From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hyunwoo Kim <imv4bel@gmail.com>,
Helge Deller <deller@gmx.de>
Subject: [PATCH 4.19 37/78] fbdev: smscufx: Fix several use-after-free bugs
Date: Wed, 2 Nov 2022 03:34:22 +0100 [thread overview]
Message-ID: <20221102022054.081323757@linuxfoundation.org> (raw)
In-Reply-To: <20221102022052.895556444@linuxfoundation.org>
From: Hyunwoo Kim <imv4bel@gmail.com>
commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream.
Several types of UAFs can occur when physically removing a USB device.
Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and
in this function, there is kref_put() that finally calls ufx_free().
This fix prevents multiple UAFs.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/
Cc: <stable@vger.kernel.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/smscufx.c | 55 ++++++++++++++++++++++--------------------
1 file changed, 30 insertions(+), 25 deletions(-)
--- a/drivers/video/fbdev/smscufx.c
+++ b/drivers/video/fbdev/smscufx.c
@@ -100,7 +100,6 @@ struct ufx_data {
struct kref kref;
int fb_count;
bool virtualized; /* true when physical usb device not present */
- struct delayed_work free_framebuffer_work;
atomic_t usb_active; /* 0 = update virtual buffer, but no usb traffic */
atomic_t lost_pixels; /* 1 = a render op failed. Need screen refresh */
u8 *edid; /* null until we read edid from hw or get from sysfs */
@@ -1119,15 +1118,24 @@ static void ufx_free(struct kref *kref)
{
struct ufx_data *dev = container_of(kref, struct ufx_data, kref);
- /* this function will wait for all in-flight urbs to complete */
- if (dev->urbs.count > 0)
- ufx_free_urb_list(dev);
+ kfree(dev);
+}
- pr_debug("freeing ufx_data %p", dev);
+static void ufx_ops_destory(struct fb_info *info)
+{
+ struct ufx_data *dev = info->par;
+ int node = info->node;
- kfree(dev);
+ /* Assume info structure is freed after this point */
+ framebuffer_release(info);
+
+ pr_debug("fb_info for /dev/fb%d has been freed", node);
+
+ /* release reference taken by kref_init in probe() */
+ kref_put(&dev->kref, ufx_free);
}
+
static void ufx_release_urb_work(struct work_struct *work)
{
struct urb_node *unode = container_of(work, struct urb_node,
@@ -1136,14 +1144,9 @@ static void ufx_release_urb_work(struct
up(&unode->dev->urbs.limit_sem);
}
-static void ufx_free_framebuffer_work(struct work_struct *work)
+static void ufx_free_framebuffer(struct ufx_data *dev)
{
- struct ufx_data *dev = container_of(work, struct ufx_data,
- free_framebuffer_work.work);
struct fb_info *info = dev->info;
- int node = info->node;
-
- unregister_framebuffer(info);
if (info->cmap.len != 0)
fb_dealloc_cmap(&info->cmap);
@@ -1155,11 +1158,6 @@ static void ufx_free_framebuffer_work(st
dev->info = NULL;
- /* Assume info structure is freed after this point */
- framebuffer_release(info);
-
- pr_debug("fb_info for /dev/fb%d has been freed", node);
-
/* ref taken in probe() as part of registering framebfufer */
kref_put(&dev->kref, ufx_free);
}
@@ -1171,11 +1169,13 @@ static int ufx_ops_release(struct fb_inf
{
struct ufx_data *dev = info->par;
+ mutex_lock(&disconnect_mutex);
+
dev->fb_count--;
/* We can't free fb_info here - fbmem will touch it when we return */
if (dev->virtualized && (dev->fb_count == 0))
- schedule_delayed_work(&dev->free_framebuffer_work, HZ);
+ ufx_free_framebuffer(dev);
if ((dev->fb_count == 0) && (info->fbdefio)) {
fb_deferred_io_cleanup(info);
@@ -1189,6 +1189,8 @@ static int ufx_ops_release(struct fb_inf
kref_put(&dev->kref, ufx_free);
+ mutex_unlock(&disconnect_mutex);
+
return 0;
}
@@ -1295,6 +1297,7 @@ static struct fb_ops ufx_ops = {
.fb_blank = ufx_ops_blank,
.fb_check_var = ufx_ops_check_var,
.fb_set_par = ufx_ops_set_par,
+ .fb_destroy = ufx_ops_destory,
};
/* Assumes &info->lock held by caller
@@ -1678,9 +1681,6 @@ static int ufx_usb_probe(struct usb_inte
goto destroy_modedb;
}
- INIT_DELAYED_WORK(&dev->free_framebuffer_work,
- ufx_free_framebuffer_work);
-
retval = ufx_reg_read(dev, 0x3000, &id_rev);
check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval);
dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev);
@@ -1753,10 +1753,12 @@ e_nomem:
static void ufx_usb_disconnect(struct usb_interface *interface)
{
struct ufx_data *dev;
+ struct fb_info *info;
mutex_lock(&disconnect_mutex);
dev = usb_get_intfdata(interface);
+ info = dev->info;
pr_debug("USB disconnect starting\n");
@@ -1770,12 +1772,15 @@ static void ufx_usb_disconnect(struct us
/* if clients still have us open, will be freed on last close */
if (dev->fb_count == 0)
- schedule_delayed_work(&dev->free_framebuffer_work, 0);
+ ufx_free_framebuffer(dev);
- /* release reference taken by kref_init in probe() */
