Re: [PATCH v3 1/4] fbdev: Prevent possible use-after-free in fb_release()

[Thomas Zimmermann]

Hi

Am 10.05.22 um 10:37 schrieb Thomas Zimmermann:
...
> > > You have to go through all DRM drivers that call drm_fb_helper_fini()
> > > and make sure that they free fb_info. For example armada appears to be
> > > leaking now. [1]
> >
> > But shouldn't fb_info be freed when unregister_framebuffer() is called
> > through drm_dev_unregister() ? AFAICT the call chain is the following:
> >
> > drm_put_dev()
> >    drm_dev_unregister()
> >      drm_client_dev_unregister()
> >        drm_fbdev_client_unregister()
> >          drm_fb_helper_unregister_fbi()
> >            unregister_framebuffer()
> >              do_unregister_framebuffer()
> >                put_fb_info()
> >                  drm_fbdev_fb_destroy()
> >                    framebuffer_release()
> >
> > which is the reason why I believe that drm_fb_helper_fini() should be
> > an internal static function and only called from drm_fbdev_fb_destroy().
> >
> > Drivers shouldn't really explicitly call this helper in my opinion.

One more stupid question: does armada actually use 
drm_fbdev_fb_destroy()? It's supposed to be a callback for struct 
fb_ops. Armada uses it's own instance of fb_ops, which apparently 
doesn't contain fb_destroy. [1]

Best regards
Thomas

[1] 
https://elixir.bootlin.com/linux/v5.17.6/source/drivers/gpu/drm/armada/armada_fbdev.c#L19


> Thanks.  That makes sense.
>
> Best regards
> Thomas
>
>
> >

--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev

Attachment: OpenPGP_signature
Description: OpenPGP digital signature