| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d143e43b-8a38-940e-3ae5-e7b830a74bb3@samsung.com>
Date: Mon, 20 Jan 2020 18:51:17 +0100
From: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
To: Gerd Hoffmann <kraxel@...hat.com>, dri-devel@...ts.freedesktop.org
Cc: marmarek@...isiblethingslab.com,
"open list:FRAMEBUFFER LAYER" <linux-fbdev@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] fbdev: wait for references go away
Hi,
On 1/20/20 11:00 AM, Gerd Hoffmann wrote:
> Problem: do_unregister_framebuffer() might return before the device is
> fully cleaned up, due to userspace having a file handle for /dev/fb0
do_unregister_framebuffer() doesn't guarantee that fb_info is freed after
function's return (it only drops the kernel reference on fb_info).
> open. Which can result in drm driver not being able to grab resources
> (and fail initialization) because the firmware framebuffer still holds
> them. Reportedly plymouth can trigger this.
Could you please describe issue some more?
I guess that a problem is happening during DRM driver load while fbdev
driver is loaded? I assume do_unregister_framebuffer() is called inside
do_remove_conflicting_framebuffers()?
At first glance it seems to be an user-space issue as it should not be
holding references on /dev/fb0 while DRM driver is being loaded.
> Fix this by trying to wait until all references are gone. Don't wait
> forever though given that userspace might keep the file handle open.
Where does the 1s maximum delay come from?
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
> Reported-by: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
> Signed-off-by: Gerd Hoffmann <kraxel@...hat.com>
> ---
> drivers/video/fbdev/core/fbmem.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index d04554959ea7..2ea8ac05b065 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -35,6 +35,7 @@
> #include <linux/fbcon.h>
> #include <linux/mem_encrypt.h>
> #include <linux/pci.h>
> +#include <linux/delay.h>
>
> #include <asm/fb.h>
>
> @@ -1707,6 +1708,8 @@ static void unlink_framebuffer(struct fb_info *fb_info)
>
> static void do_unregister_framebuffer(struct fb_info *fb_info)
> {
> + int limit = 100;
> +
> unlink_framebuffer(fb_info);
> if (fb_info->pixmap.addr &&
> (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
> @@ -1726,6 +1729,10 @@ static void do_unregister_framebuffer(struct fb_info *fb_info)
> fbcon_fb_unregistered(fb_info);
> console_unlock();
>
> + /* try wait until all references are gone */
> + while (atomic_read(&fb_info->count) > 1 && --limit > 0)
> + msleep(10);
> +
> /* this may free fb info */
> put_fb_info(fb_info);
> }
Powered by blists - more mailing lists