Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()
From: Javier Martinez Canillas
Date: Mon May 09 2022 - 18:42:28 EST
On 5/10/22 00:22, Andrzej Hajda wrote:
[snip]
>> static void drm_fbdev_fb_destroy(struct fb_info *info)
>> {
>> + if (info->cmap.len)
>> + fb_dealloc_cmap(&info->cmap);
>> +
>> drm_fbdev_release(info->par);
>> + framebuffer_release(info);
>
> I would put drm_fbdev_release at the beginning - it cancels workers
> which could expect cmap to be still valid.
>
Indeed, you are correct again. [0] is the final version of the patch I've
but don't have an i915 test machine to give it a try. I'll test tomorrow
on my test systems to verify that it doesn't cause any regressions since
with other DRM drivers.
I think that besides this patch, drivers shouldn't need to call to the
drm_fb_helper_fini() function directly. Since that would be called during
drm_fbdev_fb_destroy() anyways.
We should probably remove that call in all drivers and make this helper
function static and just private to drm_fb_helper functions.
Or am I missing something here ?
[0]: