From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Daniel Vetter, Daniel Vetter, Javier Martinez Canillas, Thomas Zimmermann, Daniel Vetter, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 1/4] fbdev: Prevent possible use-after-free in fb_release()
Date: Thu, 5 May 2022 13:31:24 +0200
Message-Id: <20220505113128.264963-2-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

From: Daniel Vetter

Most fbdev drivers have issues with the fb_info lifetime, because they call framebuffer_release() from their driver's .remove callback, rather than doing so from the fbops.fb_destroy callback.

Doing that will destroy the fb_info too early, while references to it may still exist, leading to a use-after-free error.

To prevent this, check the fb_info reference counter when attempting to kfree the data structure in framebuffer_release(). That will leak it but at least will prevent the mentioned error.

Signed-off-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/core/fbsysfs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/core/fbsysfs.c b/drivers/video/fbdev/core/= fbsysfs.c index 8c1ee9ecec3d..c2a60b187467 100644 --- a/drivers/video/fbdev/core/fbsysfs.c +++ b/drivers/video/fbdev/core/fbsysfs.c 
@@ -80,6 +80,10 @@ void framebuffer_release(struct fb_info *info) { if (!info) return; + + if (WARN_ON(refcount_read(&info->count))) + return; + kfree(info->apertures); kfree(info); } --=20 2.35.1
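
Review bot: The early return after WARN_ON(refcount_read(&info->count)) in framebuffer_release() deliberately skips both kfree(info->apertures) and kfree(info), but nothing in the code says the leak is intentional. A short comment above the check would help, stating that a non-zero count means a driver called framebuffer_release() while references are still held and that the structure is leaked on purpose to avoid a use-after-free. Since the commit message says most fbdev drivers still call this from .remove, WARN_ON_ONCE() may also be worth considering so that repeated removals do not flood the log.
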
From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Thomas Zimmermann, Hans de Goede, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 2/4] fbdev: simplefb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:25 +0200
Message-Id: <20220505113128.264963-3-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early, since it could be that a reference to it is still held if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/simplefb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c index 94fc9c6d0411..2c198561c338 100644 --- a/drivers/video/fbdev/simplefb.c +++ b/drivers/video/fbdev/simplefb.c 
@@ -84,6 +84,10 @@ struct simplefb_par { static void simplefb_clocks_destroy(struct simplefb_par *par); static void simplefb_regulators_destroy(struct simplefb_par *par); =20 +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void simplefb_destroy(struct fb_info *info) { struct simplefb_par *par =3D info->par; @@ -94,6 +98,8 @@ static void simplefb_destroy(struct fb_info *info) if (info->screen_base) iounmap(info->screen_base); =20 + framebuffer_release(info); + if (mem) release_mem_region(mem->start, resource_size(mem)); } 
@@ -545,8 +551,8 @@ static int simplefb_remove(struct platform_device *pdev) { struct fb_info *info =3D platform_get_drvdata(pdev); =20 + /* simplefb_destroy takes care of info cleanup */ unregister_framebuffer(info); - framebuffer_release(info); =20 return 0; } --=20 2.35.1
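
Review bot: In simplefb_destroy() (hunk at -94,6 +98,8), framebuffer_release(info) now runs before the `if (mem) release_mem_region(mem->start, resource_size(mem));` block, so nothing after it may touch info or info->par. The assignment of mem is not in the visible context; please confirm it is a local pointer read before the release, or move framebuffer_release(info) to the last statement of the function, as patch 4/4 does for vesafb_destroy().
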
From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Thomas Zimmermann, Helge Deller, Peter Jones, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 3/4] fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:26 +0200
Message-Id: <20220505113128.264963-4-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early, since it could be that a reference to it is still held if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

(no changes since v1)

 drivers/video/fbdev/efifb.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c index ea42ba6445b2..cfa3dc0b4eee 100644 --- a/drivers/video/fbdev/efifb.c +++ b/drivers/video/fbdev/efifb.c 
@@ -243,6 +243,10 @@ static void efifb_show_boot_graphics(struct fb_info *i= nfo) static inline void efifb_show_boot_graphics(struct fb_info *info) {} #endif =20 +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void efifb_destroy(struct fb_info *info) { if (efifb_pci_dev) @@ -254,6 +258,9 @@ static void efifb_destroy(struct fb_info *info) else memunmap(info->screen_base); } + + framebuffer_release(info); + if (request_mem_succeeded) release_mem_region(info->apertures->ranges[0].base, info->apertures->ranges[0].size); 
@@ -620,9 +627,9 @@ static int efifb_remove(struct platform_device *pdev) { struct fb_info *info =3D platform_get_drvdata(pdev); =20 + /* efifb_destroy takes care of info cleanup */ unregister_framebuffer(info); sysfs_remove_groups(&pdev->dev.kobj, efifb_groups); - framebuffer_release(info); =20 return 0; } --=20 2.35.1
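
Review bot: In efifb_destroy() (hunk at -254,6 +258,9), framebuffer_release(info) is placed before the release_mem_region() call that reads info->apertures->ranges[0].base and info->apertures->ranges[0].size. Patch 1/4 shows framebuffer_release() doing kfree(info->apertures) and kfree(info), and the new comment says fb_destroy runs on the last put_fb_info(), so the reference count is zero here and the following statement dereferences freed memory. Move framebuffer_release(info) after the `if (request_mem_succeeded)` block so it is the last statement, matching vesafb_destroy() in patch 4/4.
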
From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Javier Martinez Canillas, Daniel Vetter, Helge Deller, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH v2 4/4] fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove
Date: Thu, 5 May 2022 13:31:27 +0200
Message-Id: <20220505113128.264963-5-javierm@redhat.com>
In-Reply-To: <20220505113128.264963-1-javierm@redhat.com>
References: <20220505113128.264963-1-javierm@redhat.com>

The driver is calling framebuffer_release() in its .remove callback, but this will cause the struct fb_info to be freed too early, since it could be that a reference to it is still held if user-space opened the fbdev.

This would lead to a use-after-free error if the framebuffer device was unregistered but later a user-space process tries to close the fbdev fd.

The correct thing to do is to only unregister the framebuffer in the driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.

Suggested-by: Daniel Vetter
Signed-off-by: Javier Martinez Canillas
Reviewed-by: Thomas Zimmermann
---

Changes in v2:
- Also do the change for vesafb (Thomas Zimmermann).

 drivers/video/fbdev/vesafb.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c index df6de5a9dd4c..1f03a449e505 100644 --- a/drivers/video/fbdev/vesafb.c +++ b/drivers/video/fbdev/vesafb.c 
@@ -179,6 +179,10 @@ static int vesafb_setcolreg(unsigned regno, unsigned r= ed, unsigned green, return err; } =20 +/* + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end + * of unregister_framebuffer() or fb_release(). Do any cleanup here. + */ static void vesafb_destroy(struct fb_info *info) { struct vesafb_par *par =3D info->par; @@ -187,7 +191,13 @@ static void vesafb_destroy(struct fb_info *info) arch_phys_wc_del(par->wc_cookie); if (info->screen_base) iounmap(info->screen_base); + + if (((struct vesafb_par *)(info->par))->region) + release_region(0x3c0, 32); + release_mem_region(info->apertures->ranges[0].base, info->apertures->rang= es[0].size); + + framebuffer_release(info); } =20 static struct fb_ops vesafb_ops =3D { @@ -484,10 +494,8 @@ static int vesafb_remove(struct platform_device *pdev) { struct fb_info *info =3D platform_get_drvdata(pdev); =20 + /* vesafb_destroy takes care of info cleanup */ unregister_framebuffer(info); - if (((struct vesafb_par *)(info->par))->region) - release_region(0x3c0, 32); - framebuffer_release(info); =20 return 0; } --=20 2.35.1
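
Review bot: In vesafb_destroy() (hunk at -187,7 +191,13), the moved check `if (((struct vesafb_par *)(info->par))->region)` carries over a cast the function does not need, since `struct vesafb_par *par = info->par;` is already declared at the top and used for par->wc_cookie. Writing it as `if (par->region)` reads better and keeps one way of reaching the driver data. Keeping framebuffer_release(info) as the last statement, after release_mem_region() has read info->apertures, is the right order.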