https://github.com/torvalds/linux
Revision 34a35bddb9382fc2663e3137875ee58928f7d704 authored by Stanislaw Gruszka on 05 September 2008, 21:00:22 UTC, committed by Linus Torvalds on 05 September 2008, 21:39:38 UTC
If framebuffer registration failed in platform driver ->probe() callback, dev_get_drvdata() points to freed memory region, but ->remove() function try to use it and the following oops occurs: Unable to handle kernel NULL pointer dereference at virtual address 00000228 pgd = c3a20000 [00000228] *pgd=23a2b031, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] Modules linked in: atmel_lcdfb(-) cfbcopyarea cfbimgblt cfbfillrect [last unloaded: atmel_lcdfb] CPU: 0 Not tainted (2.6.27-rc2 #116) PC is at atmel_lcdfb_remove+0x14/0xf8 [atmel_lcdfb] LR is at platform_drv_remove+0x20/0x24 pc : [<bf006bc4>] lr : [<c0157d28>] psr: a0000013 sp : c3a45e84 ip : c3a45ea0 fp : c3a45e9c r10: 00000002 r9 : c3a44000 r8 : c0026c04 r7 : 00000880 r6 : c02bb228 r5 : 00000000 r4 : c02bb230 r3 : bf007e3c r2 : c02bb230 r1 : 00000004 r0 : c02bb228 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 0005317f Table: 23a20000 DAC: 00000015 Process rmmod (pid: 6799, stack limit = 0xc3a44260) Stack: (0xc3a45e84 to 0xc3a46000) 5e80: c02bb230 bf007e3c bf007e3c c3a45eac c3a45ea0 c0157d28 bf006bc0 5ea0: c3a45ec4 c3a45eb0 c0156d20 c0157d18 c02bb230 c02bb2d8 c3a45ee0 c3a45ec8 5ec0: c0156da8 c0156cb8 bf007e3c bf007ee0 c02c8e14 c3a45efc c3a45ee4 c0156018 5ee0: c0156d50 bf007e3c bf007ee0 00000000 c3a45f18 c3a45f00 c0157220 c0155f9c 5f00: 00000000 bf007ee0 bf008000 c3a45f28 c3a45f1c c0157e34 c01571ec c3a45f38 5f20: c3a45f2c bf006ba8 c0157e30 c3a45fa4 c3a45f3c c005772c bf006ba4 656d7461 5f40: 636c5f6c 00626664 c004c988 c3a45f80 c3a45f5c 00000000 c3a45fb0 00000000 5f60: ffffffff becaccd8 00000880 00000000 000a5e80 00000001 bf007ee0 00000880 5f80: c3a45f84 00000000 becaccd4 00000002 000003df 00000081 00000000 c3a45fa8 5fa0: c0026a60 c0057584 00000002 000003df 00900081 000a5e80 00000880 00000000 5fc0: becaccd4 00000002 000003df 00000000 000a5e80 00000001 00000002 0000005f 5fe0: 4004f5ec becacbe8 0001a158 4004f5fc 20000010 00900081 f9ffbadf 7bbfb2bb Backtrace: [<bf006bb0>] (atmel_lcdfb_remove+0x0/0xf8 [atmel_lcdfb]) from [<c0157d28>] (platform_drv_remove+0x20/0x24) r6:bf007e3c r5:bf007e3c r4:c02bb230 [<c0157d08>] (platform_drv_remove+0x0/0x24) from [<c0156d20>] (__device_release_driver+0x78/0x98) [<c0156ca8>] (__device_release_driver+0x0/0x98) from [<c0156da8>] (driver_detach+0x68/0x90) r5:c02bb2d8 r4:c02bb230 [<c0156d40>] (driver_detach+0x0/0x90) from [<c0156018>] (bus_remove_driver+0x8c/0xb4) r6:c02c8e14 r5:bf007ee0 r4:bf007e3c [<c0155f8c>] (bus_remove_driver+0x0/0xb4) from [<c0157220>] (driver_unregister+0x44/0x48) r6:00000000 r5:bf007ee0 r4:bf007e3c [<c01571dc>] (driver_unregister+0x0/0x48) from [<c0157e34>] (platform_driver_unregister+0x14/0x18) r6:bf008000 r5:bf007ee0 r4:00000000 [<c0157e20>] (platform_driver_unregister+0x0/0x18) from [<bf006ba8>] (atmel_lcdfb_exit+0x14/0x1c [atmel_lcdfb]) [<bf006b94>] (atmel_lcdfb_exit+0x0/0x1c [atmel_lcdfb]) from [<c005772c>] (sys_delete_module+0x1b8/0x22c) [<c0057574>] (sys_delete_module+0x0/0x22c) from [<c0026a60>] (ret_fast_syscall+0x0/0x2c) r7:00000081 r6:000003df r5:00000002 r4:becaccd4 Code: e92dd870 e24cb004 e59050c4 e1a06000 (e5954228) ---[ end trace 85476b184d9e68d8 ]--- This patch fixes the oops. Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl> Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com> Acked-by: Krzysztof Helt <krzysztof.h1@wp.pl> Cc: Haavard Skinnemoen <hskinnemoen@atmel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 3cb5599
