From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sasha Levin Date: Mon, 28 Jan 2019 16:23:41 +0000 Subject: [PATCH AUTOSEL 4.4 60/80] fbdev: fbcon: Fix unregister crash when more than one framebuffer Message-Id: <20190128162401.58841-60-sashal@kernel.org> List-Id: References: <20190128162401.58841-1-sashal@kernel.org> In-Reply-To: <20190128162401.58841-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Sasha Levin , linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Bartlomiej Zolnierkiewicz From: Noralf Trønnes [ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ] When unregistering fbdev using unregister_framebuffer(), any bound console will unbind automatically. This is working fine if this is the only framebuffer, resulting in a switch to the dummy console. However if there is a fb0 and I unregister fb1 having a bound console, I eventually get a crash. The fastest way for me to trigger the crash is to do a reboot, resulting in this splat: [ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c [ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm] [ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4 [ 76.478933] Hardware name: BCM2835 [ 76.478949] Backtrace: [ 76.478995] [] (dump_backtrace) from [] (show_stack+0x20/0x24) [ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81 [ 76.479060] [] (show_stack) from [] (dump_stack+0x20/0x28) [ 76.479102] [] (dump_stack) from [] (__warn+0xec/0x12c) [ 76.479134] [] (__warn) from [] (warn_slowpath_null+0x4c/0x58) [ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84 [ 76.479197] [] (warn_slowpath_null) from [] (__queue_work+0x2d4/0x41c) [ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700 [ 76.479251] [] (__queue_work) from [] (queue_work_on+0x60/0x88) [ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00 [ 76.479298] r4:20000113 [ 76.479348] [] (queue_work_on) from [] (cursor_timer_handler+0x30/0x54) [ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc [ 76.479413] [] (cursor_timer_handler) from [] (call_timer_fn+0x100/0x230) [ 76.479435] r4:c0e9192f r3:d758a340 [ 76.479465] [] (call_timer_fn) from [] (expire_timers+0x10c/0x12c) [ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8 [ 76.479513] r4:d8a8fabc [ 76.479541] [] (expire_timers) from [] (run_timer_softirq+0xa8/0x184) [ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280 [ 76.479603] [] (run_timer_softirq) from [] (__do_softirq+0x1ac/0x3fc) [ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002 [ 76.479650] r4:c0eb65ec [ 76.479686] [] (__do_softirq) from [] (irq_exit+0xe8/0x168) [ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0 [ 76.479734] r4:00000000 [ 76.479764] [] (irq_exit) from [] (__handle_domain_irq+0x94/0xb0) [ 76.479793] [] (__handle_domain_irq) from [] (bcm2835_handle_irq+0x3c/0x48) [ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8 [ 76.479851] [] (bcm2835_handle_irq) from [] (__irq_svc+0x70/0x98) The problem is in the console rebinding in fbcon_fb_unbind(). It uses the virtual console index as the new framebuffer index to bind the console(s) to. The correct way is to use the con2fb_map lookup table to find the framebuffer index. Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer") Signed-off-by: Noralf Trønnes Reviewed-by: Mikulas Patocka Acked-by: Daniel Vetter Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin --- drivers/video/console/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c index 4e3c78d88832..c03c5b9602bb 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -3032,7 +3032,7 @@ static int fbcon_fb_unbind(int idx) for (i = first_fb_vc; i <= last_fb_vc; i++) { if (con2fb_map[i] != idx && con2fb_map[i] != -1) { - new_idx = i; + new_idx = con2fb_map[i]; break; } } -- 2.19.1 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Sasha Levin Subject: [PATCH AUTOSEL 4.4 60/80] fbdev: fbcon: Fix unregister crash when more than one framebuffer Date: Mon, 28 Jan 2019 11:23:41 -0500 Message-ID: <20190128162401.58841-60-sashal@kernel.org> References: <20190128162401.58841-1-sashal@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Return-path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by gabe.freedesktop.org (Postfix) with ESMTPS id 53D7F6E6E3 for ; Mon, 28 Jan 2019 16:25:47 +0000 (UTC) In-Reply-To: <20190128162401.58841-1-sashal@kernel.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Sasha Levin , linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Bartlomiej Zolnierkiewicz List-Id: dri-devel@lists.freedesktop.org RnJvbTogTm9yYWxmIFRyw7hubmVzIDxub3JhbGZAdHJvbm5lcy5vcmc+CgpbIFVwc3RyZWFtIGNv bW1pdCAyMTIyYjQwNTgwZGQ5ZDA2MjAzOTg3MzljNzczZDA3YTdiNzkzOWQwIF0KCldoZW4gdW5y ZWdpc3RlcmluZyBmYmRldiB1c2luZyB1bnJlZ2lzdGVyX2ZyYW1lYnVmZmVyKCksIGFueSBib3Vu ZApjb25zb2xlIHdpbGwgdW5iaW5kIGF1dG9tYXRpY2FsbHkuIFRoaXMgaXMgd29ya2luZyBmaW5l IGlmIHRoaXMgaXMgdGhlCm9ubHkgZnJhbWVidWZmZXIsIHJlc3VsdGluZyBpbiBhIHN3aXRjaCB0 byB0aGUgZHVtbXkgY29uc29sZS4gSG93ZXZlciBpZgp0aGVyZSBpcyBhIGZiMCBhbmQgSSB1bnJl Z2lzdGVyIGZiMSBoYXZpbmcgYSBib3VuZCBjb25zb2xlLCBJIGV2ZW50dWFsbHkKZ2V0IGEgY3Jh c2guIFRoZSBmYXN0ZXN0IHdheSBmb3IgbWUgdG8gdHJpZ2dlciB0aGUgY3Jhc2ggaXMgdG8gZG8g