Thread: 29 messages, 4 authors, 2022-05-11

Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

From: Javier Martinez Canillas <javierm@redhat.com>
Date: 2022-05-10 09:45:15
Also in: dri-devel, lkml

On 5/10/22 11:39, Thomas Zimmermann wrote:

[snip]

>> 3) Set .fb_destroy to drm_fbdev_fb_destroy() if it isn't set by drivers when
>>    they call drm_fb_helper_initial_config() or drm_fb_helper_fill_info().
>>
>> I'm leaning towards option (3). Then the fb_info release will be automatic
>> whether drivers are using the generic setup or a custom one.
>
> IMHO this would just be another glitch to paper over all the broken
> code. And if you follow through drm_fbdev_fb_helper(), [1] it'll call
> _fini at some point and probably blow up in some other way. Instances of
> struct fb_ops are also usually const.
>
> The only reliable way AFAICT is to do what generic fbdev does: use
> unregister_framebuffer and do the software cleanup somewhere within
> fb_destroy. And then fix all drivers to use that pattern.

Right. We can't really abstract this away from drivers that are not
using the generic fbdev helpers. So then they will have to provide
their own .fb_destroy() callback and do the cleanup.

-- 
Best regards,

Javier Martinez Canillas
Linux Engineering
Red Hat
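The lifetime pattern the two messages above agree on (drivers call unregister_framebuffer() and defer all teardown to .fb_destroy, which runs only when the last open handle is released) is easier to see in a small model than in the real fbdev core. The block below is an added example written for this page; it is not code from the patch series, from the kernel or from either author. It reimplements the kernel names fb_info, fb_ops, register_framebuffer(), unregister_framebuffer(), put_fb_info() and fb_release() as local user-space stand-ins with the same reference-counting shape, and the driver (mydrv_*), the counters (g_destroy_calls, g_par_frees) and the two scenario functions are constructed for illustration. The point it demonstrates is why a driver that frees fb_info from its remove() path races an open file descriptor, and how keeping the free in .fb_destroy avoids that.

```c
/*
 * Added example, not kernel or patch code: a user-space model of the fbdev
 * object lifetime. fb_info holds one reference for the registration and one
 * per open handle; teardown happens in .fb_destroy when the count hits zero.
 * All kernel-named functions here are local stand-ins, not the real ones.
 */
#include <stdbool.h>
#include <stdlib.h>

struct fb_info;

struct fb_ops {
    void (*fb_destroy)(struct fb_info *info);
};

struct fb_info {
    int ref_count;               /* registration ref + open handles */
    bool registered;
    const struct fb_ops *fbops;
    void *par;                   /* driver-private data */
};

/* Constructed counters so a caller can observe what the model did. */
static int g_destroy_calls;
static int g_par_frees;

static struct fb_info *framebuffer_alloc(size_t par_size)
{
    struct fb_info *info = calloc(1, sizeof(*info));
    if (!info)
        return NULL;
    info->par = calloc(1, par_size ? par_size : 1);
    if (!info->par) {
        free(info);
        return NULL;
    }
    return info;
}

/* Drop one reference; the last one runs the driver's .fb_destroy. */
static void put_fb_info(struct fb_info *info)
{
    if (--info->ref_count)
        return;
    if (info->fbops && info->fbops->fb_destroy)
        info->fbops->fb_destroy(info);
}

static int register_framebuffer(struct fb_info *info)
{
    info->registered = true;
    info->ref_count = 1;         /* reference owned by the registration */
    return 0;
}

/* Unbinding only drops the registration reference; open handles keep
 * the object alive, which is what prevents the use-after-free. */
static void unregister_framebuffer(struct fb_info *info)
{
    info->registered = false;
    put_fb_info(info);
}

static int fb_open(struct fb_info *info)
{
    if (!info->registered)
        return -1;               /* device already gone: refuse, like ENODEV */
    info->ref_count++;
    return 0;
}

static void fb_release(struct fb_info *info)
{
    put_fb_info(info);
}

/* Constructed driver: all software cleanup lives in .fb_destroy. */
static void mydrv_fb_destroy(struct fb_info *info)
{
    g_destroy_calls++;
    free(info->par);
    g_par_frees++;
    free(info);
}

static const struct fb_ops mydrv_fb_ops = {
    .fb_destroy = mydrv_fb_destroy,
};

static struct fb_info *mydrv_probe(void)
{
    struct fb_info *info = framebuffer_alloc(64);
    if (!info)
        return NULL;
    info->fbops = &mydrv_fb_ops;
    register_framebuffer(info);
    return info;
}

/* remove() must not free fb_info or its private data itself. */
static void mydrv_remove(struct fb_info *info)
{
    unregister_framebuffer(info);
}

/* Device unbound while a user still has the fb open: returns 0 on the
 * expected ordering (destroy deferred until the last release). */
int scenario_unbind_while_open(void)
{
    g_destroy_calls = g_par_frees = 0;
    struct fb_info *info = mydrv_probe();
    if (!info || fb_open(info) != 0)
        return -1;
    mydrv_remove(info);
    if (g_destroy_calls != 0)
        return -2;               /* freed under an open handle: the UAF */
    if (fb_open(info) == 0)
        return -3;               /* new opens must be refused */
    fb_release(info);            /* last holder leaves, destroy runs now */
    return (g_destroy_calls == 1 && g_par_frees == 1) ? 0 : -4;
}

/* Device unbound with no users: destroy runs directly from remove(). */
int scenario_unbind_no_users(void)
{
    g_destroy_calls = g_par_frees = 0;
    struct fb_info *info = mydrv_probe();
    if (!info)
        return -1;
    mydrv_remove(info);
    return (g_destroy_calls == 1 && g_par_frees == 1) ? 0 : -2;
}
```

The check that matters is the one in scenario_unbind_while_open(): after mydrv_remove() the private data must still be intact because a handle is open, and it must be freed exactly once after that handle's release. A driver that instead called free (or the kernel's framebuffer_release()) from remove() would pass the no-users case and only fail under the open-handle case, which is why the pattern has to be applied per driver rather than papered over in a helper.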