On Fri, Feb 25, 2011 at 03:56:20AM +0200, Anca Emanuel wrote:

On Fri, Feb 25, 2011 at 3:47 AM, Anca Emanuel [off-list ref] wrote:

quoted

On Fri, Feb 25, 2011 at 3:14 AM, Dave Airlie [off-list ref] wrote:

quoted

On Thu, 2011-02-24 at 16:54 -0800, Linus Torvalds wrote:

quoted

On Thu, Feb 24, 2011 at 4:48 PM, Anca Emanuel [off-list ref] wrote:

quoted

diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
index e2bf953..e8f8925 100644
--- a/drivers/video/fbmem.c
+++ b/drivers/video/fbmem.c

@@ -1511,6 +1511,7 @@ void remove_conflicting_framebuffers(struct

apertures_struct *a,
                              "%s vs %s - removing generic driver\n",
                              name, registered_fb[i]->fix.id);
                       unregister_framebuffer(registered_fb[i]);
+                       registered_fb[i] = NULL;

Tested the patch, and now I get this:
dmesg: http://pastebin.com/ieMNrA7C

[   12.252328] BUG: unable to handle kernel NULL pointer dereference
at 00000000000003b8
[   12.252342] IP: [<ffffffff81311178>] fb_mmap+0x58/0x1d0

Ok, goodie.

Or not so goodie, but it does make it clear that yeah, the fb code
seems to be using stale pointers from that registered_fb[] array, and
the whole unregistration process is just racing with people using it.

Herton had that much bigger patch, can you test it?

I think Andy's patch worked, not sure why it fell between the cracks,
either didn't appear on lkml or in my inbox at all.

if we can get Herton to repost it properly + a tested by I'm happy for
it to go in.

Dave.

Tested Andy's patch and it works !
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-natty.git;a=commit;h=c5a742b5f78e161d6a13853a7e3e6e1dfa429e69

Tested-by: Anca Emanuel <redacted>

link to patch: http://is.gd/otIfGc

Adding Andy on CC (btw he is away for today, may get some time to answer).

Andy, can you repost the patch?

--
[]'s
Herton