Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1855278iob;
        Thu, 5 May 2022 09:26:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwU/L1k7zHRVm+6WncD9Wwn4GcmbbnEoIcN0xZfSktE6UPsf2KVysB1R6LczBbmSLi9QzQ+
X-Received: by 2002:a63:2b91:0:b0:3ab:3da7:b5ac with SMTP id r139-20020a632b91000000b003ab3da7b5acmr22879780pgr.36.1651767971813;
        Thu, 05 May 2022 09:26:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651767971; cv=none;
        d=google.com; s=arc-20160816;
        b=ZkBJXAWnR3mTzHIN5T7FYInin/xGa7t9tPNH4NDUFhAiPmK248KlOunLeviC0LzTo4
         7FYaaRy91EOCtQH2IdnEp65uBwYj9l+JY14WFntB0kUDv7QeIlV705xrIS87ra4ar5nF
         9jL38abUHa8D6cDXDGfaKwiqlWBVTecgoEE23obW+6qv5zSxOX0mvxlsSfNdGGLaq41L
         hIitU8qfXBwK5HugFZ0R7d4zwL0JHLIlU58T1LsfNPk29EnVZEBBx1x8ynW7izcTygzk
         fNnEikW9tDN4/4QaB5+c+RdjrX7xvvfn3LTMoMYwp91nMWnYvoEldDkosIxpWU7CEnfq
         XzkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:mail-followup-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=dMhPbH8YYksNDQWsYUNKHz6CMEzpio+MpfpxpHsuHBY=;
        b=zuJbzCGZ+J8sOygTxG06RzgdGQbldKXtbi9rrl8DQI55WRvBZd/H87oU3I9uEmNaWB
         CnjMNHRzXZw4AevXN+A9WR9fGibbYe3bnNBklrPfzfNxMfx56LFx5+mdDs3aoeyZOsX/
         MCol3ffoeEQJ7xa4ADP+2brk9AwMyk5TEpM3k7GFUDXADCQbk6/+48ZwBN+azhVyWf22
         +qhTtGvW0jlAN32oXuaUdfJnJ9mTQRKMUZc5dYDyFRE7mCNMhmUrb61ymgkuLxiefvBy
         t7XuCLfXFrJRo9DHRELJzT1WjebdApguZO/ElDly7/8w9zlt9P5VppBEFZebamDDuImX
         bHzg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ffwll.ch header.s=google header.b=Q+F4YMFK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j71-20020a63804a000000b003c626b8740csi1121019pgd.68.2022.05.05.09.25.52;
        Thu, 05 May 2022 09:26:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ffwll.ch header.s=google header.b=Q+F4YMFK;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1353188AbiEEM4f (ORCPT <rfc822;anthony.2lannoy@gmail.com>
        + 99 others); Thu, 5 May 2022 08:56:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35906 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236445AbiEEM4e (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 5 May 2022 08:56:34 -0400
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2AF7256216
        for <linux-kernel@vger.kernel.org>; Thu,  5 May 2022 05:52:51 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id bv19so8538882ejb.6
        for <linux-kernel@vger.kernel.org>; Thu, 05 May 2022 05:52:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ffwll.ch; s=google;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to;
        bh=dMhPbH8YYksNDQWsYUNKHz6CMEzpio+MpfpxpHsuHBY=;
        b=Q+F4YMFKbmp2KsE3LUay5GdA+juEREvkYz6rogZdVlySBdtrsWZokkOwvR/UIRqOuf
         yWO64v1ha0Z1AqNjZsZtdxtJOE2l/Oz7sraJ1HMqAcocYPuyupTzDLhXt4k31YAymA9X
         8rofUAYUyJM7LOh9REyEUWZxt9/v8D8wr/XDM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to;
        bh=dMhPbH8YYksNDQWsYUNKHz6CMEzpio+MpfpxpHsuHBY=;
        b=V9bT9ARZpOcNy56TBb2CqinmFD1lGkixE4Nhu9fYw9wGXZfyshAAg4GvSvNFozAZ3D
         cD7kg/fylea7xXTmwgqYyEdjKo0TRI91s4yLtAE5//cdxwT1wLbJG4N8u6zbWTs8DbEf
         ZsFgZL8NEcb6+HL08HsqqIkGbOadsEfXU02/FfSP1+Cuu6JmRy8h4mzZX5XkRg2zhN6z
         TB/WJuGcnMpOTqc4tGVli6UIuPQcPrtwa6G4cw2/Tvp2IKyyvhoSh7td/RGY3p/cCSj6
         Wx9koQBdIePemRUoE4vRMX271SJt6CSJQlAwE3ou2RDn8WEihJO/yffQdAbcrz/FF4x6
         k+Lg==
X-Gm-Message-State: AOAM5301NgtmKNCT4iga9RPguI8EIBF3SxsYCBr4o5mvl5WZzoy1NurW
        Hmicm3lyPd+XVzxhuOqoRpjE1g==
X-Received: by 2002:a17:907:94c5:b0:6f4:6de1:399c with SMTP id dn5-20020a17090794c500b006f46de1399cmr16128031ejc.336.1651755169715;
        Thu, 05 May 2022 05:52:49 -0700 (PDT)
Received: from phenom.ffwll.local ([2a02:168:57f4:0:efd0:b9e5:5ae6:c2fa])
        by smtp.gmail.com with ESMTPSA id l15-20020a17090612cf00b006f3ef214df9sm722670ejb.95.2022.05.05.05.52.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 May 2022 05:52:48 -0700 (PDT)
Date:   Thu, 5 May 2022 14:52:46 +0200
From:   Daniel Vetter <daniel@ffwll.ch>
To:     Javier Martinez Canillas <javierm@redhat.com>
Cc:     linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
        linux-fbdev@vger.kernel.org,
        Daniel Vetter <daniel.vetter@ffwll.ch>,
        Helge Deller <deller@gmx.de>,
        Hans de Goede <hdegoede@redhat.com>
Subject: Re: [PATCH 2/3] fbdev/simplefb: Cleanup fb_info in .fb_destroy
 rather than .remove
Message-ID: <YnPInuayAYQa1jmz@phenom.ffwll.local>
Mail-Followup-To: Javier Martinez Canillas <javierm@redhat.com>,
        linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
        linux-fbdev@vger.kernel.org, Helge Deller <deller@gmx.de>,
        Hans de Goede <hdegoede@redhat.com>
References: <20220504215151.55082-1-javierm@redhat.com>
 <20220504215722.56970-1-javierm@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220504215722.56970-1-javierm@redhat.com>
X-Operating-System: Linux phenom 5.10.0-8-amd64 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 04, 2022 at 11:57:22PM +0200, Javier Martinez Canillas wrote:
> The driver is calling framebuffer_release() in its .remove callback, but
> this will cause the struct fb_info to be freed too early. Since it could
> be that a reference is still hold to it if user-space opened the fbdev.
> 
> This would lead to a use-after-free error if the framebuffer device was
> unregistered but later a user-space process tries to close the fbdev fd.
> 
> The correct thing to do is to only unregister the framebuffer in the
> driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.
> 
> Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

