In situations where a component fails to bind, a previously successfully bound component might already registered itself with the DRM framework (e.g. an encoder). When the master component then calls drm_mode_config_cleanup, we end up in a use after free sitution. Use the cleanup callback to make sure all framework level cleanup is done by the time we unbind components.
Signed-off-by: Stefan Agner <stefan@xxxxxxxx>
---
 drivers/gpu/drm/imx/imx-drm-core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c
index 5ea0c82f9957..b174a0ca9acb 100644
--- a/drivers/gpu/drm/imx/imx-drm-core.c
+++ b/drivers/gpu/drm/imx/imx-drm-core.c
@@ -288,8 +288,8 @@ static int imx_drm_bind(struct device *dev)
 err_unbind:
 #endif
 component_unbind_all(drm->dev, drm);
-err_kms:
 drm_mode_config_cleanup(drm);
+err_kms:
 drm_dev_put(drm);
 return ret;
@@ -313,9 +313,17 @@ static void imx_drm_unbind(struct device *dev)
 drm_dev_put(drm);
 }
+static void imx_drm_cleanup(struct device *dev)
+{
+ struct drm_device *drm = dev_get_drvdata(dev);
+
+ drm_mode_config_cleanup(drm);
+}
+
 static const struct component_master_ops imx_drm_ops = {
 .bind = imx_drm_bind,
 .unbind = imx_drm_unbind,
+ .cleanup = imx_drm_cleanup,
 };
 static int imx_drm_platform_probe(struct platform_device *pdev)
--
2.19.1
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
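Review bot: On the `err_unbind` fall-through in imx_drm_bind, `component_unbind_all(drm->dev, drm);` still runs before `drm_mode_config_cleanup(drm);`, which is the ordering the commit message identifies as the use after free, so that path looks unprotected unless the component core has already invoked `.cleanup` by then (not visible here). Paths that jump to `err_kms` now skip the mode-config teardown entirely and depend on that callback; if it is not invoked when bind itself returns an error, whatever was registered before the jump would be leaked. I would add a comment at the label, e.g. `/* mode config is torn down by imx_drm_cleanup() via the component master ops */`, and confirm the ordering for the `err_unbind` case. The function body starts and ends outside the hunk.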
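Review bot: `imx_drm_cleanup` passes whatever `dev_get_drvdata(dev)` returns straight to `drm_mode_config_cleanup(drm)`, and nothing in the hunk shows that the pointer is still valid when the component core invokes `.cleanup`. Both the error path of imx_drm_bind and the end of imx_drm_unbind call `drm_dev_put(drm);`, so if the callback can run after either of those, or before drvdata is set, it would operate on a NULL or already released device. A guard such as `if (!drm) return;`, together with clearing drvdata before the final put, would close that window, and a short comment above the function should state at which point the core calls it. If imx_drm_unbind, whose body starts outside the hunk, still calls drm_mode_config_cleanup itself, the teardown would also run twice.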