Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp657015rwl; Thu, 5 Jan 2023 02:41:50 -0800 (PST) X-Google-Smtp-Source: AMrXdXtVxHr+wQiBHwz9R31xMDrlbSKmvCCpMUmnMR/bffRz6XmxQXxYtJjsz4GIeoLUvcBYf3t/ X-Received: by 2002:a17:90a:3042:b0:226:c364:2d1d with SMTP id q2-20020a17090a304200b00226c3642d1dmr3581007pjl.41.1672915310273; Thu, 05 Jan 2023 02:41:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672915310; cv=none; d=google.com; s=arc-20160816; b=rLg+NO2wvXcKeKCttEaus+6kGcnFCri5iMeBe6KfaD/zCYgzKuov57lpx8ZDZduJLm IwhKBm8zP0oX7fxyUdzQGKjvMRZSK6IwmYpfz5tFx6F29SUu5H0xQ0r7bCTdkFBJZfF+ uZX1eyN6nj2tZC/xr4CJmhAk6ApnzmkcITfhsGAzKNGyXLWgHa85/EBufdhsNJfV10xu NsDR6JSwmSjscpgTXk/81UMjSiVPt4nGM1GxqAV18RZRPYpBxmsuOeX9dlEnAVv6wotA EXfFd70xZi7LH1tOlaf2osG+WYqguwrfy2LFio5f5wrlFI3XecYYo4LrkGQoYTlbOqT8 o4kg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Dt0BUqKwqWWibWQTb1wPCoKjm4VxsUkn0xweZKKMDlI=; b=SUs6nvMwH1c+IB4XtXsHABLNMaIsdeBHilzl9WuFDqd2R0QM55t8VwWO3UuLliP0GK g9pKQoO/WxFSZ55mPAhM2E+vwY6HaA76oFS2tiVwH6peaE0C3XYh3MxcYO8NR+rbey7U Mg8xoNcz0CsVuvtqe1dUsY/U/AdtTo6wc0TlTUzRoWzIo/vTG5CQIIdaOrp0xl1JvPpq jMaI5FgM4mQgOVAPl5iN9XTnMvrb6uMfzKDTRaJEtCeOnLlXAWX5YPG7W9m/g3b4Uot2 PLKXV+lXLThVsY2q/8pfUEwjHFTxuEmFozGORi4z7MtsySGQQ7WkzgkNIDyIvdxD55ru Ghbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=YVRGKFa0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h19-20020a17090acf1300b00225e6117a20si1563809pju.25.2023.01.05.02.41.43; Thu, 05 Jan 2023 02:41:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b=YVRGKFa0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233184AbjAEKbn (ORCPT + 55 others); Thu, 5 Jan 2023 05:31:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55472 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232590AbjAEKbW (ORCPT ); Thu, 5 Jan 2023 05:31:22 -0500 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DFF495E670 for ; Thu, 5 Jan 2023 02:25:39 -0800 (PST) Received: by mail-pj1-x102d.google.com with SMTP id v13-20020a17090a6b0d00b00219c3be9830so1584868pjj.4 for ; Thu, 05 Jan 2023 02:25:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Dt0BUqKwqWWibWQTb1wPCoKjm4VxsUkn0xweZKKMDlI=; b=YVRGKFa0easmpbhxNK49mPSwSm4p0yLlLolRTqAAayxsax3xiNb/DSU6taZNhLfwg2 NwU/6V3PZ+hSXVdRw9G7LGmz5qE5R2f+uFoPn72pC1tJ2p7L4DjEcG1XFmIQqHqu2QH+ jn+Z3syF3bwWcXBb55yis6EiEW7pTcDYekbDg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Dt0BUqKwqWWibWQTb1wPCoKjm4VxsUkn0xweZKKMDlI=; b=09Y5499kNa+d3udI0Ld0AnMOTdyn6mFf2W9OwLc7Jsh+l5OxIqJTPpq3WW9il6BWT5 AaMWpCcxSeFg2NbX6R9zyumCJDm5afixrG4jO5ZvxvucVM05FXakRKfLrDn4v8drCqBz Bx4XiIuOBEw99xu0ukd0OWuFAHtliXP72e5va+4AvVjGeFDzgVF6WNUtWDQYqBrsvIRE 8ZydoRng576N63tliQuNFlk3DK2ogJdTcMEE0Ft/b7VkbaSTQaKCIPnUwN0lWbjD3+QR oCjSUEPJHBR3FE1KPQW22VSLkojAKVOZZRXfHqSAv11aKnlOpivgvCM0kZsZVFi8sJod 9gCQ== X-Gm-Message-State: AFqh2kptMFf/2QauA44Xdd3HtApxEtTyAb5Caq5YrgtXU3HImHbcoycP fN4wzWrjCO+elu1OxfrNtN+BW+Cw2Fnuy+z3R2wvLQ== X-Received: by 2002:a17:902:bf45:b0:189:505b:73dd with SMTP id u5-20020a170902bf4500b00189505b73ddmr2984463pls.143.1672914317807; Thu, 05 Jan 2023 02:25:17 -0800 (PST) MIME-Version: 1.0 References: <20221230063528.41037-1-zh.nvgt@gmail.com> <2711de96-fcbe-5611-657a-ab29becd2ff6@gmx.de> In-Reply-To: From: Daniel Vetter Date: Thu, 5 Jan 2023 11:25:06 +0100 Message-ID: Subject: Re: [PATCH] fbmem: prevent potential use-after-free issues with console_lock() To: Helge Deller Cc: Hang