* [PATCH v2] fbdev: Make fb_release() return -ENODEV if fbdev was unregistered
@ 2022-05-02 13:50 Javier Martinez Canillas
2022-05-03 15:28 ` Javier Martinez Canillas
0 siblings, 1 reply; 3+ messages in thread
From: Javier Martinez Canillas @ 2022-05-02 13:50 UTC (permalink / raw)
To: linux-kernel
Cc: Maxime Ripard, Thomas Zimmermann, Javier Martinez Canillas,
Junxiao Chang, Alex Deucher, Changcheng Deng, Daniel Vetter,
Hans de Goede, Helge Deller, Sam Ravnborg, Xiyu Yang, Zack Rusin,
Zhen Lei, Zheyu Ma, Zhouyi Zhou, dri-devel, linux-fbdev
A reference to the framebuffer device struct fb_info is stored in the file
private data, but this reference could no longer be valid and must not be
accessed directly. Instead, the file_fb_info() accessor function must be
used since it does sanity checking to make sure that the fb_info is valid.
This can happen for example if the registered framebuffer device is for a
driver that just uses a framebuffer provided by the system firmware. In
that case, the fbdev core would unregister the framebuffer device when a
real video driver is probed and ask to remove conflicting framebuffers.
The bug has been present for a long time but commit 27599aacbaef ("fbdev:
Hot-unplug firmware fb devices on forced removal") unmasked it since the
fbdev core started unregistering the framebuffers' devices associated.
Fixes: 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal")
Reported-by: Maxime Ripard <maxime@cerno.tech>
Reported-by: Junxiao Chang <junxiao.chang@intel.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
---
Changes in v2:
- Drop patch 1/2 since patch 2/2 should be enough to fix the issue.
- Add missing Fixes and Reported-by tags (Thomas Zimmermann).
- Add Thomas Zimmermann's Reviewed-by tag.
drivers/video/fbdev/core/fbmem.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 84427470367b..82d4318ba8f7 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1434,7 +1434,10 @@ fb_release(struct inode *inode, struct file *file)
__acquires(&info->lock)
__releases(&info->lock)
{
- struct fb_info * const info = file->private_data;
+ struct fb_info * const info = file_fb_info(file);
+
+ if (!info)
+ return -ENODEV;
lock_fb_info(info);
if (info->fbops->fb_release)
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2] fbdev: Make fb_release() return -ENODEV if fbdev was unregistered
2022-05-02 13:50 [PATCH v2] fbdev: Make fb_release() return -ENODEV if fbdev was unregistered Javier Martinez Canillas
@ 2022-05-03 15:28 ` Javier Martinez Canillas
2022-05-04 9:49 ` Daniel Vetter
0 siblings, 1 reply; 3+ messages in thread
From: Javier Martinez Canillas @ 2022-05-03 15:28 UTC (permalink / raw)
To: linux-kernel
Cc: Maxime Ripard, Thomas Zimmermann, Junxiao Chang, Alex Deucher,
Changcheng Deng, Daniel Vetter, Hans de Goede, Helge Deller,
Sam Ravnborg, Xiyu Yang, Zack Rusin, Zhen Lei, Zheyu Ma,
Zhouyi Zhou, dri-devel, linux-fbdev
On 5/2/22 15:50, Javier Martinez Canillas wrote:
> A reference to the framebuffer device struct fb_info is stored in the file
> private data, but this reference could no longer be valid and must not be
> accessed directly. Instead, the file_fb_info() accessor function must be
> used since it does sanity checking to make sure that the fb_info is valid.
>
> This can happen for example if the registered framebuffer device is for a
> driver that just uses a framebuffer provided by the system firmware. In
> that case, the fbdev core would unregister the framebuffer device when a
> real video driver is probed and ask to remove conflicting framebuffers.
>
> The bug has been present for a long time but commit 27599aacbaef ("fbdev:
> Hot-unplug firmware fb devices on forced removal") unmasked it since the
> fbdev core started unregistering the framebuffers' devices associated.
>
> Fixes: 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal")
> Reported-by: Maxime Ripard <maxime@cerno.tech>
> Reported-by: Junxiao Chang <junxiao.chang@intel.com>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
> ---
Applied to drm-misc (drm-misc-fixes).
--
Best regards,
Javier Martinez Canillas
Linux Engineering
Red Hat
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2] fbdev: Make fb_release() return -ENODEV if fbdev was unregistered
2022-05-03 15:28 ` Javier Martinez Canillas
@ 2022-05-04 9:49 ` Daniel Vetter
0 siblings, 0 replies; 3+ messages in thread
From: Daniel Vetter @ 2022-05-04 9:49 UTC (permalink / raw)
To: Javier Martinez Canillas
Cc: linux-kernel, Maxime Ripard, Thomas Zimmermann, Junxiao Chang,
Alex Deucher, Changcheng Deng, Daniel Vetter, Hans de Goede,
Helge Deller, Sam Ravnborg, Xiyu Yang, Zack Rusin, Zhen Lei,
Zheyu Ma, Zhouyi Zhou, dri-devel, linux-fbdev
On Tue, May 03, 2022 at 05:28:09PM +0200, Javier Martinez Canillas wrote:
> On 5/2/22 15:50, Javier Martinez Canillas wrote:
> > A reference to the framebuffer device struct fb_info is stored in the file
> > private data, but this reference could no longer be valid and must not be
> > accessed directly. Instead, the file_fb_info() accessor function must be
> > used since it does sanity checking to make sure that the fb_info is valid.
> >
> > This can happen for example if the registered framebuffer device is for a
> > driver that just uses a framebuffer provided by the system firmware. In
> > that case, the fbdev core would unregister the framebuffer device when a
> > real video driver is probed and ask to remove conflicting framebuffers.
> >
> > The bug has been present for a long time but commit 27599aacbaef ("fbdev:
> > Hot-unplug firmware fb devices on forced removal") unmasked it since the
> > fbdev core started unregistering the framebuffers' devices associated.
> >
> > Fixes: 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal")
> > Reported-by: Maxime Ripard <maxime@cerno.tech>
> > Reported-by: Junxiao Chang <junxiao.chang@intel.com>
> > Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> > Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
> > ---
> Applied to drm-misc (drm-misc-fixes).
See my other reply, but how does this not result in leaks?
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-04 9:49 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-02 13:50 [PATCH v2] fbdev: Make fb_release() return -ENODEV if fbdev was unregistered Javier Martinez Canillas
2022-05-03 15:28 ` Javier Martinez Canillas
2022-05-04 9:49 ` Daniel Vetter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).