dri-devel.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered"
@ 2022-05-04 10:51 Javier Martinez Canillas
  2022-05-04 11:04 ` Daniel Vetter
  0 siblings, 1 reply; 2+ messages in thread
From: Javier Martinez Canillas @ 2022-05-04 10:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: linux-fbdev, Thomas Zimmermann, Daniel Vetter, Helge Deller,
	Javier Martinez Canillas, dri-devel, Maxime Ripard

This reverts commit aafa025c76dcc7d1a8c8f0bdefcbe4eb480b2f6a. That commit
attempted to fix a NULL pointer dereference, caused by the struct fb_info
associated with a framebuffer device to not longer be valid when the file
descriptor was closed.

But the solution was wrong since it was just papering over the issue, and
also would leak any resources that might be reference counted in fb_open.

Instead, the fbdev drivers that are releasing the fb_info too soon should
be fixed to prevent this situation to happen.

Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---

 drivers/video/fbdev/core/fbmem.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 97eb0dee411c..a6bb0e438216 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1434,10 +1434,7 @@ fb_release(struct inode *inode, struct file *file)
 __acquires(&info->lock)
 __releases(&info->lock)
 {
-	struct fb_info * const info = file_fb_info(file);
-
-	if (!info)
-		return -ENODEV;
+	struct fb_info * const info = file->private_data;
 
 	lock_fb_info(info);
 	if (info->fbops->fb_release)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered"
  2022-05-04 10:51 [PATCH] Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered" Javier Martinez Canillas
@ 2022-05-04 11:04 ` Daniel Vetter
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Vetter @ 2022-05-04 11:04 UTC (permalink / raw)
  To: Javier Martinez Canillas
  Cc: linux-fbdev, Thomas Zimmermann, Daniel Vetter, Helge Deller,
	linux-kernel, dri-devel, Maxime Ripard

On Wed, May 04, 2022 at 12:51:40PM +0200, Javier Martinez Canillas wrote:
> This reverts commit aafa025c76dcc7d1a8c8f0bdefcbe4eb480b2f6a. That commit
> attempted to fix a NULL pointer dereference, caused by the struct fb_info
> associated with a framebuffer device to not longer be valid when the file
> descriptor was closed.
> 
> But the solution was wrong since it was just papering over the issue, and
> also would leak any resources that might be reference counted in fb_open.
> 
> Instead, the fbdev drivers that are releasing the fb_info too soon should
> be fixed to prevent this situation to happen.

Maybe add a bit more detail here why this goes boom:

The issue was uncovered by 27599aacbaef ("fbdev: Hot-unplug firmware fb
devices on forced removal"), which added an new path that goes through the
struct device removal instead of directly unregistering the fb. Most fbdev
drivers have issues with the fb_info lifetime, because they directly call
framebuffer_release() from their device driver's ->remove callback,
instead of from fbops->fb_destroy callback. This meant that due to this
switch the fb_info was now destroyed too early, while references still
existed, while before it was simply leaked. The patch we're reverting here
reinstated that leak, hence "fixed" the regression.

With that or similar added:

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Also thinking about this, maybe we should have a WARN_ON in
framebuffer_release if the refcount is elevated, and simply bail out in
that case? That would make this bug a lot easier to debug and less
confusing.

Maybe include that in your series to fix this properly.
-Daniel

> 
> Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> ---
> 
>  drivers/video/fbdev/core/fbmem.c | 5 +----
>  1 file changed, 1 insertion(+), 4 deletions(-)
> 
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 97eb0dee411c..a6bb0e438216 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1434,10 +1434,7 @@ fb_release(struct inode *inode, struct file *file)
>  __acquires(&info->lock)
>  __releases(&info->lock)
>  {
> -	struct fb_info * const info = file_fb_info(file);
> -
> -	if (!info)
> -		return -ENODEV;
> +	struct fb_info * const info = file->private_data;
>  
>  	lock_fb_info(info);
>  	if (info->fbops->fb_release)
> -- 
> 2.35.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-05-04 11:04 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-04 10:51 [PATCH] Revert "fbdev: Make fb_release() return -ENODEV if fbdev was unregistered" Javier Martinez Canillas
2022-05-04 11:04 ` Daniel Vetter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).