Commit d258d00
committed
fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove
The driver is calling framebuffer_release() in its .remove callback, but
this will cause the struct fb_info to be freed too early. Since it could
be that a reference is still hold to it if user-space opened the fbdev.
This would lead to a use-after-free error if the framebuffer device was
unregistered but later a user-space process tries to close the fbdev fd.
To prevent this, move the framebuffer_release() call to fb_ops.fb_destroy
instead of doing it in the driver's .remove callback.
Strictly speaking, the code flow in the driver is still wrong because all
the hardware cleanupd (i.e: iounmap) should be done in .remove while the
software cleanup (i.e: releasing the framebuffer) should be done in the
.fb_destroy handler. But this at least makes to match the behavior before
commit 27599aa ("fbdev: Hot-unplug firmware fb devices on forced removal").
Fixes: 27599aa ("fbdev: Hot-unplug firmware fb devices on forced removal")
Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20220505220540.366218-1-javierm@redhat.com1 parent 666b90b commit d258d00
1 file changed
Lines changed: 8 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
243 | 243 | | |
244 | 244 | | |
245 | 245 | | |
| 246 | + | |
| 247 | + | |
| 248 | + | |
| 249 | + | |
246 | 250 | | |
247 | 251 | | |
248 | 252 | | |
| |||
254 | 258 | | |
255 | 259 | | |
256 | 260 | | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
257 | 264 | | |
258 | 265 | | |
259 | 266 | | |
| |||
620 | 627 | | |
621 | 628 | | |
622 | 629 | | |
| 630 | + | |
623 | 631 | | |
624 | 632 | | |
625 | | - | |
626 | 633 | | |
627 | 634 | | |
628 | 635 | | |
| |||
0 commit comments