YQpyZWJvb3QsIHJlc3VsdGluZyBpbiB0aGlzIHNwbGF0OgoKWyAgIDc2LjQ3ODgyNV0gV0FSTklO RzogQ1BVOiAwIFBJRDogNTI3IGF0IGxpbnV4L2tlcm5lbC93b3JrcXVldWUuYzoxNDQyIF9fcXVl dWVfd29yaysweDJkNC8weDQxYwpbICAgNzYuNDc4ODQ5XSBNb2R1bGVzIGxpbmtlZCBpbjogcmFz cGJlcnJ5cGlfaHdtb24gZ3Bpb19iYWNrbGlnaHQgYmFja2xpZ2h0IGJjbTI4MzVfcm5nIHJuZ19j b3JlIFtsYXN0IHVubG9hZGVkOiB0aW55ZHJtXQpbICAgNzYuNDc4OTE2XSBDUFU6IDAgUElEOiA1 MjcgQ29tbTogc3lzdGVtZC11ZGV2ZCBOb3QgdGFpbnRlZCA0LjIwLjAtcmM0KyAjNApbICAgNzYu NDc4OTMzXSBIYXJkd2FyZSBuYW1lOiBCQ00yODM1ClsgICA3Ni40Nzg5NDldIEJhY2t0cmFjZToK WyAgIDc2LjQ3ODk5NV0gWzxjMDEwZDM4OD5dIChkdW1wX2JhY2t0cmFjZSkgZnJvbSBbPGMwMTBk NjcwPl0gKHNob3dfc3RhY2srMHgyMC8weDI0KQpbICAgNzYuNDc5MDIyXSAgcjY6MDAwMDAwMDAg cjU6YzBiYzczYmUgcjQ6MDAwMDAwMDAgcjM6NmZiNWJmODEKWyAgIDc2LjQ3OTA2MF0gWzxjMDEw ZDY1MD5dIChzaG93X3N0YWNrKSBmcm9tIFs8YzA4ZTgyZjQ+XSAoZHVtcF9zdGFjaysweDIwLzB4 MjgpClsgICA3Ni40NzkxMDJdIFs8YzA4ZTgyZDQ+XSAoZHVtcF9zdGFjaykgZnJvbSBbPGMwMTIw MDcwPl0gKF9fd2FybisweGVjLzB4MTJjKQpbICAgNzYuNDc5MTM0XSBbPGMwMTFmZjg0Pl0gKF9f d2FybikgZnJvbSBbPGMwMTIwMWU0Pl0gKHdhcm5fc2xvd3BhdGhfbnVsbCsweDRjLzB4NTgpClsg ICA3Ni40NzkxNjVdICByOTpjMGViNjk0NCByODowMDAwMDAwMSByNzpjMGU5MjdmOCByNjpjMGJj NzNiZSByNTowMDAwMDVhMiByNDpjMDEzOWU4NApbICAgNzYuNDc5MTk3XSBbPGMwMTIwMTk4Pl0g KHdhcm5fc2xvd3BhdGhfbnVsbCkgZnJvbSBbPGMwMTM5ZTg0Pl0gKF9fcXVldWVfd29yaysweDJk NC8weDQxYykKWyAgIDc2LjQ3OTIyMl0gIHI2OmQ3NjY2YTAwIHI1OmMwZTkxOGVlIHI0OmRiYzRl NzAwClsgICA3Ni40NzkyNTFdIFs8YzAxMzliYjA+XSAoX19xdWV1ZV93b3JrKSBmcm9tIFs8YzAx M2EwMmM+XSAocXVldWVfd29ya19vbisweDYwLzB4ODgpClsgICA3Ni40NzkyODFdICByMTA6YzA0 OTZiZjggcjk6MDAwMDAxMDAgcjg6YzBlOTJhZTAgcjc6MDAwMDAwMDEgcjY6ZDk0MDM3MDAgcjU6 ZDc2NjZhMDAKWyAgIDc2LjQ3OTI5OF0gIHI0OjIwMDAwMTEzClsgICA3Ni40NzkzNDhdIFs8YzAx MzlmY2M+XSAocXVldWVfd29ya19vbikgZnJvbSBbPGMwNDk2YzI4Pl0gKGN1cnNvcl90aW1lcl9o YW5kbGVyKzB4MzAvMHg1NCkKWyAgIDc2LjQ3OTM3NF0gIHI3OmQ4YThmYWJjIHI2OmMwZTA4MDg4 IHI1OmQ4YWZkYzVjIHI0OmQ4YThmYWJjClsgICA3Ni40Nzk0MTNdIFs8YzA0OTZiZjg+XSAoY3Vy c29yX3RpbWVyX2hhbmRsZXIpIGZyb20gWzxjMDE3ODc0ND5dIChjYWxsX3RpbWVyX2ZuKzB4MTAw LzB4MjMwKQpbICAgNzYuNDc5NDM1XSAgcjQ6YzBlOTE5MmYgcjM6ZDc1OGEzNDAKWyAgIDc2LjQ3 OTQ2NV0gWzxjMDE3ODY0ND5dIChjYWxsX3RpbWVyX2ZuKSBmcm9tIFs8YzAxNzg5ODA+XSAoZXhw aXJlX3RpbWVycysweDEwYy8weDEyYykKWyAgIDc2LjQ3OTQ5NV0gIHIxMDo0MDAwMDAwMCByOTpj MGU5MTkyZiByODpjMGU5MmFlMCByNzpkOGFmZGNjYyByNjpjMGUxOTI4MCByNTpjMDQ5NmJmOApb ICAgNzYuNDc5NTEzXSAgcjQ6ZDhhOGZhYmMKWyAgIDc2LjQ3OTU0MV0gWzxjMDE3ODg3ND5dIChl eHBpcmVfdGltZXJzKSBmcm9tIFs8YzAxNzk2MzA+XSAocnVuX3RpbWVyX3NvZnRpcnErMHhhOC8w eDE4NCkKWyAgIDc2LjQ3OTU3MF0gIHI5OjAwMDAwMDAxIHI4OmMwZTE5MjgwIHI3OjAwMDAwMDAw