Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On Tue, May 10, 2022 at 09:50:38AM +0200, Javier Martinez Canillas wrote: > On 5/10/22 09:19, Andrzej Hajda wrote: > > > > > > On 10.05.2022 00:42, Javier Martinez Canillas wrote: > >> On 5/10/22 00:22, Andrzej Hajda wrote: > >> > >> [snip] > >> > static void drm_fbdev_fb_destroy(struct f

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On Mon, May 09, 2022 at 10:00:41PM +0200, Javier Martinez Canillas wrote: > Hello Thomas, > > On 5/9/22 20:32, Thomas Zimmermann wrote: > > Hi > > > > Am 09.05.22 um 18:33 schrieb Javier Martinez Canillas: > >> On 5/9/22 17:51, Andrzej Hajda wrote: > >> > >> [snip] > >> > >> + > > Regardi

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 5/10/22 11:39, Thomas Zimmermann wrote: [snip] >> >> 3) Set .fb_destroy to drm_fbdev_fb_destroy() if isn't set by drivers when >> they call drm_fb_helper_initial_config() or drm_fb_helper_fill_info(). >> >> I'm leaning towards option (3). Then the fb_info release will be automatic >> wheth

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Javier Am 10.05.22 um 11:06 schrieb Javier Martinez Canillas: Hello Thomas, On 5/10/22 10:50, Thomas Zimmermann wrote: [snip] Drivers shouldn't really explicitly call this helper in my opinion. One more stupid question: does armada actually use drm_fbdev_fb_destroy()? It's supposed to b

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hello Thomas, On 5/10/22 10:50, Thomas Zimmermann wrote: [snip] >>> Drivers shouldn't really explicitly call this helper in my opinion. > > One more stupid question: does armada actually use > drm_fbdev_fb_destroy()? It's supposed to be a callback for struct > fb_ops. Armada uses it's own ins

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Am 10.05.22 um 10:37 schrieb Thomas Zimmermann: ... You have to go through all DRM drivers that call drm_fb_helper_fini() and make sure that they free fb_info. For example armada appears to be leaking now. [1] But shouldn't fb_info be freed when unregister_framebuffer() is called through

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Am 10.05.22 um 10:30 schrieb Javier Martinez Canillas: Hello Thomas, On 5/10/22 10:04, Thomas Zimmermann wrote: Hi Am 10.05.22 um 00:42 schrieb Javier Martinez Canillas: On 5/10/22 00:22, Andrzej Hajda wrote: [snip] static void drm_fbdev_fb_destroy(struct fb_info *info) { +

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hello Thomas, On 5/10/22 10:04, Thomas Zimmermann wrote: > Hi > > Am 10.05.22 um 00:42 schrieb Javier Martinez Canillas: >> On 5/10/22 00:22, Andrzej Hajda wrote: >> >> [snip] >> static void drm_fbdev_fb_destroy(struct fb_info *info) { + if (info->cmap.len) +

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Am 10.05.22 um 00:42 schrieb Javier Martinez Canillas: On 5/10/22 00:22, Andrzej Hajda wrote: [snip] static void drm_fbdev_fb_destroy(struct fb_info *info) { + if (info->cmap.len) + fb_dealloc_cmap(&info->cmap); + drm_fbdev_release(info->par); + fr

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 5/10/22 09:19, Andrzej Hajda wrote: > > > On 10.05.2022 00:42, Javier Martinez Canillas wrote: >> On 5/10/22 00:22, Andrzej Hajda wrote: >> >> [snip] >> static void drm_fbdev_fb_destroy(struct fb_info *info) { + if (info->cmap.len) + fb_dealloc_cma

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 10.05.2022 00:42, Javier Martinez Canillas wrote: On 5/10/22 00:22, Andrzej Hajda wrote: [snip] static void drm_fbdev_fb_destroy(struct fb_info *info) { + if (info->cmap.len) + fb_dealloc_cmap(&info->cmap); + drm_fbdev_release(info->par); + frame

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 5/10/22 00:22, Andrzej Hajda wrote: [snip] >> static void drm_fbdev_fb_destroy(struct fb_info *info) >> { >> + if (info->cmap.len) >> + fb_dealloc_cmap(&info->cmap); >> + >> drm_fbdev_release(info->par); >> + framebuffer_release(info); > > I would put dr

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 09.05.2022 22:03, Javier Martinez Canillas wrote: On 5/9/22 20:12, Thomas Zimmermann wrote: [snip] I actually thought about the same but then remembered what Daniel said in [0] (AFAIU at least) that these should be done in .remove() so the current code looks like matches that and only fr

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 5/9/22 20:12, Thomas Zimmermann wrote: [snip] >> I actually thought about the same but then remembered what Daniel said in [0] >> (AFAIU at least) that these should be done in .remove() so the current code >> looks like matches that and only framebuffer_release() should be moved. >> >> For ves

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hello Thomas, On 5/9/22 20:32, Thomas Zimmermann wrote: > Hi > > Am 09.05.22 um 18:33 schrieb Javier Martinez Canillas: >> On 5/9/22 17:51, Andrzej Hajda wrote: >> >> [snip] >> >> + > Regarding drm: > What about drm_fb_helper_fini? It calls also framebuffer_release and is > called

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Am 09.05.22 um 18:33 schrieb Javier Martinez Canillas: On 5/9/22 17:51, Andrzej Hajda wrote: [snip] + Regarding drm: What about drm_fb_helper_fini? It calls also framebuffer_release and is called often from _remove paths (checked intel/radeon/nouveau). I guess it should be fixed as well.

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hi Javier Am 09.05.22 um 18:33 schrieb Javier Martinez Canillas: On 5/9/22 17:51, Andrzej Hajda wrote: [snip] + Regarding drm: What about drm_fb_helper_fini? It calls also framebuffer_release and is called often from _remove paths (checked intel/radeon/nouveau). I guess it should be fixed as

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 5/9/22 17:51, Andrzej Hajda wrote: [snip] + >>> Regarding drm: >>> What about drm_fb_helper_fini? It calls also framebuffer_release and is >>> called often from _remove paths (checked intel/radeon/nouveau). I guess >>> it should be fixed as well. Do you plan to fix it? >>> >> I think you

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 09.05.2022 17:30, Javier Martinez Canillas wrote: Hello Andrzej, On 5/9/22 16:56, Andrzej Hajda wrote: On 06.05.2022 00:04, Javier Martinez Canillas wrote: From: Daniel Vetter Most fbdev drivers have issues with the fb_info lifetime, because call to framebuffer_release() from their dri

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

Hello Andrzej, On 5/9/22 16:56, Andrzej Hajda wrote: > On 06.05.2022 00:04, Javier Martinez Canillas wrote: >> From: Daniel Vetter >> >> Most fbdev drivers have issues with the fb_info lifetime, because call to >> framebuffer_release() from their driver's .remove callback, rather than >> doing fr

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

On 06.05.2022 00:04, Javier Martinez Canillas wrote: From: Daniel Vetter Most fbdev drivers have issues with the fb_info lifetime, because call to framebuffer_release() from their driver's .remove callback, rather than doing from fbops.fb_destroy callback. Doing that will destroy the fb_info t

[PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

From: Daniel Vetter Most fbdev drivers have issues with the fb_info lifetime, because call to framebuffer_release() from their driver's .remove callback, rather than doing from fbops.fb_destroy callback. Doing that will destroy the fb_info too early, while references to it may still exist, leadi