• Philipp Zabel's avatar
    drm/imx: fix use after free · ba807c94
    Philipp Zabel authored
    Component driver structures allocated with devm_kmalloc() in bind() are
    freed automatically after unbind(). Since the contained drm structures
    are accessed afterwards in drm_mode_config_cleanup(), move the
    allocation into probe() to extend the driver structure's lifetime to the
    lifetime of the device. This should eventually be changed to use drm
    resource managed allocations with lifetime of the drm device.
    
    We also need to ensure that all componets are available during the
    unbind() so we need to call component_unbind_all() before we free
    non-devres resources like planes.
    
    Note this patch fixes the the use after free bug but introduces a
    possible boot loop issue. The issue is triggered if the HDMI support is
    enabled and a component driver always return -EPROBE_DEFER, see
    discussion [1] for more details.
    
    [1] https://lkml.org/lkml/2020/3/24/1467
    
    Fixes: 17b5001b ("imx-drm: convert to componentised device support")
    Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
    [m.felsch@pengutronix: fix imx_tve_probe()]
    [m.felsch@pengutronix: resort component_unbind_all())
    [m.felsch@pengutronix: adapt commit message]
    Signed-off-by: default avatarMarco Felsch <m.felsch@pengutronix.de>
    Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
    ba807c94
imx-drm-core.c 8.95 KB