[PATCH 1/2] drm/imx: fix use after free

Philipp Zabel p.zabel at pengutronix.de
Mon Jul 20 09:22:47 EDT 2020


On Thu, 2020-06-11 at 14:43 +0200, Marco Felsch wrote:
> From: Philipp Zabel <p.zabel at pengutronix.de>
> 
> Component driver structures allocated with devm_kmalloc() in bind() are
> freed automatically after unbind(). Since the contained drm structures
> are accessed afterwards in drm_mode_config_cleanup(), move the
> allocation into probe() to extend the driver structure's lifetime to the
> lifetime of the device. This should eventually be changed to use drm
> resource managed allocations with lifetime of the drm device.
> 
> We also need to ensure that all componets are available during the
> unbind() so we need to call component_unbind_all() before we free
> non-devres resources like planes.
> 
> Note this patch fixes the the use after free bug but introduces a
> possible boot loop issue. The issue is triggered if the HDMI support is
> enabled and a component driver always return -EPROBE_DEFER, see
> discussion [1] for more details.
> 
> [1] https://lkml.org/lkml/2020/3/24/1467
> 
> Fixes: 17b5001b5143 ("imx-drm: convert to componentised device support")
> Signed-off-by: Philipp Zabel <p.zabel at pengutronix.de>
> [m.felsch at pengutronix: fix imx_tve_probe()]
> [m.felsch at pengutronix: resort component_unbind_all())
> [m.felsch at pengutronix: adapt commit message]
> Signed-off-by: Marco Felsch <m.felsch at pengutronix.de>

Thank you, applied to imx-drm/next.

regards
Philipp



More information about the linux-arm-kernel mailing list