Tip revision: 34a35bddb9382fc2663e3137875ee58928f7d704 authored by Stanislaw Gruszka on 05 September 2008, 21:00:22 UTC
atmel_lcdfb: fix oops in rmmod when framebuffer fails to register
atmel_lcdfb: fix oops in rmmod when framebuffer fails to register
Tip revision: 34a35bd
| File | Mode | Size |
|---|---|---|
| a.out-core.h | -rw-r--r-- | 695 bytes |
| a.out.h | -rw-r--r-- | 179 bytes |
| alternative-asm.h | -rw-r--r-- | 109 bytes |
| alternative.h | -rw-r--r-- | 97 bytes |
| apic.h | -rw-r--r-- | 48 bytes |
| archparam-i386.h | -rw-r--r-- | 686 bytes |
| archparam-ppc.h | -rw-r--r-- | 144 bytes |
| archparam-x86_64.h | -rw-r--r-- | 625 bytes |
| asm.h | -rw-r--r-- | 73 bytes |
| atomic.h | -rw-r--r-- | 204 bytes |
| auxvec.h | -rw-r--r-- | 52 bytes |
| bitops.h | -rw-r--r-- | 168 bytes |
| boot.h | -rw-r--r-- | 76 bytes |
| bug.h | -rw-r--r-- | 76 bytes |
| bugs.h | -rw-r--r-- | 72 bytes |
| byteorder.h | -rw-r--r-- | 91 bytes |
| cache.h | -rw-r--r-- | 444 bytes |
| cacheflush.h | -rw-r--r-- | 94 bytes |
| calling.h | -rw-r--r-- | 167 bytes |
| checksum.h | -rw-r--r-- | 86 bytes |
| cmpxchg.h | -rw-r--r-- | 85 bytes |
| cobalt.h | -rw-r--r-- | 82 bytes |
| common.lds.S | -rw-r--r-- | 2.2 KB |
| cpufeature.h | -rw-r--r-- | 94 bytes |
| cputime.h | -rw-r--r-- | 109 bytes |
| current.h | -rw-r--r-- | 240 bytes |
| delay.h | -rw-r--r-- | 495 bytes |
| desc.h | -rw-r--r-- | 434 bytes |
| device.h | -rw-r--r-- | 129 bytes |
| div64.h | -rw-r--r-- | 77 bytes |
| dma-mapping.h | -rw-r--r-- | 2.3 KB |
| dma.h | -rw-r--r-- | 141 bytes |
| dwarf2.h | -rw-r--r-- | 187 bytes |
| elf-i386.h | -rw-r--r-- | 4.8 KB |
| elf-ppc.h | -rw-r--r-- | 1.1 KB |
| elf-x86_64.h | -rw-r--r-- | 3.6 KB |
| emergency-restart.h | -rw-r--r-- | 149 bytes |
| errno.h | -rw-r--r-- | 79 bytes |
| fcntl.h | -rw-r--r-- | 79 bytes |
| fixmap.h | -rw-r--r-- | 3.0 KB |
| floppy.h | -rw-r--r-- | 82 bytes |
| frame.h | -rw-r--r-- | 79 bytes |
| futex.h | -rw-r--r-- | 82 bytes |
| hardirq.h | -rw-r--r-- | 592 bytes |
| highmem.h | -rw-r--r-- | 224 bytes |
| host_ldt-i386.h | -rw-r--r-- | 881 bytes |
| host_ldt-x86_64.h | -rw-r--r-- | 1.0 KB |
| hw_irq.h | -rw-r--r-- | 107 bytes |
| ide.h | -rw-r--r-- | 73 bytes |
| io.h | -rw-r--r-- | 1.3 KB |
| ioctl.h | -rw-r--r-- | 79 bytes |
| ioctls.h | -rw-r--r-- | 82 bytes |
| ipcbuf.h | -rw-r--r-- | 82 bytes |
| irq.h | -rw-r--r-- | 454 bytes |
| irq_regs.h | -rw-r--r-- | 34 bytes |
| irq_vectors.h | -rw-r--r-- | 515 bytes |
| irqflags.h | -rw-r--r-- | 77 bytes |
| kdebug.h | -rw-r--r-- | 32 bytes |
| kmap_types.h | -rw-r--r-- | 490 bytes |
| ldt.h | -rw-r--r-- | 715 bytes |
| linkage.h | -rw-r--r-- | 93 bytes |
| local.h | -rw-r--r-- | 79 bytes |
| locks.h | -rw-r--r-- | 79 bytes |
| mca_dma.h | -rw-r--r-- | 85 bytes |
