Date: Thu, 5 May 2022 14:57:18 +0200
From: Daniel Vetter
To: Thomas Zimmermann
Cc: Javier Martinez Canillas, linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, Daniel Vetter, Helge Deller, dri-devel@lists.freedesktop.org, Hans de Goede
Subject: Re: [PATCH 2/3] fbdev/simplefb: Cleanup fb_info in .fb_destroy rather than .remove

On Thu, May 05, 2022 at 09:29:40AM +0200, Thomas Zimmermann wrote:
> Hi
>
> On 04.05.22 at 23:57, Javier Martinez Canillas wrote:
> > The driver is calling framebuffer_release() in its .remove callback, but
> > this will cause the struct fb_info to be freed too early. Since it could
> > be that a reference is still held to it if user-space opened the fbdev.
> >
> > This would lead to a use-after-free error if the framebuffer device was
> > unregistered but later a user-space process tries to close the fbdev fd.
> >
> > The correct thing to do is to only unregister the framebuffer in the
> > driver's .remove callback, but do any cleanup in the fb_ops.fb_destroy.
> >
> > Suggested-by: Daniel Vetter
> > Signed-off-by: Javier Martinez Canillas
>
> Reviewed-by: Thomas Zimmermann
>
> Please see my question below.
>
> > --- > > > > drivers/video/fbdev/simplefb.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c > > index 94fc9c6d0411..2c198561c338 100644 > > --- a/drivers/video/fbdev/simplefb.c > > +++ b/drivers/video/fbdev/simplefb.c > > @@ -84,6 +84,10 @@ struct simplefb_par { > > static void simplefb_clocks_destroy(struct simplefb_par *par); > > static void simplefb_regulators_destroy(struct simplefb_par *par); > > +/* > > + * fb_ops.fb_destroy is called by the last put_fb_info() call at the end > > + * of unregister_framebuffer() or fb_release(). Do any cleanup here. > > + */ > > static void simplefb_destroy(struct fb_info *info) > > { > > struct simplefb_par *par = info->par; > > @@ -94,6 +98,8 @@ static void simplefb_destroy(struct fb_info *info) > > if (info->screen_base) > > iounmap(info->screen_base); > > + framebuffer_release(info); > > + > > if (mem) > > release_mem_region(mem->start, resource_size(mem));
>
> The original problem with fbdev hot-unplug was that vmwgfx needed the
> framebuffer region to be released. If we release it only after userspace
> closed its final file descriptor, vmwgfx could have already failed.
>
> I still don't fully get why this code apparently works or at least doesn't
> blow up occasionally. Any ideas?

See my other reply, releasing hw stuff should be done from ->remove, not
->fb_destroy.

Also note that none of the patches discussed moved around anything here,
we simply leaked things a bit when only unregistering the fb and not going
through the device->remove callback.

I guess in practice it works because unregistering the device sends out a
uevent, and userspace then closes all its device fd as a reaction to that,
and usually that's fast enough to not upset anyone? No idea tbh.
-Daniel

> Best regards
> Thomas
>
> > }
> > @@ -545,8 +551,8 @@ static int simplefb_remove(struct platform_device *pdev) > > { > > struct fb_info *info = platform_get_drvdata(pdev); > > + /* simplefb_destroy takes care of info cleanup */ > > unregister_framebuffer(info); > > - framebuffer_release(info); > > return 0; > > }
>
> --
> Thomas Zimmermann
> Graphics Driver Developer
> SUSE Software Solutions Germany GmbH
> Maxfeldstr. 5, 90409 Nürnberg, Germany
> (HRB 36809, AG Nürnberg)
> Managing Director: Ivo Totev

--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
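
Review bot: In the comment added above simplefb_destroy() (hunk @@ -84,6 +84,10 @@), "Do any cleanup here" is broader than what the reply in this thread asks for, which is that hardware resources be released from ->remove, not ->fb_destroy. Suggest narrowing the wording to the fb_info itself and whatever must outlive the last open fd, so the comment does not invite moving more teardown into this callback.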
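
Review bot: In hunk @@ -94,6 +98,8 @@, framebuffer_release(info) sits before the "if (mem)" block, so the release_mem_region() call runs after info has been freed. The declaration of mem is outside the visible lines; the order is only safe if mem is a local copy taken before this point, and nothing reached through info or par may be used afterwards. Suggest making framebuffer_release(info) the last statement of simplefb_destroy(), or adding a short comment stating that constraint.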
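
Review bot: After hunk @@ -545,8 +551,8 @@, simplefb_remove() does nothing but unregister_framebuffer(info), while iounmap() and release_mem_region() remain in simplefb_destroy(), which per the added comment runs only on the last put_fb_info(). With an fbdev fd still open, .remove returns while the memory region is still claimed, which is the hot-unplug concern raised in the quoted question. Suggest releasing the hardware resources in simplefb_remove() after unregister_framebuffer(info) and leaving only framebuffer_release(info) for .fb_destroy, as the reply proposes.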