Patch "drm: mxsfb: Fix NULL pointer dereference crash on unload" has been added to the 5.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 24 Oct 2021 14:12:19 +0200

This is a note to let you know that I've just added the patch titled

    drm: mxsfb: Fix NULL pointer dereference crash on unload

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a Mon Sep 17 00:00:00 2001
From: Marek Vasut <marex@xxxxxxx>
Date: Sat, 16 Oct 2021 23:04:46 +0200
Subject: drm: mxsfb: Fix NULL pointer dereference crash on unload

From: Marek Vasut <marex@xxxxxxx>

commit 3cfc183052c3dbf8eae57b6c1685dab00ed3db4a upstream.

The mxsfb->crtc.funcs may already be NULL when unloading the driver,
in which case calling mxsfb_irq_disable() via drm_irq_uninstall() from
mxsfb_unload() leads to NULL pointer dereference.

Since all we care about is masking the IRQ and mxsfb->base is still
valid, just use that to clear and mask the IRQ.

Fixes: ae1ed00932819 ("drm: mxsfb: Stop using DRM simple display pipeline helper")
Signed-off-by: Marek Vasut <marex@xxxxxxx>
Cc: Daniel Abrecht <public@xxxxxxxxxxxxxxxx>
Cc: Emil Velikov <emil.l.velikov@xxxxxxxxx>
Cc: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
Cc: Sam Ravnborg <sam@xxxxxxxxxxxx>
Cc: Stefan Agner <stefan@xxxxxxxx>
Signed-off-by: Sam Ravnborg <sam@xxxxxxxxxxxx>
Link: https://patchwork.freedesktop.org/patch/msgid/20211016210446.171616-1-marex@xxxxxxx
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/gpu/drm/mxsfb/mxsfb_drv.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
@@ -268,7 +268,11 @@ static void mxsfb_irq_disable(struct drm
 	struct mxsfb_drm_private *mxsfb = drm->dev_private;
 
 	mxsfb_enable_axi_clk(mxsfb);
-	mxsfb->crtc.funcs->disable_vblank(&mxsfb->crtc);
+
+	/* Disable and clear VBLANK IRQ */
+	writel(CTRL1_CUR_FRAME_DONE_IRQ_EN, mxsfb->base + LCDC_CTRL1 + REG_CLR);
+	writel(CTRL1_CUR_FRAME_DONE_IRQ, mxsfb->base + LCDC_CTRL1 + REG_CLR);
+
 	mxsfb_disable_axi_clk(mxsfb);
 }
 


Patches currently in stable-queue which might be from marex@xxxxxxx are

queue-5.14/drm-mxsfb-fix-null-pointer-dereference-crash-on-unload.patch






