On Mon, May 02, 2022 at 03:09:44PM +0200, Javier Martinez Canillas wrote:
A reference to the framebuffer device struct fb_info is stored in the file private data, but this reference could no longer be valid and must not be accessed directly. Instead, the file_fb_info() accessor function must be used since it does sanity checking to make sure that the fb_info is valid.
This can happen for example if the fbdev driver was one that is using a framebuffer provided by the system firmware. In that case, the fbdev core could unregister the framebuffer device if a real video driver is probed.
Reported-by: Maxime Ripard maxime@cerno.tech Signed-off-by: Javier Martinez Canillas javierm@redhat.com
Doesn't this mean we just leak the references? Also anything the driver might refcount in fb_open would be leaked too.
I'm not sure what exactly you're trying to fix here, but this looks a bit wrong.
Maybe stepping back what fbdev would need, but doesn't have (see the commit reference I dropped on the previous version) is drm_dev_enter/exit around hw access. the file_fb_info check essentially provides that, but with races and everything.
But drm_dev_enter/exit should not disable sw side code, especially not refcount cleanup like fb_release does here. -Daniel
drivers/video/fbdev/core/fbmem.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 20d8929df79f..d68097105f93 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1439,7 +1439,10 @@ fb_release(struct inode *inode, struct file *file) __acquires(&info->lock) __releases(&info->lock) {
- struct fb_info * const info = file->private_data;
struct fb_info * const info = file_fb_info(file);
if (!info)
return -ENODEV;lock_fb_info(info); if (info->fbops->fb_release)
-- 2.35.1