The destroy function in drm_mode_config_cleanup will remove the objects
in ipu-drm-core by calling its destroy functions if the bind function
fails. The drm_crtc is also part of the devres allocated ipu_crtc
object. The ipu_crtc object will already be cleaned up if the bind for
the crtc fails. This leads drm_crtc_cleanup try to clean already freed
memory.
We fix this issue by adding the devres action ipu_crtc_remove_head which
will remove its head from the objects in ipu-drm-core which then never
calls its destroy function anymore.
Signed-off-by: Michael Grzeschik <m.grzesc...@pengutronix.de>
---
drivers/gpu/drm/imx/ipuv3-crtc.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
index ec3602ebbc1cd..fa1ee33a43d77 100644
--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
+++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
@@ -429,6 +429,14 @@ static int ipu_crtc_init(struct ipu_crtc *ipu_crtc,
return ret;
}
+static void ipu_crtc_remove_head(void *data)
+{
+ struct ipu_crtc *ipu_crtc = data;
+ struct drm_crtc *crtc = &ipu_crtc->base;
+
+ list_del(&crtc->head);
+}
+
static int ipu_drm_bind(struct device *dev, struct device *master, void *data)
{
struct ipu_client_platformdata *pdata = dev->platform_data;
@@ -440,6 +448,10 @@ static int ipu_drm_bind(struct device *dev, struct device
*master, void *data)
if (!ipu_crtc)
return -ENOMEM;
+ ret = devm_add_action(dev, ipu_crtc_remove_head, ipu_crtc);
+ if (ret)
+ return ret;
+
ipu_crtc->dev = dev;
ret = ipu_crtc_init(ipu_crtc, pdata, drm);
--
2.20.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
