drm/fb-helper: Avoid NULL ptr dereference in fb_set_suspend()
authorNoralf Trønnes <noralf@tronnes.org>
Mon, 28 Aug 2017 17:17:43 +0000 (19:17 +0200)
committerNoralf Trønnes <noralf@tronnes.org>
Sat, 2 Sep 2017 12:37:59 +0000 (14:37 +0200)
drm_fb_helper_resume_worker() uses fb_helper->fbdev to call
fb_set_suspend() which dereferences the pointer.
Move sync-canceling of the resume worker in drm_fb_helper_fini() before
setting fb_helper->fbdev to NULL. Move dirty_work as well.

Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1503940668-25883-2-git-send-email-noralf@tronnes.org
drivers/gpu/drm/drm_fb_helper.c

index 1b8f013ffa6503ec960cee3bdb9cb7c3fa78d2bc..6a31d13f2f81deda566074ac75b12618ff9c75ec 100644 (file)
@@ -910,6 +910,9 @@ void drm_fb_helper_fini(struct drm_fb_helper *fb_helper)
        if (!drm_fbdev_emulation || !fb_helper)
                return;
 
+       cancel_work_sync(&fb_helper->resume_work);
+       cancel_work_sync(&fb_helper->dirty_work);
+
        info = fb_helper->fbdev;
        if (info) {
                if (info->cmap.len)
@@ -918,9 +921,6 @@ void drm_fb_helper_fini(struct drm_fb_helper *fb_helper)
        }
        fb_helper->fbdev = NULL;
 
-       cancel_work_sync(&fb_helper->resume_work);
-       cancel_work_sync(&fb_helper->dirty_work);
-
        mutex_lock(&kernel_fb_helper_lock);
        if (!list_empty(&fb_helper->kernel_fb_list)) {
                list_del(&fb_helper->kernel_fb_list);