This still has the bug that I originally reported at: https://github.com/AsahiLinux/linux/issues/258 On Sun, Nov 24, 2024 at 11:29:25PM +0100, Sasha Finkelstein via B4 Relay wrote: > +static int adp_probe(struct platform_device *pdev) > +{ > + struct adp_drv_private *adp; > + int err; > + > + adp = devm_drm_dev_alloc(&pdev->dev, &adp_driver, struct adp_drv_private, drm); > + if (IS_ERR(adp)) > + return PTR_ERR(adp); Here a child device of pdev->dev is created. It is not a MIPI DSI device. > + > + spin_lock_init(&adp->irq_lock); > + > + dev_set_drvdata(&pdev->dev, &adp->drm); > + > + err = adp_parse_of(pdev, adp); > + if (err < 0) > + return err; > + > + adp->dsi.dev = &pdev->dev; > + adp->dsi.ops = &adp_dsi_host_ops; > + err = mipi_dsi_host_register(&adp->dsi); Here a MIPI DSI host is registered, with its device set to pdev->dev. It is expected that the child devices of a DSI host device are all MIPI DSI devices — see mipi_dsi_host_unregister() and mipi_dsi_remove_device_fn(). This means that, when mipi_dsi_host_unregister() is called, which it will be as part of unloading adpdrm, it will try to find the MIPI DSI device for adp using container_of() (via to_mipi_dsi_device()), but there isn't one, so it interprets some other memory as a struct mipi_dsi_device. For me, this causes a null pointer dereference. > + if (err < 0) > + return err; > + > + adp_disable_vblank(adp); > + writel(ADP_CTRL_FIFO_ON | ADP_CTRL_VBLANK_ON, adp->fe + ADP_CTRL); > + > + err = adp_setup_mode_config(adp); > + if (err < 0) > + return err; > + > + err = devm_request_irq(&pdev->dev, adp->fe_irq, adp_fe_irq, 0, > + "adp-fe", adp); > + if (err) > + return err; > + > + err = drm_dev_register(&adp->drm, 0); > + if (err) > + return err; > + return 0; > +}
Attachment:
signature.asc
Description: PGP signature
