drm_kms_deinit(drm);
 err_free:
+	private->drm = NULL;
 	drm_dev_put(drm);
 	return ret;
 }

drm/mediatek: Clean dangling pointer on bind error path

Commit Message

Comments

Patch