| mman.h | -rw-r--r-- | 76 bytes |
| mmu.h | -rw-r--r-- | 514 bytes |
| mmu_context.h | -rw-r--r-- | 1.3 KB |
| module-generic.h | -rw-r--r-- | 98 bytes |
| module-i386.h | -rw-r--r-- | 196 bytes |
| module-x86_64.h | -rw-r--r-- | 638 bytes |
| msgbuf.h | -rw-r--r-- | 82 bytes |
| mtrr.h | -rw-r--r-- | 76 bytes |
| mutex.h | -rw-r--r-- | 308 bytes |
| nops.h | -rw-r--r-- | 76 bytes |
| page.h | -rw-r--r-- | 3.4 KB |
| page_offset.h | -rw-r--r-- | 38 bytes |
| param.h | -rw-r--r-- | 403 bytes |
| paravirt.h | -rw-r--r-- | 88 bytes |
| pci.h | -rw-r--r-- | 120 bytes |
| pda.h | -rw-r--r-- | 636 bytes |
| percpu.h | -rw-r--r-- | 82 bytes |
| pgalloc.h | -rw-r--r-- | 1.8 KB |
| pgtable-2level.h | -rw-r--r-- | 1.5 KB |
| pgtable-3level.h | -rw-r--r-- | 3.6 KB |
| pgtable.h | -rw-r--r-- | 9.4 KB |
| poll.h | -rw-r--r-- | 76 bytes |
| posix_types.h | -rw-r--r-- | 97 bytes |
| prctl.h | -rw-r--r-- | 79 bytes |
| processor-generic.h | -rw-r--r-- | 2.8 KB |
| processor-i386.h | -rw-r--r-- | 1.8 KB |
| processor-ppc.h | -rw-r--r-- | 206 bytes |
| processor-x86_64.h | -rw-r--r-- | 1.2 KB |
| ptrace-generic.h | -rw-r--r-- | 1.5 KB |
| ptrace-i386.h | -rw-r--r-- | 1.8 KB |
| ptrace-x86_64.h | -rw-r--r-- | 2.4 KB |
| required-features.h | -rw-r--r-- | 172 bytes |
| resource.h | -rw-r--r-- | 88 bytes |
| rwlock.h | -rw-r--r-- | 82 bytes |
| rwsem.h | -rw-r--r-- | 83 bytes |
| scatterlist.h | -rw-r--r-- | 97 bytes |
| sections.h | -rw-r--r-- | 122 bytes |
| segment.h | -rw-r--r-- | 246 bytes |
| sembuf.h | -rw-r--r-- | 82 bytes |
| serial.h | -rw-r--r-- | 82 bytes |
| setup.h | -rw-r--r-- | 234 bytes |
| shmbuf.h | -rw-r--r-- | 82 bytes |
| shmparam.h | -rw-r--r-- | 88 bytes |
| sigcontext-generic.h | -rw-r--r-- | 110 bytes |
| sigcontext-i386.h | -rw-r--r-- | 107 bytes |
| sigcontext-ppc.h | -rw-r--r-- | 150 bytes |
| sigcontext-x86_64.h | -rw-r--r-- | 546 bytes |
| siginfo.h | -rw-r--r-- | 85 bytes |
| signal.h | -rw-r--r-- | 746 bytes |
| smp.h | -rw-r--r-- | 567 bytes |
| socket.h | -rw-r--r-- | 82 bytes |
| sockios.h | -rw-r--r-- | 85 bytes |
| spinlock.h | -rw-r--r-- | 88 bytes |
| spinlock_types.h | -rw-r--r-- | 106 bytes |
| stat.h | -rw-r--r-- | 76 bytes |
| statfs.h | -rw-r--r-- | 80 bytes |
| string.h | -rw-r--r-- | 109 bytes |
| suspend.h | -rw-r--r-- | 54 bytes |
| system-generic.h | -rw-r--r-- | 1.3 KB |
| system-i386.h | -rw-r--r-- | 99 bytes |
| system-ppc.h | -rw-r--r-- | 178 bytes |
| system-x86_64.h | -rw-r--r-- | 537 bytes |
| termbits.h | -rw-r--r-- | 88 bytes |
| termios.h | -rw-r--r-- | 85 bytes |
| thread_info.h | -rw-r--r-- | 2.3 KB |
| timex.h | -rw-r--r-- | 170 bytes |
| tlb.h | -rw-r--r-- | 3.2 KB |
| tlbflush.h | -rw-r--r-- | 978 bytes |
| topology.h | -rw-r--r-- | 97 bytes |
| types.h | -rw-r--r-- | 79 bytes |
| uaccess.h | -rw-r--r-- | 2.6 KB |
| ucontext.h | -rw-r--r-- | 94 bytes |
| unaligned.h | -rw-r--r-- | 123 bytes |
| unistd.h | -rw-r--r-- | 1.1 KB |
| user.h | -rw-r--r-- | 76 bytes |
| vga.h | -rw-r--r-- | 73 bytes |
| vm-flags-i386.h | -rw-r--r-- | 311 bytes |
| vm-flags-x86_64.h | -rw-r--r-- | 925 bytes |
| vm86.h | -rw-r--r-- | 76 bytes |
| xor.h | -rw-r--r-- | 76 bytes |
Computing file changes ...