- kref_put(&dev->kref, ufx_free);
+ /* this function will wait for all in-flight urbs to complete */
+ if (dev->urbs.count > 0)
+ ufx_free_urb_list(dev);
- /* consider ufx_data freed */
+ pr_debug("freeing ufx_data %p", dev);
+
+ unregister_framebuffer(info);
mutex_unlock(&disconnect_mutex);
}
next prev parent reply other threads:[~2022-11-02 3:30 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-02 2:33 [PATCH 4.19 00/78] 4.19.264-rc1 review Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 01/78] ocfs2: clear dinode links count in case of error Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 02/78] ocfs2: fix BUG when iput after ocfs2_mknod fails Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 03/78] x86/microcode/AMD: Apply the patch early on every logical thread Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 04/78] hwmon/coretemp: Handle large core ID value Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 05/78] ata: ahci-imx: Fix MODULE_ALIAS Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 06/78] ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 07/78] KVM: arm64: vgic: Fix exit condition in scan_its_table() Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 08/78] media: venus: dec: Handle the case where find_format fails Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 09/78] arm64: errata: Remove AES hwcap for COMPAT tasks Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 10/78] r8152: add PID for the Lenovo OneLink+ Dock Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 11/78] btrfs: fix processing of delayed data refs during backref walking Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 12/78] btrfs: fix processing of delayed tree block " Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 13/78] ACPI: extlog: Handle multiple records Greg Kroah-Hartman
2022-11-02 2:33 ` [PATCH 4.19 14/78] tipc: Fix recognition of trial period Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 15/78] tipc: fix an information leak in tipc_topsrv_kern_subscr Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 16/78] HID: magicmouse: Do not set BTN_MOUSE on double report Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 17/78] net/atm: fix proc_mpc_write incorrect return value Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 18/78] net: sched: cake: fix null pointer access issue when cake_init() fails Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 19/78] net: hns: fix possible memory leak in hnae_ae_register() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 20/78] iommu/vt-d: Clean up si_domain in the init_dmars() error path Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 21/78] media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 22/78] [PATCH v3] ACPI: video: Force backlight native for more TongFang devices Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 23/78] Makefile.debug: re-enable debug info for .S files Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 24/78] hv_netvsc: Fix race between VF offering and VF association message from host Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 25/78] mm: /proc/pid/smaps_rollup: fix no vmas null-deref Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 26/78] can: kvaser_usb: Fix possible completions during init_completion Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 27/78] ALSA: Use del_timer_sync() before freeing timer Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 28/78] ALSA: au88x0: use explicitly signed char Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 29/78] USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 30/78] usb: dwc3: gadget: Stop processing more requests on IMI Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 31/78] usb: dwc3: gadget: Dont set IMI for no_interrupt Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 32/78] usb: bdc: change state when port disconnected Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 33/78] usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 34/78] xhci: Remove device endpoints from bandwidth list when freeing the device Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 35/78] tools: iio: iio_utils: fix digit calculation Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 36/78] iio: light: tsl2583: Fix module unloading Greg Kroah-Hartman
2022-11-02 2:34 ` Greg Kroah-Hartman [this message]
