diff mbox series

fbdev: efifb: Fix a use-after-free due early fb_info cleanup

Message ID 20220506132225.588379-1-javierm@redhat.com (mailing list archive)
State New, archived
Headers show
Series fbdev: efifb: Fix a use-after-free due early fb_info cleanup | expand

Commit Message

Javier Martinez Canillas May 6, 2022, 1:22 p.m. UTC
Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
than .remove") attempted to fix a use-after-free error due driver freeing
the fb_info in the .remove handler instead of doing it in .fb_destroy.

But ironically that change introduced yet another use-after-free since the
fb_info was still used after the free.

This should fix for good by freeing the fb_info at the end of the handler.

Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reported-by: Andrzej Hajda <andrzej.hajda@intel.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---

 drivers/video/fbdev/efifb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Thomas Zimmermann May 6, 2022, 1:39 p.m. UTC | #1
Am 06.05.22 um 15:22 schrieb Javier Martinez Canillas:
> Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
> than .remove") attempted to fix a use-after-free error due driver freeing
> the fb_info in the .remove handler instead of doing it in .fb_destroy.
> 
> But ironically that change introduced yet another use-after-free since the
> fb_info was still used after the free.
> 
> This should fix for good by freeing the fb_info at the end of the handler.
> 
> Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
> Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Reported-by: Andrzej Hajda <andrzej.hajda@intel.com>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Reviewed-by: Thomas Zimmermann <tzimemrmann@suse.de>

> ---
> 
>   drivers/video/fbdev/efifb.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
> index cfa3dc0b4eee..b3d5f884c544 100644
> --- a/drivers/video/fbdev/efifb.c
> +++ b/drivers/video/fbdev/efifb.c
> @@ -259,12 +259,12 @@ static void efifb_destroy(struct fb_info *info)
>   			memunmap(info->screen_base);
>   	}
>   
> -	framebuffer_release(info);
> -
>   	if (request_mem_succeeded)
>   		release_mem_region(info->apertures->ranges[0].base,
>   				   info->apertures->ranges[0].size);
>   	fb_dealloc_cmap(&info->cmap);
> +
> +	framebuffer_release(info);
>   }
>   
>   static const struct fb_ops efifb_ops = {
Andi Shyti May 6, 2022, 3:44 p.m. UTC | #2
Hi Javier,

On Fri, May 06, 2022 at 03:22:25PM +0200, Javier Martinez Canillas wrote:
> Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
> than .remove") attempted to fix a use-after-free error due driver freeing
> the fb_info in the .remove handler instead of doing it in .fb_destroy.
> 
> But ironically that change introduced yet another use-after-free since the
> fb_info was still used after the free.
> 
> This should fix for good by freeing the fb_info at the end of the handler.
> 
> Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
> Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Reported-by: Andrzej Hajda <andrzej.hajda@intel.com>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>

Andi
Andrzej Hajda May 6, 2022, 4:50 p.m. UTC | #3
On 06.05.2022 15:22, Javier Martinez Canillas wrote:
> Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
> than .remove") attempted to fix a use-after-free error due driver freeing
> the fb_info in the .remove handler instead of doing it in .fb_destroy.
>
> But ironically that change introduced yet another use-after-free since the
> fb_info was still used after the free.
>
> This should fix for good by freeing the fb_info at the end of the handler.
>
> Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
> Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
> Reported-by: Andrzej Hajda <andrzej.hajda@intel.com>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> ---

Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>

Regards
Andrzej
>
>   drivers/video/fbdev/efifb.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
> index cfa3dc0b4eee..b3d5f884c544 100644
> --- a/drivers/video/fbdev/efifb.c
> +++ b/drivers/video/fbdev/efifb.c
> @@ -259,12 +259,12 @@ static void efifb_destroy(struct fb_info *info)
>   			memunmap(info->screen_base);
>   	}
>   
> -	framebuffer_release(info);
> -
>   	if (request_mem_succeeded)
>   		release_mem_region(info->apertures->ranges[0].base,
>   				   info->apertures->ranges[0].size);
>   	fb_dealloc_cmap(&info->cmap);
> +
> +	framebuffer_release(info);
>   }
>   
>   static const struct fb_ops efifb_ops = {
Lucas De Marchi May 7, 2022, 4:20 p.m. UTC | #4
On Fri, May 06, 2022 at 03:22:25PM +0200, Javier Martinez Canillas wrote:
>Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
>than .remove") attempted to fix a use-after-free error due driver freeing
>the fb_info in the .remove handler instead of doing it in .fb_destroy.
>
>But ironically that change introduced yet another use-after-free since the
>fb_info was still used after the free.
>
>This should fix for good by freeing the fb_info at the end of the handler.
>
>Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")

are these patches going through any CI before being applied? Maybe would
be a good idea to cc intel-gfx mailing list on these fixes to have Intel
CI to pick them up for some tests?

pushed to drm-misc-fixes where the previous patch was applied.

thanks
LUcas De Marchi

>Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>Reported-by: Andrzej Hajda <andrzej.hajda@intel.com>
>Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
>---
>
> drivers/video/fbdev/efifb.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
>index cfa3dc0b4eee..b3d5f884c544 100644
>--- a/drivers/video/fbdev/efifb.c
>+++ b/drivers/video/fbdev/efifb.c
>@@ -259,12 +259,12 @@ static void efifb_destroy(struct fb_info *info)
> 			memunmap(info->screen_base);
> 	}
>
>-	framebuffer_release(info);
>-
> 	if (request_mem_succeeded)
> 		release_mem_region(info->apertures->ranges[0].base,
> 				   info->apertures->ranges[0].size);
> 	fb_dealloc_cmap(&info->cmap);
>+
>+	framebuffer_release(info);
> }
>
> static const struct fb_ops efifb_ops = {
>-- 
>2.35.1
>
Javier Martinez Canillas May 7, 2022, 4:40 p.m. UTC | #5
Hello Lucas,

On 5/7/22 18:20, Lucas De Marchi wrote:
> On Fri, May 06, 2022 at 03:22:25PM +0200, Javier Martinez Canillas wrote:
>> Commit d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather
>> than .remove") attempted to fix a use-after-free error due driver freeing
>> the fb_info in the .remove handler instead of doing it in .fb_destroy.
>>
>> But ironically that change introduced yet another use-after-free since the
>> fb_info was still used after the free.
>>
>> This should fix for good by freeing the fb_info at the end of the handler.
>>
>> Fixes: d258d00fb9c7 ("fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove")
> 
> are these patches going through any CI before being applied? Maybe would
> be a good idea to cc intel-gfx mailing list on these fixes to have Intel
> CI to pick them up for some tests?
>

I Cc'ed intel-gfx for this particular patch. I should had done it for the
previous patches too, but I wasn't aware that Cc'ing that list would make
it run on your CI.

I tested locally the offending patch on an EFI platform before applying it
and I don't know why it didn't fail there. Sorry all for the inconvenience.
 
> pushed to drm-misc-fixes where the previous patch was applied.
> 

Thanks.
diff mbox series

Patch

diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
index cfa3dc0b4eee..b3d5f884c544 100644
--- a/drivers/video/fbdev/efifb.c
+++ b/drivers/video/fbdev/efifb.c
@@ -259,12 +259,12 @@  static void efifb_destroy(struct fb_info *info)
 			memunmap(info->screen_base);
 	}
 
-	framebuffer_release(info);
-
 	if (request_mem_succeeded)
 		release_mem_region(info->apertures->ranges[0].base,
 				   info->apertures->ranges[0].size);
 	fb_dealloc_cmap(&info->cmap);
+
+	framebuffer_release(info);
 }
 
 static const struct fb_ops efifb_ops = {