IHI2OmMwZTA4MDg4IHI1OmMwZTFhM2UwIHI0OmMwZTE5MjgwClsgICA3Ni40Nzk2MDNdIFs8YzAx Nzk1ODg+XSAocnVuX3RpbWVyX3NvZnRpcnEpIGZyb20gWzxjMDEwMjQwND5dIChfX2RvX3NvZnRp cnErMHgxYWMvMHgzZmMpClsgICA3Ni40Nzk2MzJdICByMTA6YzBlOTE2ODAgcjk6ZDhhZmMwMjAg cjg6MDAwMDAwMGEgcjc6MDAwMDAxMDAgcjY6MDAwMDAwMDEgcjU6MDAwMDAwMDIKWyAgIDc2LjQ3 OTY1MF0gIHI0OmMwZWI2NWVjClsgICA3Ni40Nzk2ODZdIFs8YzAxMDIyNTg+XSAoX19kb19zb2Z0 aXJxKSBmcm9tIFs8YzAxMjRkMTA+XSAoaXJxX2V4aXQrMHhlOC8weDE2OCkKWyAgIDc2LjQ3OTcx Nl0gIHIxMDpkOGQxYTliMCByOTpkOGFmYzAwMCByODowMDAwMDAwMSByNzpkOTQ5YzAwMCByNjow MDAwMDAwMCByNTpjMGU4YjNmMApbICAgNzYuNDc5NzM0XSAgcjQ6MDAwMDAwMDAKWyAgIDc2LjQ3 OTc2NF0gWzxjMDEyNGMyOD5dIChpcnFfZXhpdCkgZnJvbSBbPGMwMTZiNzJjPl0gKF9faGFuZGxl X2RvbWFpbl9pcnErMHg5NC8weGIwKQpbICAgNzYuNDc5NzkzXSBbPGMwMTZiNjk4Pl0gKF9faGFu ZGxlX2RvbWFpbl9pcnEpIGZyb20gWzxjMDEwMjFkYz5dIChiY20yODM1X2hhbmRsZV9pcnErMHgz Yy8weDQ4KQpbICAgNzYuNDc5ODIzXSAgcjg6ZDhhZmRlYmMgcjc6ZDhhZmRkZmMgcjY6ZmZmZmZm ZmYgcjU6YzBlMDg5ZjggcjQ6ZDhhZmRkYzggcjM6ZDhhZmRkYzgKWyAgIDc2LjQ3OTg1MV0gWzxj MDEwMjFhMD5dIChiY20yODM1X2hhbmRsZV9pcnEpIGZyb20gWzxjMDEwMTlmMD5dIChfX2lycV9z dmMrMHg3MC8weDk4KQoKVGhlIHByb2JsZW0gaXMgaW4gdGhlIGNvbnNvbGUgcmViaW5kaW5nIGlu IGZiY29uX2ZiX3VuYmluZCgpLiBJdCB1c2VzIHRoZQp2aXJ0dWFsIGNvbnNvbGUgaW5kZXggYXMg dGhlIG5ldyBmcmFtZWJ1ZmZlciBpbmRleCB0byBiaW5kIHRoZSBjb25zb2xlKHMpCnRvLiBUaGUg Y29ycmVjdCB3YXkgaXMgdG8gdXNlIHRoZSBjb24yZmJfbWFwIGxvb2t1cCB0YWJsZSB0byBmaW5k IHRoZQpmcmFtZWJ1ZmZlciBpbmRleC4KCkZpeGVzOiBjZmFmY2E4MDY3YzYgKCJmYmRldjogZmJj b246IGNvbnNvbGUgdW5yZWdpc3RyYXRpb24gZnJvbSB1bnJlZ2lzdGVyX2ZyYW1lYnVmZmVyIikK U2lnbmVkLW9mZi1ieTogTm9yYWxmIFRyw7hubmVzIDxub3JhbGZAdHJvbm5lcy5vcmc+ClJldmll d2VkLWJ5OiBNaWt1bGFzIFBhdG9ja2EgPG1wYXRvY2thQHJlZGhhdC5jb20+CkFja2VkLWJ5OiBE YW5pZWwgVmV0dGVyIDxkYW5pZWwudmV0dGVyQGZmd2xsLmNoPgpTaWduZWQtb2ZmLWJ5OiBCYXJ0 bG9taWVqIFpvbG5pZXJraWV3aWN6IDxiLnpvbG5pZXJraWVAc2Ftc3VuZy5jb20+ClNpZ25lZC1v ZmYtYnk6IFNhc2hhIExldmluIDxzYXNoYWxAa2VybmVsLm9yZz4KLS0tCiBkcml2ZXJzL3ZpZGVv L2NvbnNvbGUvZmJjb24uYyB8IDIgKy0KIDEgZmlsZSBjaGFuZ2VkLCAxIGluc2VydGlvbigrKSwg MSBkZWxldGlvbigtKQoKZGlmZiAtLWdpdCBhL2RyaXZlcnMvdmlkZW8vY29uc29sZS9mYmNvbi5j IGIvZHJpdmVycy92aWRlby9jb25zb2xlL2ZiY29uLmMKaW5kZXggNGUzYzc4ZDg4ODMyLi5jMDNj NWI5NjAyYmIgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvdmlkZW8vY29uc29sZS9mYmNvbi5jCisrKyBi L2RyaXZlcnMvdmlkZW8vY29uc29sZS9mYmNvbi5jCkBAIC0zMDMyLDcgKzMwMzIsNyBAQCBzdGF0 aWMgaW50IGZiY29uX2ZiX3VuYmluZChpbnQgaWR4KQogCWZvciAoaSA9IGZpcnN0X2ZiX3ZjOyBp IDw9IGxhc3RfZmJfdmM7IGkrKykgewogCQlpZiAoY29uMmZiX21hcFtpXSAhPSBpZHggJiYKIAkJ ICAgIGNvbjJmYl9tYXBbaV0gIT0gLTEpIHsKLQkJCW5ld19pZHggPSBpOworCQkJbmV3X2lkeCA9 IGNvbjJmYl9tYXBbaV07CiAJCQlicmVhazsKIAkJfQogCX0KLS0gCjIuMTkuMQoKX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcg bGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlzdHMuZnJlZWRl c2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5001FC282C8 for ; Mon, 28 Jan 2019 16:35:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 204EA20811 for ; Mon, 28 Jan 2019 16:35:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548693327; bh=cUSZ554jTVwLWBG8Ynnuel+5uzSFthPCg5PlxWNAFOI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=GjPmEGbMTgv3g4Gl6mGtOyVdLf4IhO2bm8SBBUKZC6a8Dz7w+MTTDFhSXl2vFErw0 wq2pmXa+FzsRLPiEB+zbOg7qZC82JdQ0nR4h5J+ycdYrohlBja5ZI+rfWVpYeU0bWQ nP7yzg+PiPLOG1BCudereTsUpp3W9R+fixJHb1pE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390470AbfA1QfZ (ORCPT ); Mon, 28 Jan 2019 11:35:25 -0500 Received: from mail.kernel.org ([198.145.29.99]:34782 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390030AbfA1QZs (ORCPT ); Mon, 28 Jan 2019 11:25:48 -0500 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5FA472147A; Mon, 28 Jan 2019 16:25:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548692747; bh=cUSZ554jTVwLWBG8Ynnuel+5uzSFthPCg5PlxWNAFOI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OVHqHbrVJKY5fDTWEr1USaJ9sNZykV7C+nSbKFhPX9XuTdKM2Wu1FAt5ws0ce32H2 p4fHhRUQQuSpJRVklIdqJi39YJO9J11ShGDi7x9x6HcVNZ7sCpHvmtBQ/IXR6q60au 093IMWVkaptJCFjQ6wyLsVqMy2ej2gBtpMwqInFo= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= , Bartlomiej Zolnierkiewicz , Sasha Levin , dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org Subject: [PATCH AUTOSEL 4.4 60/80] fbdev: fbcon: Fix unregister crash when more than one framebuffer Date: Mon, 28 Jan 2019 11:23:41 -0500 Message-Id: <20190128162401.58841-60-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190128162401.58841-1-sashal@kernel.org> References: <20190128162401.58841-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Noralf Trønnes [ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ] When unregistering fbdev using unregister_framebuffer(), any bound console will unbind automatically. This is working fine if this is the only framebuffer, resulting in a switch to the dummy console. However if there is a fb0 and I unregister fb1 having a bound console, I eventually get a crash. The fastest way for me to trigger the crash is to do a reboot, resulting in this splat: [ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c [ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm] [ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4 [ 76.478933] Hardware name: BCM2835 [ 76.478949] Backtrace: [ 76.478995] [] (dump_backtrace) from [] (show_stack+0x20/0x24) [ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81 [ 76.479060] [] (show_stack) from [] (dump_stack+0x20/0x28) [ 76.479102] [] (dump_stack) from [] (__warn+0xec/0x12c) [ 76.479134] [] (__warn) from [] (warn_slowpath_null+0x4c/0x58) [ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84 [ 76.479197] [] (warn_slowpath_null) from [] (__queue_work+0x2d4/0x41c) [ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700 [ 76.479251] [] (__queue_work) from [] (queue_work_on+0x60/0x88) [ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00 [ 76.479298] r4:20000113 [ 76.479348] [] (queue_work_on) from [] (cursor_timer_handler+0x30/0x54) [ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc [ 76.479413] [] (cursor_timer_handler) from [] (call_timer_fn+0x100/0x230) [ 76.479435] r4:c0e9192f r3:d758a340 [ 76.479465] [] (call_timer_fn) from [] (expire_timers+0x10c/0x12c) [ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8 [ 76.479513] r4:d8a8fabc [ 76.479541] [] (expire_timers) from [] (run_timer_softirq+0xa8/0x184) [ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280 [ 76.479603] [] (run_timer_softirq) from [] (__do_softirq+0x1ac/0x3fc) [ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002 [ 76.479650] r4:c0eb65ec [ 76.479686] [] (__do_softirq) from [] (irq_exit+0xe8/0x168) [ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0 [ 76.479734] r4:00000000 [ 76.479764] [] (irq_exit) from [] (__handle_domain_irq+0x94/0xb0) [ 76.479793] [] (__handle_domain_irq) from [] (bcm2835_handle_irq+0x3c/0x48) [ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8 [ 76.479851] [] (bcm2835_handle_irq) from [] (__irq_svc+0x70/0x98) The problem is in the console rebinding in fbcon_fb_unbind(). It uses the virtual console index as the new framebuffer index to bind the console(s) to. The correct way is to use the con2fb_map lookup table to find the framebuffer index. Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer") Signed-off-by: Noralf Trønnes Reviewed-by: Mikulas Patocka Acked-by: Daniel Vetter Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin --- drivers/video/console/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c index 4e3c78d88832..c03c5b9602bb 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -3032,7 +3032,7 @@ static int fbcon_fb_unbind(int idx) for (i = first_fb_vc; i <= last_fb_vc; i++) { if (con2fb_map[i] != idx && con2fb_map[i] != -1) { - new_idx = i; + new_idx = con2fb_map[i]; break; } } -- 2.19.1