Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

From: Thomas Zimmermann <tzimmermann@suse.de>
To: Javier Martinez Canillas <javierm@redhat.com>,
	Andrzej Hajda <andrzej.hajda@intel.com>,
	linux-kernel@vger.kernel.org
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>,
	linux-fbdev@vger.kernel.org, Helge Deller <deller@gmx.de>,
	dri-devel@lists.freedesktop.org,
	Daniel Vetter <daniel.vetter@intel.com>
Subject: Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()
Date: Tue, 10 May 2022 11:39:37 +0200	[thread overview]
Message-ID: <23ae6eaa-c281-9fc1-2c64-dd953ad2f5f1@suse.de> (raw)
In-Reply-To: <35ffd96d-3cbe-12dd-c1ea-878299ec173c@redhat.com>

[-- Attachment #1.1: Type: text/plain, Size: 2060 bytes --]

Hi Javier

Am 10.05.22 um 11:06 schrieb Javier Martinez Canillas:
> Hello Thomas,
> 
> On 5/10/22 10:50, Thomas Zimmermann wrote:
> 
> [snip]
> 
>>>> Drivers shouldn't really explicitly call this helper in my opinion.
>>
>> One more stupid question: does armada actually use
>> drm_fbdev_fb_destroy()? It's supposed to be a callback for struct
>> fb_ops. Armada uses it's own instance of fb_ops, which apparently
>> doesn't contain fb_destroy. [1]
>>
> 
> No stupid question at all. You are correct on this. So I guess we still
> need this call in the drivers that don't provide a .fb_destroy() handler.
> 
> I see many options here:
> 
> 1) Document in drm_fb_helper_alloc_fbi() that drivers only need to call
>     drm_fb_helper_fini() explicitly if they are not setting up a fbdev
>     with drm_fbdev_generic_setup(), otherwise is not needed.
> 
> 2) Make drm_fbdev_fb_destroy() an exported symbol so drivers that have
>     custom fb_ops can use it.
> 
> 3) Set .fb_destroy to drm_fbdev_fb_destroy() if isn't set by drivers when
>     they call drm_fb_helper_initial_config() or drm_fb_helper_fill_info().
> 
> I'm leaning towards option (3). Then the fb_info release will be automatic
> whether drivers are using the generic setup or a custom one.

IMHO this would just be another glitch to paper over all the broken 
code. And if you follow through drm_fbdev_fb_helper(), [1] it'll call 
_fini at some point and probably blow up in some other way. Instances of 
struct fb_ops are also usually const.

The only reliable way AFAICT is to do what generic fbdev does: use 
unregister_framebuffer and do the software cleanup somewhere within 
fb_destroy. And then fix all drivers to use that pattern.

Best regards
Thomas

[1] 
https://elixir.bootlin.com/linux/v5.17.6/source/drivers/gpu/drm/drm_fb_helper.c#L2082

> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]