www.infradead.org Git - users/dwmw2/linux.git/commit

author	Emil Lundmark <lndmrk@chromium.org>
	Mon, 28 May 2018 14:27:11 +0000 (16:27 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 29 Sep 2018 09:56:00 +0000 (02:56 -0700)
commit	4cd5d680d8154ee3a061f6b36f1a4df6efa2da6c
tree	4403fb2de8b4c185a7d11f14c637c4c3f71d11fb	tree
parent	934df3d13fc60d8987f0b3e4920785355edf53fa	commit \| diff

drm: udl: Destroy framebuffer only if it was initialized

commit fcb74da1eb8edd3a4ef9b9724f88ed709d684227 upstream.

This fixes a NULL pointer dereference that can happen if the UDL
driver is unloaded before the framebuffer is initialized. This can
happen e.g. if the USB device is unplugged right after it was plugged
in.

As explained by Stéphane Marchesin:

It happens when fbdev is disabled (which is the case for Chrome OS).
Even though intialization of the fbdev part is optional (it's done in
udlfb_create which is the callback for fb_probe()), the teardown isn't
optional (udl_driver_unload -> udl_fbdev_cleanup ->
udl_fbdev_destroy).

Note that udl_fbdev_cleanup *tries* to be conditional (you can see it
does if (!udl->fbdev)) but that doesn't work, because udl->fbdev is
always set during udl_fbdev_init.

Cc: stable@vger.kernel.org
Suggested-by: Sean Paul <seanpaul@chromium.org>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Emil Lundmark <lndmrk@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20180528142711.142466-1-lndmrk@chromium.org
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>