* [PATCH AUTOSEL 5.15 03/65] backlight: Propagate errors from get_brightness()
From: Sasha Levin @ 2021-11-16 19:03 UTC
To: linux-kernel, stable
Cc: Thomas Weißschuh, Daniel Thompson, Lee Jones, Sasha Levin,
jingoohan1, dri-devel, linux-fbdev
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 563edf85ce18a90dd0a7b39e279a691d937205f6 ]
backlight.h documents "struct backlight_ops->get_brightness()" to return
a negative errno on failure.
So far these errors have not been handled in the backlight core.
This leads to negative values being exposed through sysfs although only
positive values are documented to be reported.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/backlight.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/drivers/video/backlight/backlight.c b/drivers/video/backlight/backlight.c
index 537fe1b376ad7..4658cfb75aa28 100644
--- a/drivers/video/backlight/backlight.c
+++ b/drivers/video/backlight/backlight.c
@@ -292,10 +292,13 @@ static ssize_t actual_brightness_show(struct device *dev,
struct backlight_device *bd = to_backlight_device(dev);
mutex_lock(&bd->ops_lock);
- if (bd->ops && bd->ops->get_brightness)
- rc = sprintf(buf, "%d\n", bd->ops->get_brightness(bd));
- else
+ if (bd->ops && bd->ops->get_brightness) {
+ rc = bd->ops->get_brightness(bd);
+ if (rc >= 0)
+ rc = sprintf(buf, "%d\n", rc);
+ } else {
rc = sprintf(buf, "%d\n", bd->props.brightness);
+ }
mutex_unlock(&bd->ops_lock);
return rc;
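Review bot: In actual_brightness_show(), rc first holds the raw get_brightness() result and is then overwritten with the sprintf() byte count, so one variable carries two meanings within three lines. A separate local, as backlight_force_update() gets with "int brightness;" in the next hunk, would keep the two apart and make the hunks consistent. It is also worth stating for a stable backport that a read of this sysfs attribute now fails with the driver's errno where it used to return a negative number as text, so userspace that parsed the value will see a read error instead.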
@@ -381,9 +384,18 @@ ATTRIBUTE_GROUPS(bl_device);
void backlight_force_update(struct backlight_device *bd,
enum backlight_update_reason reason)
{
+ int brightness;
+
mutex_lock(&bd->ops_lock);
- if (bd->ops && bd->ops->get_brightness)
- bd->props.brightness = bd->ops->get_brightness(bd);
+ if (bd->ops && bd->ops->get_brightness) {
+ brightness = bd->ops->get_brightness(bd);
+ if (brightness >= 0)
+ bd->props.brightness = brightness;
+ else
+ dev_err(&bd->dev,
+ "Could not update brightness from device: %pe\n",
+ ERR_PTR(brightness));
+ }
mutex_unlock(&bd->ops_lock);
backlight_generate_event(bd, reason);
}
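Review bot: On the error path in backlight_force_update(), the failure is only logged: backlight_generate_event(bd, reason) still runs after the unlock, so listeners are notified of an update while bd->props.brightness keeps its old value, and the void return gives the caller no way to tell. Either skip the event when brightness < 0 or add a comment saying the event is sent deliberately with the cached value. If a driver's get_brightness() can fail repeatedly, the dev_err() under ops_lock will also repeat on every forced update, so dev_err_ratelimited() may be the safer choice.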
--
2.33.0
* [PATCH AUTOSEL 5.15 07/65] fbdev: fbmem: Fix double free of 'fb_info->pixmap.addr'
From: Sasha Levin @ 2021-11-16 19:03 UTC
To: linux-kernel, stable
Cc: Zheyu Ma, Sam Ravnborg, Sasha Levin, daniel.vetter, willy,
penguin-kernel, geert+renesas, xiyuyang19, linux, thunder.leizhen,
dri-devel, linux-fbdev
From: Zheyu Ma <zheyuma97@gmail.com>
[ Upstream commit 2c0c19b681d5a331b53aab0d170f72a87c7bff12 ]
savagefb and some other drivers call kfree to free 'info->pixmap.addr'
even after calling unregister_framebuffer, which may cause double free.
Fix this by setting 'fb_info->pixmap.addr' to NULL after kfree in
unregister_framebuffer.
The following log reveals it:
[ 37.318872] BUG: KASAN: double-free or invalid-free in kfree+0x13e/0x290
[ 37.319369]
[ 37.320803] Call Trace:
[ 37.320992] dump_stack_lvl+0xa8/0xd1
[ 37.321274] print_address_description+0x87/0x3b0
[ 37.321632] ? kfree+0x13e/0x290
[ 37.321879] ? kfree+0x13e/0x290
[ 37.322126] ? kfree+0x13e/0x290
[ 37.322374] kasan_report_invalid_free+0x58/0x90
[ 37.322724] ____kasan_slab_free+0x123/0x140
[ 37.323049] __kasan_slab_free+0x11/0x20
[ 37.323347] slab_free_freelist_hook+0x81/0x150
[ 37.323689] ? savagefb_remove+0xa1/0xc0 [savagefb]
[ 37.324066] kfree+0x13e/0x290
[ 37.324304] savagefb_remove+0xa1/0xc0 [savagefb]
[ 37.324655] pci_device_remove+0xa9/0x250
[ 37.324959] ? pci_device_probe+0x7d0/0x7d0
[ 37.325273] device_release_driver_internal+0x4f7/0x7a0
[ 37.325666] driver_detach+0x1e8/0x2c0
[ 37.325952] bus_remove_driver+0x134/0x290
[ 37.326262] ? sysfs_remove_groups+0x97/0xb0
[ 37.326584] driver_unregister+0x77/0xa0
[ 37.326883] pci_unregister_driver+0x2c/0x1c0
[ 37.336124]
[ 37.336245] Allocated by task 5465:
[ 37.336507] ____kasan_kmalloc+0xb5/0xe0
[ 37.336801] __kasan_kmalloc+0x9/0x10
[ 37.337069] kmem_cache_alloc_trace+0x12b/0x220
[ 37.337405] register_framebuffer+0x3f3/0xa00
[ 37.337731] foo_register_framebuffer+0x3b/0x50 [savagefb]
[ 37.338136]
[ 37.338255] Freed by task 5475:
[ 37.338492] kasan_set_track+0x3d/0x70
[ 37.338774] kasan_set_free_info+0x23/0x40
[ 37.339081] ____kasan_slab_free+0x10b/0x140
[ 37.339399] __kasan_slab_free+0x11/0x20
[ 37.339694] slab_free_freelist_hook+0x81/0x150
[ 37.340034] kfree+0x13e/0x290
[ 37.340267] do_unregister_framebuffer+0x21c/0x3d0
[ 37.340624] unregister_framebuffer+0x23/0x40
[ 37.340950] savagefb_remove+0x45/0xc0 [savagefb]
[ 37.341302] pci_device_remove+0xa9/0x250
[ 37.341603] device_release_driver_internal+0x4f7/0x7a0
[ 37.341990] driver_detach+0x1e8/0x2c0
[ 37.342272] bus_remove_driver+0x134/0x290
[ 37.342577] driver_unregister+0x77/0xa0
[ 37.342873] pci_unregister_driver+0x2c/0x1c0
[ 37.343196] cleanup_module+0x15/0x1c [savagefb]
[ 37.343543] __se_sys_delete_module+0x398/0x490
[ 37.343881] __x64_sys_delete_module+0x56/0x60
[ 37.344221] do_syscall_64+0x4d/0xc0
[ 37.344492] entry_SYSCALL_64_after_hwframe+0x44/0xae
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1633848148-29747-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/core/fbmem.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 7420d2c16e47e..826175ad88a2f 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1702,8 +1702,11 @@ static void do_unregister_framebuffer(struct fb_info *fb_info)
{
unlink_framebuffer(fb_info);
if (fb_info->pixmap.addr &&
- (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
+ (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT)) {
kfree(fb_info->pixmap.addr);
+ fb_info->pixmap.addr = NULL;
+ }
+
fb_destroy_modelist(&fb_info->modelist);
registered_fb[fb_info->node] = NULL;
num_registered_fb--;
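Review bot: The new "fb_info->pixmap.addr = NULL;" in do_unregister_framebuffer() has no comment, and without one it reads as a dead store in a teardown path. A one-line comment saying that drivers such as savagefb kfree() this pointer again in their remove path would record why it is there. The assignment makes that second kfree() a no-op (kfree(NULL) is harmless), but it leaves the redundant driver-side kfree() calls in place, so a follow-up removing them from the affected drivers would fix the ownership confusion at its source. FB_PIXMAP_DEFAULT also stays set in pixmap.flags after the buffer is gone; if anything can test that flag after unregistration, clear it alongside the pointer.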
--
2.33.0