diff mbox series

drm/bridge: adv7511: fix race condition bug in adv7511_remove due to unfinished work

Message ID 20230308173433.2788833-1-zyytlz.wz@163.com
State New
Headers
Series drm/bridge: adv7511: fix race condition bug in adv7511_remove due to unfinished work |

Commit Message

Zheng Wang March 8, 2023, 5:34 p.m. UTC 
  In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
If we call adv7511_remove with a unfinished work. There may be a 
race condition where bridge->hpd_mutex was destroyed by 
drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.

Fix it by canceling the work before cleanup in adv7511_remove.

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
---
 drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Neil Armstrong March 15, 2023, 9:08 a.m. UTC | #1 
Hi,

On 08/03/2023 18:34, Zheng Wang wrote:
> In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
> If we call adv7511_remove with a unfinished work. There may be a
> race condition where bridge->hpd_mutex was destroyed by
> drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.
> 
> Fix it by canceling the work before cleanup in adv7511_remove.
> 

Can you add the relevant Fixes tag ?

Thanks,
Neil

> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> ---
>   drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> index ddceafa7b637..9bf72dd6c1d3 100644
> --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> @@ -1349,6 +1349,7 @@ static void adv7511_remove(struct i2c_client *i2c)
>   {
>   	struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
>   
> +	cancel_work_sync(&adv7511->hpd_work);
>   	adv7511_uninit_regulators(adv7511);
>   
>   	drm_bridge_remove(&adv7511->bridge);
Zheng Hacker March 15, 2023, 9:20 a.m. UTC | #2 
<neil.armstrong@linaro.org> 于2023年3月15日周三 17:08写道:
>
> Hi,
>
> On 08/03/2023 18:34, Zheng Wang wrote:
> > In adv7511_probe, adv7511->hpd_work is bound with adv7511_hpd_work.
> > If we call adv7511_remove with a unfinished work. There may be a
> > race condition where bridge->hpd_mutex was destroyed by
> > drm_bridge_remove and used in adv7511_hpd_work in drm_bridge_hpd_notify.
> >
> > Fix it by canceling the work before cleanup in adv7511_remove.
> >
>
> Can you add the relevant Fixes tag ?
>

Hi Neil,

Thanks for your reply and kind reminder. Sorry for my mistake. I'll
append more messages in the next version of patch.

Best regards,
Zheng

> Thanks,
> Neil
>
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > ---
> >   drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > index ddceafa7b637..9bf72dd6c1d3 100644
> > --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
> > @@ -1349,6 +1349,7 @@ static void adv7511_remove(struct i2c_client *i2c)
> >   {
> >       struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
> >
> > +     cancel_work_sync(&adv7511->hpd_work);
> >       adv7511_uninit_regulators(adv7511);
> >
> >       drm_bridge_remove(&adv7511->bridge);
>
diff mbox series

Patch

diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index ddceafa7b637..9bf72dd6c1d3 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1349,6 +1349,7 @@  static void adv7511_remove(struct i2c_client *i2c)
 {
 	struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
 
+	cancel_work_sync(&adv7511->hpd_work);
 	adv7511_uninit_regulators(adv7511);
 
 	drm_bridge_remove(&adv7511->bridge);