releases/3.16.62/drm-udl-destroy-framebuffer-only-if-it-was-initialized.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Emil Lundmark <lndmrk@chromium.org>
 Date: Mon, 28 May 2018 16:27:11 +0200
 Subject: drm: udl: Destroy framebuffer only if it was initialized
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 commit fcb74da1eb8edd3a4ef9b9724f88ed709d684227 upstream.

 This fixes a NULL pointer dereference that can happen if the UDL
 driver is unloaded before the framebuffer is initialized. This can
 happen e.g. if the USB device is unplugged right after it was plugged
 in.

 As explained by Stéphane Marchesin:

 It happens when fbdev is disabled (which is the case for Chrome OS).
 Even though intialization of the fbdev part is optional (it's done in
 udlfb_create which is the callback for fb_probe()), the teardown isn't
 optional (udl_driver_unload -> udl_fbdev_cleanup ->
 udl_fbdev_destroy).

 Note that udl_fbdev_cleanup *tries* to be conditional (you can see it
 does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is
 always set during udl_fbdev_init.

 Suggested-by: Sean Paul <seanpaul@chromium.org>
 Reviewed-by: Sean Paul <seanpaul@chromium.org>
 Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
 Signed-off-by: Emil Lundmark <lndmrk@chromium.org>
 Signed-off-by: Sean Paul <seanpaul@chromium.org>
 Link: https://patchwork.freedesktop.org/patch/msgid/20180528142711.142466-1-lndmrk@chromium.org
 Signed-off-by: Sean Paul <seanpaul@chromium.org>
 [bwh: Backported to 3.16: adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  drivers/gpu/drm/udl/udl_fb.c | 8 +++++---
  1 file changed, 5 insertions(+), 3 deletions(-)

 --- a/drivers/gpu/drm/udl/udl_fb.c
 +++ b/drivers/gpu/drm/udl/udl_fb.c
 @@ -574,9 +574,11 @@ static void udl_fbdev_destroy(struct drm
  		framebuffer_release(info);
  	}
  	drm_fb_helper_fini(&ufbdev->helper);
 -	drm_framebuffer_unregister_private(&ufbdev->ufb.base);
 -	drm_framebuffer_cleanup(&ufbdev->ufb.base);
 -	drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
 +	if (ufbdev->ufb.obj) {
 +		drm_framebuffer_unregister_private(&ufbdev->ufb.base);
 +		drm_framebuffer_cleanup(&ufbdev->ufb.base);
 +		drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
 +	}
  }

  int udl_fbdev_init(struct drm_device *dev)
	From: Emil Lundmark <lndmrk@chromium.org>
	Date: Mon, 28 May 2018 16:27:11 +0200
	Subject: drm: udl: Destroy framebuffer only if it was initialized
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	commit fcb74da1eb8edd3a4ef9b9724f88ed709d684227 upstream.

	This fixes a NULL pointer dereference that can happen if the UDL
	driver is unloaded before the framebuffer is initialized. This can
	happen e.g. if the USB device is unplugged right after it was plugged
	in.

	As explained by Stéphane Marchesin:

	It happens when fbdev is disabled (which is the case for Chrome OS).
	Even though intialization of the fbdev part is optional (it's done in
	udlfb_create which is the callback for fb_probe()), the teardown isn't
	optional (udl_driver_unload -> udl_fbdev_cleanup ->
	udl_fbdev_destroy).

	Note that udl_fbdev_cleanup tries to be conditional (you can see it
	does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is
	always set during udl_fbdev_init.

	Suggested-by: Sean Paul <seanpaul@chromium.org>
	Reviewed-by: Sean Paul <seanpaul@chromium.org>
	Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
	Signed-off-by: Emil Lundmark <lndmrk@chromium.org>
	Signed-off-by: Sean Paul <seanpaul@chromium.org>
	Link: https://patchwork.freedesktop.org/patch/msgid/20180528142711.142466-1-lndmrk@chromium.org
	Signed-off-by: Sean Paul <seanpaul@chromium.org>
	[bwh: Backported to 3.16: adjust context]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	drivers/gpu/drm/udl/udl_fb.c \| 8 +++++---
	1 file changed, 5 insertions(+), 3 deletions(-)

	--- a/drivers/gpu/drm/udl/udl_fb.c
	+++ b/drivers/gpu/drm/udl/udl_fb.c
	@@ -574,9 +574,11 @@ static void udl_fbdev_destroy(struct drm
	framebuffer_release(info);
	}
	drm_fb_helper_fini(&ufbdev->helper);
	- drm_framebuffer_unregister_private(&ufbdev->ufb.base);
	- drm_framebuffer_cleanup(&ufbdev->ufb.base);
	- drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
	+ if (ufbdev->ufb.obj) {
	+ drm_framebuffer_unregister_private(&ufbdev->ufb.base);
	+ drm_framebuffer_cleanup(&ufbdev->ufb.base);
	+ drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
	+ }
	}

	int udl_fbdev_init(struct drm_device *dev)