From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Daniel Vetter, Daniel Vetter, Javier Martinez Canillas, Thomas Zimmermann, Daniel Vetter, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 1/4] fbdev: Prevent possible use-after-free in fb_release()
Date: Thu, 5 May 2022 13:31:24 +0200
Message-Id: <20220505113128.264963-2-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

From: Daniel Vetter

Most fbdev drivers have issues with the fb_info lifetime, because they call framebuffer_release() from their driver's .remove callback, rather than doing so from the fbops.fb_destroy callback.

Doing that will destroy the fb_info too early, while references to it may still exist, leading to a use-after-free error.

To prevent this, check the fb_info reference counter when attempting to kfree the data structure in framebuffer_release(). That will leak it but at least will prevent the mentioned error.

Signed-off-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/core/fbsysfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c index 8c1ee9ecec3d..c2a60b187467 100644 --- a/drivers/video/fbdev/core/fbsysfs.c +++ b/drivers/video/fbdev/core/fbsysfs.c 
@@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) { if (!info) return; + + if (WARN_ON(refcount_read(&info->count))) + return; + kfree(info->apertures); kfree(info); }
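Review bot: The new early return in framebuffer_release() leaks info and info->apertures on purpose, but nothing in the code says so. Add a short comment above `if (WARN_ON(refcount_read(&info->count)))` stating that the leak is intentional and that the driver should instead call framebuffer_release() from its fb_destroy callback. The commit message says most fbdev drivers still take this path, so the warning will be hit whenever such a driver is removed while a reference is held; on systems booted with panic_on_warn that makes the removal fatal, which deserves a sentence in the commit message. The refcount_read() is a snapshot used as a diagnostic, not a synchronisation point, and the comment should say that as well.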

From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Thomas Zimmermann, Hans de Goede, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 2/4] fbdev: simplefb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:25 +0200
Message-Id: <20220505113128.264963-3-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early. Since it could be that a reference is still held to it if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/simplefb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c index 94fc9c6d0411..2c198561c338 100644 --- a/drivers/video/fbdev/simplefb.c +++ b/drivers/video/fbdev/simplefb.c @@ -84,6 +84,10 @@ struct simplefb_par { static void simplefb_clocks_destroy(struct simplefb_par *par); static void simplefb_regulators_destroy(struct simplefb_par *par); +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void simplefb_destroy(struct fb_info *info) { struct simplefb_par *par = info->par; 
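Review bot: The comment block added above simplefb_destroy() is repeated word for word above efifb_destroy() and vesafb_destroy() later in this series. Documenting the contract once, where the fb_destroy callback is declared in struct fb_ops, and leaving a one-line pointer in each driver would keep the three copies from drifting apart.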
@@ -94,6 +98,8 @@ static void simplefb_destroy(struct fb_info *info) if (info->screen_base) iounmap(info->screen_base); + framebuffer_release(info); + if (mem) release_mem_region(mem->start, resource_size(mem)); } 
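Review bot: In simplefb_destroy(), framebuffer_release(info) is placed before `if (mem) release_mem_region(mem->start, resource_size(mem));`, so the code is only correct if mem was copied out of par before the free and does not point into memory owned by info. The hunk does not show where mem is assigned. Moving framebuffer_release(info) to be the last statement of the function would make the ordering obviously safe and would match the vesafb patch in this series.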
@@ -545,8 +551,8 @@ static int simplefb_remove(struct platform_device *pdev) { struct fb_info *info = platform_get_drvdata(pdev); + /* simplefb_destroy takes care of info cleanup */ unregister_framebuffer(info); - framebuffer_release(info); return 0; }
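Review bot: With framebuffer_release() removed from simplefb_remove(), the cleanup in simplefb_destroy() can run from fb_release() after .remove has already returned, as the comment added above simplefb_destroy() states. The commit message should say that everything simplefb_destroy() touches remains valid after the platform device is unbound (nothing devm-managed, nothing reached through pdev), or the patch should show that this was checked. The new comment in simplefb_remove() could also mention that the cleanup may be deferred until the last fd is closed, since "takes care of info cleanup" reads as if it happens inside unregister_framebuffer().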

From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Thomas Zimmermann, Helge Deller, Peter Jones, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 3/4] fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:26 +0200
Message-Id: <20220505113128.264963-4-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early. Since it could be that a reference is still held to it if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/efifb.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c index ea42ba6445b2..cfa3dc0b4eee 100644 --- a/drivers/video/fbdev/efifb.c +++ b/drivers/video/fbdev/efifb.c @@ -243,6 +243,10 @@ static void efifb_show_boot_graphics(struct fb_info *info) static inline void efifb_show_boot_graphics(struct fb_info *info) {} #endif +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void efifb_destroy(struct fb_info *info) { if (efifb_pci_dev) 
@@ -254,6 +258,9 @@ static void efifb_destroy(struct fb_info *info) else memunmap(info->screen_base); } + + framebuffer_release(info); + if (request_mem_succeeded) release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size); 
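Review bot: In efifb_destroy(), framebuffer_release(info) is inserted before `release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size)`, which makes that call a use-after-free. Patch 1/4 of this series shows framebuffer_release() doing kfree(info->apertures) followed by kfree(info), so both reads of info->apertures happen on freed memory whenever request_mem_succeeded is set. Move framebuffer_release(info) to the end of the function, after the release_mem_region() block, as the vesafb patch does.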
@@ -620,9 +627,9 @@ static int efifb_remove(struct platform_device *pdev) { struct fb_info *info = platform_get_drvdata(pdev); + /* efifb_destroy takes care of info cleanup */ unregister_framebuffer(info); sysfs_remove_groups(&pdev->dev.kobj, efifb_groups); - framebuffer_release(info); return 0; }

From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 4/4] fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:27 +0200
Message-Id: <20220505113128.264963-5-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early. Since it could be that a reference is still held to it if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

Changes in v2:
- Also do the change for vesafb (Thomas Zimmermann).

 drivers/video/fbdev/vesafb.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c index df6de5a9dd4c..1f03a449e505 100644 --- a/drivers/video/fbdev/vesafb.c +++ b/drivers/video/fbdev/vesafb.c @@ -179,6 +179,10 @@ static int vesafb_setcolreg(unsigned regno, unsigned red, unsigned green, return err; } +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void vesafb_destroy(struct fb_info *info) { struct vesafb_par *par = info->par; 
@@ -187,7 +191,13 @@ static void vesafb_destroy(struct fb_info *info) arch_phys_wc_del(par->wc_cookie); if (info->screen_base) iounmap(info->screen_base); + + if (((struct vesafb_par *)(info->par))->region) + release_region(0x3c0, 32); + release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size); + + framebuffer_release(info); } static struct fb_ops vesafb_ops = { @@ -484,10 +494,8 @@ static int vesafb_remove(struct platform_device *pdev) { struct fb_info *info = platform_get_drvdata(pdev); + /* vesafb_destroy takes care of info cleanup */ unregister_framebuffer(info); - if (((struct vesafb_par *)(info->par))->region) - release_region(0x3c0, 32); - framebuffer_release(info); return 0; }
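Review bot: In vesafb_destroy() the added `if (((struct vesafb_par *)(info->par))->region)` carries over a cast the function does not need. par is already declared as `struct vesafb_par *par = info->par;` at the top of the function and used for par->wc_cookie, so the test can be written `if (par->region)`. The ordering in this hunk is right: framebuffer_release(info) comes last, after the final read of info->apertures in release_mem_region().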