I think this should have a Fixes: line for the patch from Thomas which
changed the remove_conflicting_fb code:

27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal")

I think we should also mention that strictly speaking the code flow is now
wrong, because hw cleanup (like iounmap) should be done from ->remove
while sw cleanup (like calling framebuffer_release()) is the only thing
that should be done from ->fb_destroy. But the current code matches what
was happening before 27599aacbaef so more minimal "fix"

With those details added Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Same for the next patch.
-Daniel

> ---
> 
>  drivers/video/fbdev/simplefb.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c
> index 94fc9c6d0411..2c198561c338 100644
> --- a/drivers/video/fbdev/simplefb.c
> +++ b/drivers/video/fbdev/simplefb.c
> @@ -84,6 +84,10 @@ struct simplefb_par {
>  static void simplefb_clocks_destroy(struct simplefb_par *par);
>  static void simplefb_regulators_destroy(struct simplefb_par *par);
>  
> +/*
> + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end
> + * of unregister_framebuffer() or fb_release(). Do any cleanup here.
> + */
>  static void simplefb_destroy(struct fb_info *info)
>  {
>  	struct simplefb_par *par = info->par;
> @@ -94,6 +98,8 @@ static void simplefb_destroy(struct fb_info *info)
>  	if (info->screen_base)
>  		iounmap(info->screen_base);
>  
> +	framebuffer_release(info);
> +
>  	if (mem)
>  		release_mem_region(mem->start, resource_size(mem));
>  }
> @@ -545,8 +551,8 @@ static int simplefb_remove(struct platform_device *pdev)
>  {
>  	struct fb_info *info = platform_get_drvdata(pdev);
>  
> +	/* simplefb_destroy takes care of info cleanup */
>  	unregister_framebuffer(info);
> -	framebuffer_release(info);
>  
>  	return 0;
>  }
> -- 
> 2.35.1
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch