[PATCH] drm/vc4: fix NULL dereference in vc4_hvs_unbind

[PATCH] drm/vc4: fix NULL dereference in vc4_hvs_unbind

[Thorsten Blum]

With 'dtoverlay=vc4-kms-v3d,noaudio' and 'hdmi=off' on Raspberry Pi,
unloading the vc4 module calls vc4_hvs_unbind() with
dev_get_drvdata(master) returning NULL.

Return early when 'drm' is NULL before converting it to 'vc4' and before
dereferencing 'vc4->hvs', preventing a kernel oops.

Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 drivers/gpu/drm/vc4/vc4_hvs.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c
index ee8d0738501b..9cb66f696fc7 100644
--- a/drivers/gpu/drm/vc4/vc4_hvs.c
+++ b/drivers/gpu/drm/vc4/vc4_hvs.c
@@ -1753,10 +1753,16 @@ static void vc4_hvs_unbind(struct device *dev, struct device *master,
 			   void *data)
 {
 	struct drm_device *drm = dev_get_drvdata(master);
-	struct vc4_dev *vc4 = to_vc4_dev(drm);
-	struct vc4_hvs *hvs = vc4->hvs;
+	struct vc4_dev *vc4;
+	struct vc4_hvs *hvs;
 	struct drm_mm_node *node, *next;
 
+	if (!drm)
+		return;
+
+	vc4 = to_vc4_dev(drm);
+	hvs = vc4->hvs;
+
 	if (drm_mm_node_allocated(&vc4->hvs->mitchell_netravali_filter))
 		drm_mm_remove_node(&vc4->hvs->mitchell_netravali_filter);
 

Claude review: drm/vc4: fix NULL dereference in vc4_hvs_unbind

[Claude Code Review Bot]

Overall Series Review

Subject: drm/vc4: fix NULL dereference in vc4_hvs_unbind
Author: Thorsten Blum <thorsten.blum@linux.dev>
Patches: 1
Reviewed: 2026-05-05T08:48:38.566003

---

This is a single-patch fix for a real NULL pointer dereference in `vc4_hvs_unbind()`. The bug occurs because `vc4_drm_unbind()` calls `dev_set_drvdata(dev, NULL)` before the component framework's `devres_release_group()` triggers `vc4_component_unbind_all()`, which in turn calls `vc4_hvs_unbind()`. At that point, `dev_get_drvdata(master)` returns NULL, and the original code immediately dereferences it through `to_vc4_dev(drm)` and `vc4->hvs`.

The fix is correct and minimal — it moves the `vc4` and `hvs` variable initialization after a NULL check on `drm`. The pattern is appropriate for a defensive guard in a teardown path.

**Verdict: The patch looks correct and is suitable for merging.**

---
Generated by Claude Code Patch Reviewer

Claude review: drm/vc4: fix NULL dereference in vc4_hvs_unbind

[Claude Code Review Bot]

Patch Review

**Correctness:** The fix correctly addresses the crash. The root cause is in `vc4_drv.c:416` where `dev_set_drvdata(dev, NULL)` is called in `vc4_drm_unbind()` before the devm-managed `vc4_component_unbind_all()` fires at `vc4_drv.c:275`, which subsequently calls each component's unbind (including `vc4_hvs_unbind`). By the time `vc4_hvs_unbind` runs, `dev_get_drvdata(master)` returns NULL.

**Code change:**
```c
-	struct vc4_dev *vc4 = to_vc4_dev(drm);
-	struct vc4_hvs *hvs = vc4->hvs;
+	struct vc4_dev *vc4;
+	struct vc4_hvs *hvs;
 	struct drm_mm_node *node, *next;

+	if (!drm)
+		return;
+
+	vc4 = to_vc4_dev(drm);
+	hvs = vc4->hvs;
```

This is clean and correct — the early return prevents the NULL dereference path entirely.

**Minor observations:**

1. **Consistent with existing code?** The other unbind functions in this driver (`vc4_v3d_unbind` in `vc4_v3d.c:494`) do **not** have this same NULL guard but are susceptible to the same issue. If this NULL drvdata scenario can be triggered for `vc4_hvs_unbind`, it can likely be triggered for `vc4_v3d_unbind` as well (which does `struct vc4_dev *vc4 = to_vc4_dev(drm)` without checking). Consider adding the same guard there, or at least noting that those functions may need fixing too. `vc4_crtc_unbind` and `vc4_txp_unbind` don't dereference `master` drvdata, so they are safe.

2. **Root cause vs. symptom:** This is a band-aid. The real issue is the ordering in `vc4_drm_unbind()` — it clears drvdata before the devm-managed `component_unbind_all` action fires. Moving `dev_set_drvdata(dev, NULL)` into a devm action registered *before* the `component_unbind_all` action (so it runs *after*) would fix this at the source. However, for a stable-targeted fix, the defensive NULL check is the safer and more appropriate approach.

3. **Fixes tag and Cc stable:** Both look correct — the fix references `c8b75bca92cb` which introduced the original `vc4_hvs_unbind`, and the stable tag is appropriate for a NULL deref fix.

4. **Unused variable after early return:** `hvs` is assigned at line 1764 but only used at lines 1778-1779 (`clk_disable_unprepare(hvs->disp_clk)` and `clk_disable_unprepare(hvs->core_clk)`). Meanwhile lines 1766-1776 all use `vc4->hvs` directly instead of `hvs`. This is a pre-existing inconsistency (not introduced by this patch), but the patch does perpetuate it by keeping the `hvs` local variable.

**Overall:** Good fix, appropriate for stable. The `vc4_v3d_unbind` gap is worth flagging to the author as a follow-up.

---
Generated by Claude Code Patch Reviewer