From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, Daniel Vetter, Helge Deller, Daniel Vetter, Javier Martinez Canillas
Subject: [PATCH 1/3] fbdev: Prevent possible use-after-free in fb_release()
Date: Wed, 4 May 2022 23:56:31 +0200
Message-Id: <20220504215631.56756-1-javierm@redhat.com>
In-Reply-To: <20220504215151.55082-1-javierm@redhat.com>
References: <20220504215151.55082-1-javierm@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Vetter

Most fbdev drivers have issues with the fb_info lifetime, because they call framebuffer_release() from their driver's .remove callback, rather than doing it from the fbops.fb_destroy callback. Doing that will destroy the fb_info too early, while references to it may still exist, leading to a use-after-free error.

To prevent this, check the fb_info reference counter when attempting to kfree the data structure in framebuffer_release(). That will leak it but at least will prevent the mentioned error.

Signed-off-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---
 drivers/video/fbdev/core/fbsysfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/fbsysfs.c
index 26892940c213..82e31a2d845e 100644
--- a/drivers/video/fbdev/core/fbsysfs.c
+++ b/drivers/video/fbdev/core/fbsysfs.c
@@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) { if (!info) return; + + if (WARN_ON(refcount_read(&info->count))) + return; + kfree(info->apertures); kfree(info); } --=20 2.35.1
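Review bot: The refcount_read()/return guard added to framebuffer_release() turns the premature free into a deliberate leak of both info->apertures and info, and the WARN_ON will fire for every driver that still calls framebuffer_release() from .remove while user-space holds the fbdev open. That is the trade-off the commit message describes, but the hunk carries no comment saying so; add one above the check, e.g. "/* Caller released too early: leak instead of use-after-free */", and state on the function that it must only be called once the last reference is gone, i.e. from fb_ops.fb_destroy. Also note that this is a plain read followed by kfree rather than an atomic decrement-and-test, so it catches a reference that is already held at call time but does not replace the refcount discipline itself.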
From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, Daniel Vetter, Helge Deller, Hans de Goede, Javier Martinez Canillas
Subject: [PATCH 2/3] fbdev/simplefb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Wed, 4 May 2022 23:57:22 +0200
Message-Id: <20220504215722.56970-1-javierm@redhat.com>
In-Reply-To: <20220504215151.55082-1-javierm@redhat.com>
References: <20220504215151.55082-1-javierm@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early, since it could be that a reference is still held to it if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, and do any cleanup in fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---
 drivers/video/fbdev/simplefb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c
index 94fc9c6d0411..2c198561c338 100644
--- a/drivers/video/fbdev/simplefb.c
+++ b/drivers/video/fbdev/simplefb.c
@@ -84,6 +84,10 @@ struct simplefb_par { static void simplefb_clocks_destroy(struct simplefb_par *par); static void simplefb_regulators_destroy(struct simplefb_par *par); =20 +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void simplefb_destroy(struct fb_info *info) { struct simplefb_par *par =3D info->par; @@ -94,6 +98,8 @@ static void simplefb_destroy(struct fb_info *info) if (info->screen_base) iounmap(info->screen_base); =20 + framebuffer_release(info); + if (mem) release_mem_region(mem->start, resource_size(mem)); } 
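Review bot: In the second hunk framebuffer_release(info) now runs before the `if (mem) release_mem_region(mem->start, resource_size(mem));` tail of simplefb_destroy, so from that point info and the par it embeds are freed memory; this is only safe provided `mem` was loaded into a local before the call and does not point into the fb_info allocation. Moving framebuffer_release(info) to the very end of the function would make that ordering self-evident and keep future additions from dereferencing info after the free. The comment added in the first hunk is useful; it would be stronger if it also said that nothing may touch info once framebuffer_release() has returned.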
@@ -545,8 +551,8 @@ static int simplefb_remove(struct platform_device *pdev) { struct fb_info *info =3D platform_get_drvdata(pdev); =20 + /* simplefb_destroy takes care of info cleanup */ unregister_framebuffer(info); - framebuffer_release(info); =20 return 0; } --=20 2.35.1
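Review bot: After unregister_framebuffer(info) in this hunk, info may already have been freed by the last put_fb_info() (as the comment added to simplefb_destroy says), so simplefb_remove() must not touch info afterwards; the added comment would be clearer if it stated that explicitly, e.g. "/* simplefb_destroy frees info; do not use it after unregister_framebuffer() */". Dropping the framebuffer_release() call here is the right change for the ownership model the commit message describes.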
From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, Daniel Vetter, Helge Deller, Peter Jones, Javier Martinez Canillas
Subject: [PATCH 3/3] fbdev/efifb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Wed, 4 May 2022 23:58:06 +0200
Message-Id: <20220504215806.57147-1-javierm@redhat.com>
In-Reply-To: <20220504215151.55082-1-javierm@redhat.com>
References: <20220504215151.55082-1-javierm@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early, since it could be that a reference is still held to it if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, and do any cleanup in fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---
 drivers/video/fbdev/efifb.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
index ea42ba6445b2..cfa3dc0b4eee 100644
--- a/drivers/video/fbdev/efifb.c
+++ b/drivers/video/fbdev/efifb.c
@@ -243,6 +243,10 @@ static void efifb_show_boot_graphics(struct fb_info *i= nfo) static inline void efifb_show_boot_graphics(struct fb_info *info) {} #endif =20 +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void efifb_destroy(struct fb_info *info) { if (efifb_pci_dev)
@@ -254,6 +258,9 @@ static void efifb_destroy(struct fb_info *info) else memunmap(info->screen_base); } + + framebuffer_release(info); + if (request_mem_succeeded) release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size); @@ -620,9 +627,9 @@ static int efifb_remove(struct platform_device *pdev) { struct fb_info *info =3D platform_get_drvdata(pdev); =20 + /* efifb_destroy takes care of info cleanup */ unregister_framebuffer(info); sysfs_remove_groups(&pdev->dev.kobj, efifb_groups); - framebuffer_release(info); =20 return 0; } --=20 2.35.1
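Review bot: The efifb_destroy hunk introduces a use-after-free: framebuffer_release(info) frees info->apertures and then info (the two kfree calls shown in patch 1/3), yet the statement that follows, `release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size);`, dereferences both. Move framebuffer_release(info) below the request_mem_succeeded block so it is the last thing efifb_destroy does, or copy base and size into locals before the release. This differs from the simplefb hunk, where the pointer used after the release was loaded beforehand. The efifb_remove hunk is fine as written: sysfs_remove_groups(&pdev->dev.kobj, efifb_groups) works on the platform device's kobject, not on info, so it may run after unregister_framebuffer() has dropped the last reference.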