| Message ID | 20220504215631.56756-1-javierm@redhat.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Series | fbdev: Fix use-after-free caused by wrong fb_info cleanup in drivers |
Am 04.05.22 um 23:56 schrieb Javier Martinez Canillas: > From: Daniel Vetter <daniel.vetter@ffwll.ch> > > Most fbdev drivers have issues with the fb_info lifetime, because call to > framebuffer_release() from their driver's .remove callback, rather than > doing from fbops.fb_destroy callback. > > Doing that will destroy the fb_info too early, while references to it may > still exist, leading to a use-after-free error. > > To prevent this, check the fb_info reference counter when attempting to > kfree the data structure in framebuffer_release(). That will leak it but > at least will prevent the mentioned error. > > Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> > Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> > --- > > drivers/video/fbdev/core/fbsysfs.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c > index 26892940c213..82e31a2d845e 100644 > --- a/drivers/video/fbdev/core/fbsysfs.c > +++ b/drivers/video/fbdev/core/fbsysfs.c > @@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) > { > if (!info) > return; > + > + if (WARN_ON(refcount_read(&info->count))) > + return; > + > kfree(info->apertures); > kfree(info); > }
diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c index 26892940c213..82e31a2d845e 100644 --- a/drivers/video/fbdev/core/fbsysfs.c +++ b/drivers/video/fbdev/core/fbsysfs.c @@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) { if (!info) return; + + if (WARN_ON(refcount_read(&info->count))) + return; + kfree(info->apertures); kfree(info); }
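Review bot: the early return after `WARN_ON(refcount_read(&info->count))` in framebuffer_release() intentionally leaks both `info->apertures` and `info` when references are still outstanding, but nothing in the hunk says so; add a short comment above the check stating that the leak is deliberate (the alternative is the use-after-free described in the commit message) and that the proper fix is for the driver to call framebuffer_release() from its fbops.fb_destroy callback rather than from .remove. Keeping it a WARN_ON() rather than a silent return is the right call here, since the backtrace lands in the offending driver's .remove path and is what makes the misuse detectable in logs.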