2022-11-02 2:34 ` [PATCH 4.19 38/78] mac802154: Fix LQI recording Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 39/78] drm/msm/dsi: fix memory corruption with too many bridges Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 40/78] drm/msm/hdmi: " Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 41/78] mmc: core: Fix kernel panic when remove non-standard SDIO card Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 42/78] kernfs: fix use-after-free in __kernfs_remove Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 43/78] perf auxtrace: Fix address filter symbol name match for modules Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 44/78] s390/futex: add missing EX_TABLE entry to __futex_atomic_op() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 45/78] Xen/gntdev: dont ignore kernel unmapping error Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 46/78] xen/gntdev: Prevent leaking grants Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 47/78] mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 48/78] net: ieee802154: fix error return code in dgram_bind() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 49/78] drm/msm: Fix return type of mdp4_lvds_connector_mode_valid Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 50/78] arc: iounmap() arg is volatile Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 51/78] ALSA: ac97: fix possible memory leak in snd_ac97_dev_register() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 52/78] tipc: fix a null-ptr-deref in tipc_topsrv_accept Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 53/78] net: netsec: fix error handling in netsec_register_mdio() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 54/78] x86/unwind/orc: Fix unreliable stack dump with gcov Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 55/78] amd-xgbe: fix the SFP compliance codes check for DAC cables Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 56/78] amd-xgbe: add the bit rate quirk for Molex cables Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 57/78] kcm: annotate data-races around kcm->rx_psock Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 58/78] kcm: annotate data-races around kcm->rx_wait Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 59/78] net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 60/78] net: lantiq_etop: dont free skb when returning NETDEV_TX_BUSY Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 61/78] tcp: fix indefinite deferral of RTO with SACK reneging Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 62/78] can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path Greg Kroah-Hartman
2022-11-04 17:28 ` Pavel Machek
2022-11-02 2:34 ` [PATCH 4.19 63/78] PM: hibernate: Allow hybrid sleep to work with s2idle Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 64/78] media: vivid: s_fbuf: add more sanity checks Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 65/78] media: vivid: dev->bitmap_cap wasnt freed in all cases Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 66/78] media: v4l2-dv-timings: add sanity checks for blanking values Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 67/78] media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check interlaced Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 68/78] i40e: Fix ethtool rx-flow-hash setting for X722 Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 69/78] i40e: Fix VF hang when reset is triggered on another VF Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 70/78] i40e: Fix flow-type by setting GL_HASH_INSET registers Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 71/78] net: ksz884x: fix missing pci_disable_device() on error in pcidev_init() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 72/78] PM: domains: Fix handling of unavailable/disabled idle states Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 73/78] ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev() Greg Kroah-Hartman
2022-11-02 2:34 ` [PATCH 4.19 74/78] ALSA: aoa: Fix I2S device accounting Greg Kroah-Hartman
2022-11-02 2:35 ` [PATCH 4.19 75/78] openvswitch: switch from WARN to pr_warn Greg Kroah-Hartman
2022-11-02 2:35 ` [PATCH 4.19 76/78] net: ehea: fix possible memory leak in ehea_register_port() Greg Kroah-Hartman
2022-11-02 2:35 ` [PATCH 4.19 77/78] net/mlx5e: Do not increment ESN when updating IPsec ESN state Greg Kroah-Hartman
2022-11-02 2:35 ` [PATCH 4.19 78/78] can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global FIFO receive Greg Kroah-Hartman
2022-11-02 17:22 ` [PATCH 4.19 00/78] 4.19.264-rc1 review Pavel Machek
2022-11-02 20:46 ` Guenter Roeck
2022-11-03 10:18 ` Naresh Kamboju
2022-11-03 12:22 ` Sudip Mukherjee
2022-11-04 15:17 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221102022054.081323757@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=deller@gmx.de \
--cc=imv4bel@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).