Zhang , Javier Martinez Canillas , Thomas Zimmermann , Sam Ravnborg , Alex Deucher , linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 5 Jan 2023 at 11:21, Daniel Vetter wrote: > > Hi Helge > > On Mon, 2 Jan 2023 at 16:28, Helge Deller wrote: > > > > On 12/30/22 07:35, Hang Zhang wrote: > > > In do_fb_ioctl(), user specified "fb_info" can be freed in the callee > > > fbcon_get_con2fb_map_ioctl() -> set_con2fb_map() -> > > > con2fb_release_oldinfo(), this free operation is protected by > > > console_lock() in fbcon_set_con2fb_map_ioctl(), it also results in > > > the change of certain states such as "minfo->dead" in matroxfb_remove(), > > > so that it can be checked to avoid use-after-free before the use sites > > > (e.g., the check at the beginning of matroxfb_ioctl()). However, > > > the problem is that the use site is not protected by the same locks > > > as for the free operation, e.g., "default" case in do_fb_ioctl() > > > can lead to "matroxfb_ioctl()" but it's not protected by console_lock(), > > > which can invalidate the aforementioned state set and check in a > > > concurrent setting. > > > > > > Prevent the potential use-after-free issues by protecting the "default" > > > case in do_fb_ioctl() with console_lock(), similarly as for many other > > > cases like "case FBIOBLANK" and "case FBIOPAN_DISPLAY". > > > > > > Signed-off-by: Hang Zhang > > > > applied to fbdev git tree. > > The patch above makes no sense at all to me: > > - fb_info is protected by lock_fb_info and > - the lifetime of fb_info is protected by the get/put functions > - yes there's the interaction with con2fb, which is protected by > console_lock, but the lifetime guarantees are ensured by the device > removal > - which means any stuff happening in matroxfb_remove is also not a > concern here (unless matroxfb completely gets all the device lifetime > stuff wrong, but it doesn't look like it's any worse than any of the > other fbdev drivers that we haven't recently fixed up due to the > takeover issues with firmware drivers I have also a really hard timing finding the con2fb map use in the matroxfb ioctl code, but that just might be that I didn't look carefully enough. Maybe that would shed some light on this. -Daniel > > On the very clear downside this now means we take console_lock for the > vblank ioctl (which is a device driver extension for reasons, despite > that it's a standard fbdev ioctl), which is no good at all given how > console_lock() is a really expensive lock. > > Unless I'm massively missing something, can you pls push the revert > before this lands in Linus' tree? > > Thanks, Daniel > > > Thanks, > > Helge > > > > > --- > > > drivers/video/fbdev/core/fbmem.c | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c > > > index 1e70d8c67653..8b1a1527d18a 100644 > > > --- a/drivers/video/fbdev/core/fbmem.c > > > +++ b/drivers/video/fbdev/core/fbmem.c > > > @@ -1182,6 +1182,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > > > console_unlock(); > > > break; > > > default: > > > + console_lock(); > > > lock_fb_info(info); > > > fb = info->fbops; > > > if (fb->fb_ioctl) > > > @@ -1189,6 +1190,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > > > else > > > ret = -ENOTTY; > > > unlock_fb_info(info); > > > + console_unlock(); > > > } > > > return ret; > > > } > > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch