[PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback
@ 2021-06-17 11:19 Jonathan Liu
  2021-06-17 12:49 ` Marek Vasut
  2021-06-17 14:13 ` Laurent Pinchart
  0 siblings, 2 replies; 5+ messages in thread
From: Jonathan Liu @ 2021-06-17 11:19 UTC (permalink / raw)
  To: dri-devel, linux-kernel
  Cc: Jonathan Liu, Andrzej Hajda, Neil Armstrong, Robert Foss,
	Laurent Pinchart, Jonas Karlman, Jernej Skrabec, David Airlie,
	Daniel Vetter, Linus Walleij, Marek Vasut, Frieder Schrempf

If attach has not been called, unloading the driver can result in a null
pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned
yet.

Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
Signed-off-by: Jonathan Liu <net147@gmail.com>
---
 drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
index 750f2172ef08..8e9f45c5c7c1 100644
--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
@@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client)
 {
 	struct sn65dsi83 *ctx = i2c_get_clientdata(client);
 
-	mipi_dsi_detach(ctx->dsi);
-	mipi_dsi_device_unregister(ctx->dsi);
+	if (ctx->dsi) {
+		mipi_dsi_detach(ctx->dsi);
+		mipi_dsi_device_unregister(ctx->dsi);
+	}
+
 	drm_bridge_remove(&ctx->bridge);
 	of_node_put(ctx->host_node);
 
-- 
2.32.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback
  2021-06-17 11:19 [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback Jonathan Liu
@ 2021-06-17 12:49 ` Marek Vasut
  2021-06-17 14:13 ` Laurent Pinchart
  1 sibling, 0 replies; 5+ messages in thread
From: Marek Vasut @ 2021-06-17 12:49 UTC (permalink / raw)
  To: Jonathan Liu, dri-devel, linux-kernel
  Cc: Andrzej Hajda, Neil Armstrong, Robert Foss, Laurent Pinchart,
	Jonas Karlman, Jernej Skrabec, David Airlie, Daniel Vetter,
	Linus Walleij, Frieder Schrempf

On 6/17/21 1:19 PM, Jonathan Liu wrote:
> If attach has not been called, unloading the driver can result in a null
> pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned
> yet.
> 
> Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
> Signed-off-by: Jonathan Liu <net147@gmail.com>
> ---
>   drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> index 750f2172ef08..8e9f45c5c7c1 100644
> --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client)
>   {
>   	struct sn65dsi83 *ctx = i2c_get_clientdata(client);
>   
> -	mipi_dsi_detach(ctx->dsi);
> -	mipi_dsi_device_unregister(ctx->dsi);
> +	if (ctx->dsi) {
> +		mipi_dsi_detach(ctx->dsi);
> +		mipi_dsi_device_unregister(ctx->dsi);
> +	}
> +
>   	drm_bridge_remove(&ctx->bridge);
>   	of_node_put(ctx->host_node);

Looks OK to me.

Reviewed-by: Marek Vasut <marex@denx.de>

Thanks !

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback
  2021-06-17 11:19 [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback Jonathan Liu
  2021-06-17 12:49 ` Marek Vasut
@ 2021-06-17 14:13 ` Laurent Pinchart
  2021-06-18  3:06   ` Jonathan Liu
  1 sibling, 1 reply; 5+ messages in thread
From: Laurent Pinchart @ 2021-06-17 14:13 UTC (permalink / raw)
  To: Jonathan Liu
  Cc: dri-devel, linux-kernel, Andrzej Hajda, Neil Armstrong,
	Robert Foss, Jonas Karlman, Jernej Skrabec, David Airlie,
	Daniel Vetter, Linus Walleij, Marek Vasut, Frieder Schrempf

Hi Jonathan,

Thank you for the patch.

On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote:
> If attach has not been called, unloading the driver can result in a null
> pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned
> yet.

Shouldn't this be done in a brige .detach() operation instead ?

> Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
> Signed-off-by: Jonathan Liu <net147@gmail.com>
> ---
>  drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> index 750f2172ef08..8e9f45c5c7c1 100644
> --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client)
>  {
>  	struct sn65dsi83 *ctx = i2c_get_clientdata(client);
>  
> -	mipi_dsi_detach(ctx->dsi);
> -	mipi_dsi_device_unregister(ctx->dsi);
> +	if (ctx->dsi) {
> +		mipi_dsi_detach(ctx->dsi);
> +		mipi_dsi_device_unregister(ctx->dsi);
> +	}
> +
>  	drm_bridge_remove(&ctx->bridge);
>  	of_node_put(ctx->host_node);
>  

-- 
Regards,

Laurent Pinchart

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback
  2021-06-17 14:13 ` Laurent Pinchart
@ 2021-06-18  3:06   ` Jonathan Liu
  2021-06-18  5:40     ` Marek Vasut
  0 siblings, 1 reply; 5+ messages in thread
From: Jonathan Liu @ 2021-06-18  3:06 UTC (permalink / raw)
  To: Laurent Pinchart, Marek Vasut
  Cc: dri-devel, linux-kernel, Andrzej Hajda, Neil Armstrong,
	Robert Foss, Jonas Karlman, Jernej Skrabec, David Airlie,
	Daniel Vetter, Linus Walleij, Frieder Schrempf

Hi Marek,

On Fri, 18 Jun 2021 at 00:14, Laurent Pinchart
<laurent.pinchart@ideasonboard.com> wrote:
>
> Hi Jonathan,
>
> Thank you for the patch.
>
> On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote:
> > If attach has not been called, unloading the driver can result in a null
> > pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned
> > yet.
>
> Shouldn't this be done in a brige .detach() operation instead ?
>

Could you please take a look?
I don't have a working setup to test moving the code to detach.

> > Fixes: ceb515ba29ba6b ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver")
> > Signed-off-by: Jonathan Liu <net147@gmail.com>
> > ---
> >  drivers/gpu/drm/bridge/ti-sn65dsi83.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> > index 750f2172ef08..8e9f45c5c7c1 100644
> > --- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> > +++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
> > @@ -671,8 +671,11 @@ static int sn65dsi83_remove(struct i2c_client *client)
> >  {
> >       struct sn65dsi83 *ctx = i2c_get_clientdata(client);
> >
> > -     mipi_dsi_detach(ctx->dsi);
> > -     mipi_dsi_device_unregister(ctx->dsi);
> > +     if (ctx->dsi) {
> > +             mipi_dsi_detach(ctx->dsi);
> > +             mipi_dsi_device_unregister(ctx->dsi);
> > +     }
> > +
> >       drm_bridge_remove(&ctx->bridge);
> >       of_node_put(ctx->host_node);
> >

Thanks.

Regards,
Jonathan

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback
  2021-06-18  3:06   ` Jonathan Liu
@ 2021-06-18  5:40     ` Marek Vasut
  0 siblings, 0 replies; 5+ messages in thread
From: Marek Vasut @ 2021-06-18  5:40 UTC (permalink / raw)
  To: Jonathan Liu, Laurent Pinchart
  Cc: dri-devel, linux-kernel, Andrzej Hajda, Neil Armstrong,
	Robert Foss, Jonas Karlman, Jernej Skrabec, David Airlie,
	Daniel Vetter, Linus Walleij, Frieder Schrempf

On 6/18/21 5:06 AM, Jonathan Liu wrote:
> Hi Marek,

Hi,

>> Hi Jonathan,
>>
>> Thank you for the patch.
>>
>> On Thu, Jun 17, 2021 at 09:19:25PM +1000, Jonathan Liu wrote:
>>> If attach has not been called, unloading the driver can result in a null
>>> pointer dereference in mipi_dsi_detach as ctx->dsi has not been assigned
>>> yet.
>>
>> Shouldn't this be done in a brige .detach() operation instead ?
>>
> 
> Could you please take a look?
> I don't have a working setup to test moving the code to detach.

I just replied to your other email regarding bringing the chip up, so 
please bring your setup up first, then test this patch again, and then 
let's revisit this topic.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-06-18  5:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-17 11:19 [PATCH] drm/bridge: ti-sn65dsi83: Fix null pointer dereference in remove callback Jonathan Liu
2021-06-17 12:49 ` Marek Vasut
2021-06-17 14:13 ` Laurent Pinchart
2021-06-18  3:06   ` Jonathan Liu
2021-06-18  5:40     ` Marek Vasut

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).