On 16.10.2018 18:09, Stefan Agner wrote: > This reverts commit 8e3b16e2117409625b89807de3912ff773aea354. > > Using the component framework requires all components to undo in > ->unbind what ->bind does. Unfortunately that particular commit > broke this rule. In particular, this is an issue if a single > component during probe fails. In that case, component_bind_all() > calls unbind on already succussfully bound components, and then > frees memory allocated using devm. If one of those components > registered e.g. an encoder with the framework then this leads to > use after free situations. > > Revert the commit to ensure that all components properly undo > what ->bind does. After Lucas comment mentioning HDMI unbind is not proper I looked through all the unbind again. The other unbind functions need some fixing too. I did not bother checking whether those were always broken or just because things changed (the commit this is reverting was in 2016).... Here is what I found: > > Link: > https://www.mail-archive.com/dri-devel@xxxxxxxxxxxxxxxxxxxxx/msg233327.html > Suggested-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxx> > Signed-off-by: Stefan Agner <stefan@xxxxxxxx> > --- > drivers/gpu/drm/imx/imx-drm-core.c | 4 ++-- > drivers/gpu/drm/imx/imx-ldb.c | 6 ++++++ > drivers/gpu/drm/imx/imx-tve.c | 3 +++ > drivers/gpu/drm/imx/parallel-display.c | 3 +++ > 4 files changed, 14 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/imx/imx-drm-core.c > b/drivers/gpu/drm/imx/imx-drm-core.c > index 5ea0c82f9957..caa6061a98ba 100644 > --- a/drivers/gpu/drm/imx/imx-drm-core.c > +++ b/drivers/gpu/drm/imx/imx-drm-core.c > @@ -305,11 +305,11 @@ static void imx_drm_unbind(struct device *dev) > > drm_fb_cma_fbdev_fini(drm); > > - drm_mode_config_cleanup(drm); > - > component_unbind_all(drm->dev, drm); > dev_set_drvdata(dev, NULL); > > + drm_mode_config_cleanup(drm); > + > drm_dev_put(drm); > } > > diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c > index 3bd0f8a18e74..592aabc4a262 100644 > --- a/drivers/gpu/drm/imx/imx-ldb.c > +++ b/drivers/gpu/drm/imx/imx-ldb.c > @@ -723,6 +723,12 @@ static void imx_ldb_unbind(struct device *dev, > struct device *master, > if (channel->panel) > drm_panel_detach(channel->panel); > > + if (!channel->connector.funcs) > + continue; > + > + channel->connector.funcs->destroy(&channel->connector); > + channel->encoder.funcs->destroy(&channel->encoder); There can be an encoder and bridge, or an encoder and connector. All of them should be properly cleaned up. So I guess this should look like this: if (channel->panel) drm_panel_detach(channel->panel); if (channel->bridge) drm_bridge_detach(channel->bridge); if (channel->connector.funcs) channel->connector.funcs->destroy(&channel->connector); if (channel->encoder.funcs) channel->encoder.funcs->destroy(&channel->encoder); kfree(channel->edid); i2c_put_adapter(channel->ddc); The last two functions following are only strictly necessary when connector is initialized. But its safe to call them with null, so I would just call them always. > + > kfree(channel->edid); > i2c_put_adapter(channel->ddc); > } > diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c > index cffd3310240e..8d6e89ce1edb 100644 > --- a/drivers/gpu/drm/imx/imx-tve.c > +++ b/drivers/gpu/drm/imx/imx-tve.c > @@ -673,6 +673,9 @@ static void imx_tve_unbind(struct device *dev, > struct device *master, > { > struct imx_tve *tve = dev_get_drvdata(dev); > > + tve->connector.funcs->destroy(&tve->connector); > + tve->encoder.funcs->destroy(&tve->encoder); > + Cleanup of tve->ddc missing. > if (!IS_ERR(tve->dac_reg)) > regulator_disable(tve->dac_reg); > } > diff --git a/drivers/gpu/drm/imx/parallel-display.c > b/drivers/gpu/drm/imx/parallel-display.c > index aefd04e18f93..6f11bffcde37 100644 > --- a/drivers/gpu/drm/imx/parallel-display.c > +++ b/drivers/gpu/drm/imx/parallel-display.c > @@ -258,6 +258,9 @@ static void imx_pd_unbind(struct device *dev, > struct device *master, > if (imxpd->panel) > drm_panel_detach(imxpd->panel); > And in this case a bridge detach is missing. Will send a v2 with that addressed. -- Stefan > + imxpd->encoder.funcs->destroy(&imxpd->encoder); > + imxpd->connector.funcs->destroy(&imxpd->connector); > + > kfree(imxpd->edid); > } _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel
